
        The following text was captured on the Executive Network's
        Main Board as posted by the sysop there.  It has been made
        available to others via some of the ILink echo mail
        conferences and published in this file with the author's
        permission.


=======================================================================

Date: 04-23-91 (10:42)                 BBS: Executive Network
  To: CARY LOCHARD                  Phone#: 914-667-4567
From: ANDY KEEVES                     Read: 04-23-91 (09:23)
Subj: DARK AVENGER INFO             Status: PUBLIC MESSAGE
Conf: MAIN BOARD (0)             Read Type: READING ALL (R/O)

-> I run SCANV pretty often but I gather that it wouldn't help in this
-> case.  What are the symptoms, means of identifying and methods of
-> cleansing my once-pristine system if gasp!-I'm infected.


        Although I am by no means an expert on this subject, the
following information has been compiled from various sources about
the Dark Avenger virus.  You must, however, note that the Dark
Avenger we are now dealing with is in fact a variation or mutation
of the documented ones, thus the descriptions and characteristics
listed below may or may not be 100% accurate.  The identification
listed at the end, however, IS accurate and reliable!


        The Dark Avenger virus has also been known as the Black
Avenger, Eddie and Diana.  It was first isolated in the United
States at the University of California at Davis.  It is thought to
have been developed in Europe (Bulgaria) though this may well be
speculation.

        The Dark Avenger infects .COM, .EXE, and overlay files,
including COMMAND.COM.  The virus will install itself into system
memory, becoming resident, and is extremely prolific at infecting
any executable files that are opened for any reason.  This includes
using the DOS COPY and XCOPY commands to copy uninfected files: both
the source and the target files will end up infected.  Infected
files will have their lengths increased by 1,800 bytes.

        The Dark Avenger Virus does perform malicious damage.  The
virus maintains a counter in the disk's boot sector.  After each
sixteenth file is infected, the virus will randomly overwrite a
sector on the disk with a copy of the disk's boot sector.  If the
randomly selected sector is a portion of a program or data file,
the program or data file will be corrupted.  Programs and data files
which have been corrupted by a sector being overwritten are permanently
damaged and cannot be repaired since the original sector is lost.

        If you are infected with Dark Avenger, shut down your computer
and reboot from a write-protected boot diskette for the system,
then carefully use a disinfector, following all instructions.
Be sure to re-scan the system for infection once you have finished
disinfecting it.

        The conventional Dark Avenger virus contains the words:
"The Dark Avenger, copyright 1988, 1989", as well as the message:
"This program was written in the city of Sofia.  Eddie lives....
Somewhere in Time!".

        This virus bears no resemblance or similarity to the Jerusalem
viruses, even though they are similar in size.

Known variant(s) of Dark Avenger are:

   Dark Avenger-B : Very similar to the Dark Avenger virus, the major
                    difference is that .COM files will be reinfected,
                    adding 1,800 bytes to the file length with each
                    infection.  This variant also becomes memory
                    resident in high system memory instead of being a
                    low system memory TSR.  Text strings found in the
                    virus's code include: "Eddie lives...somewhere in
                    time!", "Diana P.", "This program was written in
                    the city of Sofia", "(C)1988-1989 Dark
                    Avenger".

   New variation  : You can identify text strings at the end of
                    the code file, such as "(C) 1991 RABID
                    International Development Corp!" and "Scan
                    String Killer Test".


        Although the conventional Dark Avenger is identified by
SCANV (from McAfee) the latest one is NOT.  You can identify it by
using an external identification file with either SCANV or CLEAN.
To use an external file, simply add the following text to your
SCAN.EXE or CLEAN.EXE command line: "/EXT filespec" where
'filespec' should point to a text file.  The text file should
contain the following information:

#New Dark Avenger strain...
"4375EF74192EA151" Dark Avenger (new)

The first line is simply a comment (see SCANV documentation for
more info).  The characters within the quotes on the second line
MUST be entered EXACTLY as you see them in order to identify the
virus.  If/when found, SCANV will display the identification
following the quoted text from the second line.


        This is all we have on this variation.  Hope it will help
some.  Good luck!




                                Regards ..   Andy

=======================================================================
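The message above describes the external identification file that SCANV and CLEAN accept via "/EXT filespec": comment lines beginning with "#", and signature lines consisting of a quoted hex scan string followed by the name to report. The following is an added example, not part of the captured message and not McAfee's code, that parses a file in that format and searches byte data for each scan string the way a 1991-era scanner would. The signature file text is the one from the message; the "infected" and "clean" buffers are constructed test data (a few filler bytes around the scan string), not real virus code. Function names (parse_ext_file, scan_bytes, scan_file) are this example's own.

```python
"""Added example: parse a SCAN-style /EXT signature file and match its
hex scan strings against byte data.  Names and sample data are this
example's own; the signature line is the one given in the message."""
import re
from typing import Dict, List

# Constructed copy of the /EXT file text from the message.
SAMPLE_EXT_FILE = """\
#New Dark Avenger strain...
"4375EF74192EA151" Dark Avenger (new)
"""

# Constructed sample data.  NOT real virus code: the "infected" buffer is
# filler bytes with the scan string from the message embedded in it, to
# show a hit; the "clean" buffer is filler only.
CONSTRUCTED_INFECTED = (b"MZ" + b"\x90" * 40
                        + bytes.fromhex("4375EF74192EA151")
                        + b"\x00" * 40)
CONSTRUCTED_CLEAN = b"MZ" + b"\x90" * 40 + b"\x00" * 40

# A signature line: a quoted run of hex digits, whitespace, then the name.
SIG_LINE = re.compile(r'^\s*"([0-9A-Fa-f]+)"\s+(.+?)\s*$')


def parse_ext_file(text: str) -> Dict[str, bytes]:
    """Parse external-signature text into {report name: pattern bytes}.

    Lines starting with '#' and blank lines are skipped, as in the format
    the message describes.  Anything else that is not a signature line,
    or a hex string with an odd number of digits, is rejected: a typo in
    the scan string silently disables detection, so fail loudly here.
    """
    sigs: Dict[str, bytes] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SIG_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a signature line: {line!r}")
        hexstr, name = m.groups()
        if len(hexstr) % 2:
            raise ValueError(f"line {lineno}: odd-length hex string {hexstr!r}")
        sigs[name] = bytes.fromhex(hexstr)
    return sigs


def scan_bytes(data: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """Return the names of every signature whose bytes occur in data.

    This is plain substring matching, which is exactly why a variant
    that changes even one byte of the scanned sequence (the "Scan String
    Killer" idea in the message) goes undetected until the /EXT file
    carries a string taken from the new strain.
    """
    return [name for name, pat in sigs.items() if pat in data]


def scan_file(path: str, sigs: Dict[str, bytes]) -> List[str]:
    """Read one file fully and scan it; whole-file read is fine for the
    small .COM/.EXE/overlay files this technique was used on."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), sigs)


if __name__ == "__main__":
    sigs = parse_ext_file(SAMPLE_EXT_FILE)
    for label, blob in (("constructed infected", CONSTRUCTED_INFECTED),
                        ("constructed clean", CONSTRUCTED_CLEAN)):
        hits = scan_bytes(blob, sigs)
        print(f"{label}: {'Found ' + ', '.join(hits) if hits else 'no match'}")
```

To use it on real files, load the text of your /EXT file with parse_ext_file and call scan_file on each .COM, .EXE and overlay file; as the message notes, do this from a write-protected boot diskette so that a resident copy of the virus is not active while you read the files.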

