Dark Avenger

Classification

Category: Malware

Type: Virus

Aliases: Eddie

Summary

This virus contains two interesting text strings:

"Eddie lives...somewhere in time"

and

 "This program was written in the city of Sofia (C) 1988-89 Dark Avenger"

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The "Eddie" mentioned above is probably the skeleton mascot of the heavy metal band "Iron Maiden". This was the first virus reported to have originated in Bulgaria, but it was soon followed by many others.

Only one thing is unusual about this virus. Like many other viruses it remains resident in memory, but it infects a program not only when the program is run but also when the program file is read. This means that a harmless program that opens each .EXE and .COM file in turn, for example to check them for infection, could easily cause an "epidemic".

The virus will infect .EXE and .COM files, adding 1800 bytes to the length. COMMAND.COM will be one of the first programs to become infected.

When an infected program is run, there is a 1-in-16 chance that the virus will trash a random disk sector.

One 2000 byte variant is known. It is also from Bulgaria and was probably written by the same author as the original. It has been improved a bit: you won't see an increase in file length when you issue a DIR command. A third variant, also by "Dark Avenger", is 2100 bytes long. It is possible that a 1028 byte variant is the earliest version of the virus, but this is not certain. Dark Avenger is probably the author of a 1801 byte version as well.

Inside the 2000 byte variant one finds the following string:

 Copy me - I want to travel

or, in some versions:

 Only the Good die young...

The virus author also included the following string in the virus:

 Copyright (C) 1989 by Vesselin Bontchev

Vesselin Bontchev, however, is a Bulgarian virus researcher and has nothing to do with the creation of the virus. The reason this message appears is that the virus searches for it in every program executed and halts the computer when it is found, for example if one of Bontchev's anti-virus programs is run.

Variants: Apocalypse-2, CB-1530, Milana, MIR, Outland, Ps!ko, Quest, Zeleng

The author of the virus, Dark Avenger, has distributed the source code of the virus, and these variants were probably created by different authors.
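As an added example (not part of the original description and not F-Secure's detection logic), the Python below triages .COM and .EXE files using only the text strings and length increases listed above. It assumes the strings are stored as plain ASCII exactly as quoted; the function names, verdict labels and baseline inventory are hypothetical.

```python
import os
from typing import Optional

# Text strings quoted on this page. Assumption: stored as plain ASCII, exactly as quoted.
STRONG = [
    b"Eddie lives...somewhere in time",
    b"This program was written in the city of Sofia (C) 1988-89 Dark Avenger",
    b"Copy me - I want to travel",
    b"Only the Good die young...",
]
# Also carried by Bontchev's own anti-virus programs, which the virus looks for,
# so a hit on this string alone does not indicate infection.
AMBIGUOUS = [b"Copyright (C) 1989 by Vesselin Bontchev"]
# Length increases the page gives for the known versions, in bytes.
KNOWN_GROWTH = {1028, 1800, 1801, 2000, 2100}

def triage(data: bytes, baseline_len: Optional[int] = None) -> dict:
    """Classify one file image; baseline_len is its length in a trusted inventory."""
    strong = [s.decode() for s in STRONG if s in data]
    ambiguous = [s.decode() for s in AMBIGUOUS if s in data]
    growth = None if baseline_len is None else len(data) - baseline_len
    grew = growth in KNOWN_GROWTH
    if strong:
        verdict = "suspect"
    elif ambiguous or grew:
        verdict = "review"      # needs a second opinion, not proof of infection
    else:
        verdict = "no-match"
    return {"verdict": verdict, "strong": strong,
            "ambiguous": ambiguous, "growth": growth}

def scan_tree(root: str, baseline: Optional[dict] = None) -> dict:
    """Triage every .COM/.EXE under root; baseline maps upper-case file name to length."""
    baseline = baseline or {}
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().endswith((".COM", ".EXE")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = triage(fh.read(), baseline.get(name.upper()))
    return results

if __name__ == "__main__":
    # Constructed sample: filler bytes plus one quoted string, not a real infected file.
    sample = b"\x90" * 512 + STRONG[0] + b"\x00" * (1800 - len(STRONG[0]))
    print(triage(sample, baseline_len=512))
```

Run it against a mounted disk image or a system booted from clean media, because merely reading program files while the virus is resident infects them.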