When somebody says computer virus, it won't take long before the name Dark Avenger comes up. You ask why? If you don't know, you probably suffer from dementia or something like it. You should know that Dark Avenger is the best-known virus writer since the whole VX scene started in the late '80s.
It's well known that Dark Avenger is a native Bulgarian from the city of Sofia and a fan of the band Iron Maiden. But probably the only one who knows Dark Avenger's real identity is Dark Avenger himself. There were some rumors that the real name of Dark Avenger is Vesselin Bontchev, who now resides "on some lonely island in the northern Atlantic", but Mr. Bontchev, as well as Dark Avenger, are both of the same opinion:
It's also well known that Dark Avenger's relationship with Vesselin could be described as disrespectful, or rather very negative. At least one variant of the Dark Avenger virus targets programs containing the string 'Vesselin Bontchev' and hangs the system if such a program is run. Moreover, Dark Avenger sometimes used the expression "the weasel" when he talked about Bontchev. But we have to say that without Bontchev, Dark Avenger would not be so "popular" and well known throughout the whole world. In fact, Bontchev is the man responsible for the worldwide publicity of Dark Avenger. The legend himself claimed that Bontchev made him into Dark Avenger. Moreover, it was supposedly Bontchev who encouraged people to create viruses through some of his articles and publications. According to Dark Avenger, some of the stuff written by Bontchev can be a good tutorial for people who want to code viruses and have no other information available.
Some 9 or 10 years ago, when there were not so many viruses around, one young Bulgarian boy became interested in a rather mysterious and not very well known area of computer science: viruses. He thought of "making a program that would travel on its own ... and get to places its creator could never go". After reading some articles that discussed computer viruses, he decided to write such a piece of code. He started work on his first virus in September 1988. Occasionally he had access to a 4.77 MHz XT with no hard disk. When he finished the virus, he added destructive code to it, because he had no idea what else to put in. He thought the virus would never travel outside the city. Errare humanum est (to err is human). Dark Avenger was wrong in this case. His 651-byte virus, which contained the string 'Eddie lives', arrived in the USA in spring 1989.
Technically, the Eddie.651 virus is a simple TSR that hooks INT 21h and infects both EXE and COM files when they are executed. An infected file is marked in its timestamp: the seconds field is set to 62, a value no legitimate DOS timestamp can carry, since DOS stores seconds in two-second steps (0 to 58). Besides the INT 21h EXEC function, the virus also hooks FIND_FIRST_FCB and FIND_NEXT_FCB, the functions called by the DOS DIR command. When such a call occurs and the returned entry has its seconds field set to 62, the virus subtracts its own length from the reported file size. Since the virus does not check the size of the file first, if a marked file is smaller than 651 bytes the subtraction wraps around and DIR shows a file size in the gigabyte range. As said before, the virus contains the string 'Eddie lives'.
Dark Avenger's next production is well known: the Dark Avenger virus family, with members 1800, 2000 and 2100 bytes long. All three members of this family are resident COM and EXE infectors. The new idea in this family was the "fast infector": files were infected not only when executed, but also when opened, closed, created, or when their attributes were changed. Not so new was the payload: when certain conditions were met, the virus overwrote sectors of the hard disk at random. Really cruel. There were also some texts in these viruses...
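To make the timestamp marker and the DIR stealth bug concrete, here is a small Python model written for this article; it is not Eddie's code, just the arithmetic the description above implies. It packs a DOS time word, sets the 62-second marker the way the virus does, reports the file size the hooked FIND_FIRST/NEXT_FCB would return, and shows the wraparound for a marked file shorter than 651 bytes. The directory listing at the bottom is constructed, and the function names (stealth_size, find_marked_entries, etc.) are mine.

```python
"""Model of the Eddie.651 infection marker and DIR stealth, including the
size-underflow bug.  Added example for this article, not the virus's code.

DOS packs a file's time into 16 bits: bits 0-4 hold seconds/2 (0..29),
bits 5-10 minutes, bits 11-15 hours.  A value of 31 in the low field
decodes to 62 seconds, which no legitimate timestamp can carry, so the
virus uses it as an "already infected" marker.  The FCB find functions
return a 32-bit file size; the stealth hook subtracts the virus length.
"""

VIRUS_LEN = 651          # length of the appended Eddie.651 code
MARK_SECONDS_FIELD = 31  # 31 * 2 = 62 seconds, the impossible marker value


def encode_dos_time(hours: int, minutes: int, seconds: int) -> int:
    """Pack h:m:s into the 16-bit DOS time word (seconds resolution is 2 s)."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def decode_seconds(dos_time: int) -> int:
    """Seconds value DIR would show: low 5 bits times two."""
    return (dos_time & 0x1F) * 2


def mark_infected(dos_time: int) -> int:
    """Set the seconds field to 31 (62 s) as the virus does on infection;
    hours and minutes are left untouched."""
    return (dos_time & ~0x1F) | MARK_SECONDS_FIELD


def is_marked(dos_time: int) -> bool:
    return decode_seconds(dos_time) == 62


def stealth_size(real_size: int, dos_time: int) -> int:
    """Size the hooked FIND_FIRST/NEXT_FCB would report for one entry.

    The virus subtracts VIRUS_LEN from every marked file without checking
    that the file is at least that large; the 32-bit size field wraps, so
    a marked file under 651 bytes shows up in the gigabyte range.
    """
    if not is_marked(dos_time):
        return real_size
    return (real_size - VIRUS_LEN) & 0xFFFFFFFF


def find_marked_entries(entries):
    """Defender's side: flag entries whose timestamp carries the 62-second
    marker.  `entries` is a list of (name, size, dos_time) tuples."""
    return [name for name, _size, dos_time in entries if is_marked(dos_time)]


# Constructed directory listing (hypothetical files), not from a real system.
SAMPLE_DIR = [
    ("PROG1.COM", 2000, mark_infected(encode_dos_time(9, 15, 20))),
    ("TINY.COM", 300, mark_infected(encode_dos_time(9, 15, 20))),
    ("CLEAN.EXE", 5000, encode_dos_time(12, 0, 0)),
]

if __name__ == "__main__":
    for name, size, t in SAMPLE_DIR:
        print(f"{name:10} real={size:5} shown={stealth_size(size, t):>10} "
              f"sec={decode_seconds(t)}")
    print("marked entries:", find_marked_entries(SAMPLE_DIR))
```

The "impossible" 62-second stamp is exactly what a scanner or a careful admin can look for: a plain directory walk comparing the low five bits of every time word against 30 finds infected files without knowing a single byte of the virus body.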
[of course, every virus should have some text in it, otherwise it gets a name like 4096 or 193257609 :) ]
Eddie lives...somewhere in time This program was written in the city of Sofia (C) 1988-89 Dark Avenger
As described above, Dark Avenger loved Vesselin Bontchev so much that he included the following lovely text string in Dark Avenger.2000:
(C) 1989 by Vesselin Bontchev
And as the final nail, if the program about to be run contains the string "Vesselin Bontchev", the virus hangs the system. In my humble opinion, Dark Avenger was trying to make Bontchev's life hell with such an overkill payload. Of course, the nice stuff with trashing sectors on the hard disk was not removed from the viral code. As for the 2100-byte variant, it has some improvements in hiding the size increase of infected programs and so on. Sources released by the author are included in this issue of our zine.
After some time, Dark Avenger released something absolutely unknown to the world. Another of his firsts was the hyped MtE, the first ever polymorphic engine.
Polymorphism at such a level was something new [ :) ]. Mr. Skulason (responsible for F-Prot, fuckprot, or whatever it is, if I remember right) wrote in Virus Bulletin in April '92 that MtE should be "a torture test for the R&D departments of all the antivirus companies". Moreover, the editor of Virus Bulletin noted that "Dark Avenger tech support is presumably better than that offered by certain anti-virus vendors". He he he : )))))))
There were two releases of MtE. In August 1991 MtE 0.91β was released, and in April 1992 MtE 1.00β. For a long time the antivirus vendors were not able to detect MtE with 100% reliability. Detection rates ranged from 0% in the case of Xtree's Allsafe v4.1, or even worse, hanging the computer in the case of CPAV and CPAVSOS v14, up to full 100% detection in the case of IBM Antivirus, F-Prot, TBAV and many others.
Another Dark Avenger world first was the COMMANDER BOMBER virus. At the time of its appearance, a substantial part of the AV programs didn't follow the code flow; they just scanned for signatures near the beginning and the end of the file. Now imagine the surprise of those so-called virus researchers when some bloody virus came out that was not only inserted somewhere in the middle of the file, but where a couple of islands of code, bound together with CALLs and JMPs, lead to the virus body. [I would like to have seen their faces at that historic moment.] But in medias res... COMMANDER BOMBER is an inserting COM infector. Its own body is 22596 bytes long, but the code added to a host is actually 4096 bytes long. The virus infects COM files when they are executed, if their size is greater than 5120 bytes and less than 61183 bytes. COMMAND.??? will never be infected. The virus selects a 4 KB block in the file and appends this block to the end of the file; the viral code is placed in the resulting gap. Then the virus generates some kind of garbage code which brings execution to the main virus code. The only thing the garbage generator keeps track of is the stack and the SP value. Unfortunately, the garbage code generation seems to be buggy (about 1 in 8 generated samples does not work). This may also be the reason why COMMANDER BOMBER wasn't so successful compared with Dark Avenger's other viruses. This virus has another interesting feature: absolutely no signature in files. Yet the files do not become infected over and over again. This is handled by a very simple trick. When an infected file is about to be executed, the virus saves its memory image to disk, then repairs and executes it. So if the file is infected twice, the second infection rebuilds the file as it was with only one infection, and that first infection saves to disk a file infected only once. It is a very handy trick, and you can try to code something like this...
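The file-layout side of that trick is easy to see on a byte buffer, so here is a Python model written for this article (not COMMANDER BOMBER's own code, and not a disassembly of it). It applies the victim selection rules given above, carves a 4 KB block out of the host and moves it to the end, drops a placeholder "body" into the hole, and then does the inverse, which is the repair step any disinfector (or the virus's own pre-execution rebuild) has to perform. The garbage islands that actually route execution into the body are not modeled, only the geometry; the host bytes and the 0xCC filler body are constructed, and all function names are mine.

```python
"""Model of COMMANDER BOMBER's mid-file insertion and its reversal.
Added example for this article; the control-flow islands that lead to
the inserted code are not modeled, only the resulting file layout.
"""
import random

INSERT_LEN = 4096   # size of the block the virus carves out of the host
MIN_HOST = 5120     # article: only COM files larger than 5120 bytes ...
MAX_HOST = 61183    # ... and smaller than 61183 bytes are infected


def is_candidate(name: str, size: int) -> bool:
    """Victim selection as described: COM files inside the size window,
    never COMMAND.??? whatever its extension."""
    upper = name.upper()
    if upper.startswith("COMMAND."):
        return False
    if not upper.endswith(".COM"):
        return False
    return MIN_HOST < size < MAX_HOST


def choose_offset(host_len: int, length: int, rng: random.Random) -> int:
    """Pick where the hole goes, strictly inside the file (never at offset 0
    or flush with the end), so there is no fixed position to sign on.
    `rng` is injected so the choice is reproducible in tests."""
    if host_len <= length + 1:
        raise ValueError("host too small for a mid-file hole")
    return rng.randrange(1, host_len - length)


def insert_midfile(host: bytes, body: bytes, offset: int) -> bytes:
    """Move len(body) bytes of host at `offset` to the end of the file and
    put `body` in the hole.  The file grows by exactly len(body)."""
    length = len(body)
    if not 0 <= offset <= len(host) - length:
        raise ValueError("block does not fit inside host")
    displaced = host[offset:offset + length]
    return host[:offset] + body + host[offset + length:] + displaced


def restore_midfile(infected: bytes, offset: int, length: int) -> bytes:
    """Inverse of insert_midfile: pull the displaced block back from the end
    into the hole and drop the inserted body.  Knowing `offset` is the hard
    part for a disinfector, since nothing in the file header records it."""
    displaced = infected[-length:]
    return infected[:offset] + displaced + infected[offset + length:-length]


# Constructed host and filler body (hypothetical, not a real COM file).
SAMPLE_HOST = bytes(range(256)) * 40          # 10240 bytes, in the window
SAMPLE_BODY = bytes([0xCC]) * INSERT_LEN      # stands in for the 4 KB added code

if __name__ == "__main__":
    off = choose_offset(len(SAMPLE_HOST), INSERT_LEN, random.Random(1))
    inf = insert_midfile(SAMPLE_HOST, SAMPLE_BODY, off)
    print(f"hole at {off}, size {len(SAMPLE_HOST)} -> {len(inf)}")
    print("restored identical:", restore_midfile(inf, off, INSERT_LEN) == SAMPLE_HOST)
```

Two things fall out of the model that the text states in passing: the only file-level invariant is growth by exactly INSERT_LEN bytes with the displaced original block sitting at the end, and restore_midfile applied to a twice-inserted image with the right offset peels off one layer, which is the state the article says a second infection rebuilds.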
Just for your information, Jim Bates, the man who is probably responsible for the fate of the Black Baron of England (aka Christopher Pile), had the feeling that "although there are similarities of style, ... [stuff deleted] ... that code is beyond his [Dark Avenger's] limited capabilities."
In my humble opinion, COMMANDER BOMBER has two main weak points.
The first weak point is the garbage generation. Invalid opcodes are not very good in virus code, and everyone should avoid them. Otherwise there is ABSOLUTELY no chance of entering the "In the Wild" list.
The second weak point of this virus is the lack of encryption or a polymorphic engine. It could have been a very hard virus to defeat if Dark Avenger had combined MtE polymorphism with COMMANDER BOMBER's mid-file infection. Viruses of later years did use such a combination, and this led to the very successful One_Half virus by Vyvojar. Sources are included in this issue.
But, as not everyone has the necessary abilities, *-Zine is proud to present you the disassembly of this famous virus. Enjoy it.
Resources used to write this article:
The author is not responsible for the bugs in the article. Moreover, the author is not responsible at all.
Especially for Sara G.: What the fuck was the joke with the anorak?
This article is (c) 1997 by *-Zine. Its use in whatever form is prohibited without the explicit written permission of the *-Zine staff members. Any violation of this restriction will be subject to prosecution. All the legal costs of the *-Zine staff will be paid by the prosecuted.