Bomber Virus


 Virus Name:  Bomber 
 Aliases:     Bomb 
 V Status:    Rare 
 Discovery:   May, 1992 
 Symptoms:    .COM file growth; decrease in total system & available free 
              memory; sluggish DOS DIR commands; beeps & message; 
              boot failures; file allocation errors 
 Origin:      Malaysia 
 Eff Length:  2,204 Bytes 
 Type Code:   PRhCK - Parasitic Non-Resident .COM Infector 
 Detection Method:  ViruScan, NAV, NAVDX, IBMAV, AVTK 7.68+, 
                    NShld, NAV/N, IBMAV/N, AVTK/N 7.68+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Bomber, or Bomb, virus was received from Malaysia in May, 1992. 
       This virus is a memory resident infector of .COM files which employs 
       some stealth technology to avoid detection.  It activates on 
       August 31st, Malaysia's Independence Day. 
 
       When the first program infected with the Bomber virus is executed, 
       the Bomber virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary.  Interrupt 12's return 
       will not be moved.  Total system and available free memory, as 
       indicated by the DOS CHKDSK program, will have decreased by 3,072 
       bytes.  Interrupts 1C, 20, 21, and 22 will be hooked by the Bomber 
       virus in memory. 
 
       Once the Bomber virus is memory resident, it will infect .COM 
       programs when they are executed or opened.  It will also infect all 
       of the .COM programs in a directory when a DOS DIR command is 
       issued.  Programs infected with the Bomber virus will have a file 
       length increase of 2,204 bytes, though the increase in size will be 
       hidden if Bomber is memory resident.  The virus will be located at 
       the beginning of the infected files.  Infected programs will not have 
       their file date and time altered in the DOS disk directory listing. 
       Bomber is an encrypted virus, and no text strings are visible within 
       the viral code in infected programs. 
 
       The Bomber virus activates on August 31st, Malaysia's Independence 
       Day.  On August 31st, the virus will occasionally emit three beeps 
       and the following message will be displayed: 
 
                     "! I AM THE STEALTH BOMBER ! 
 
                     ┌────────────────────────────┐ 
                     │   I BELONG TO THE NEW      │ 
                     │   GENERATION OF COMPUTER   │ 
                     │ VIRUSES.  LIKE THE STEALTH │ 
                     │   BOMBER, I GO UNDETECTED  │ 
                     │      BY ENEMY RADAR        │ 
                     └────────────────────────────┘ 
 
                     !!!      DO NOT PANIC      !!! 
 
                          I AM SHOWING OFF HOW 
                       EASY I CAN EVADE YOUR ANTI 
                       VIRUS SYSTEM - I DO NO HARM" 
 
       Bomber doesn't do anything malicious besides displaying its 
       message.  However, systems infected with the Bomber virus will 
       experience boot failures after COMMAND.COM becomes infected, and 
       the DOS CHKDSK program will report file allocation errors when 
       Bomber is memory resident.  Lastly, the DOS DIR command will be 
       very sluggish. 
 
       Known variant(s) of Bomber are: 
       Messy: Also received from Malaysia in May, 1992, Messy is a 
              variant of the Bomber virus.  The major change between the 
              two viruses is that Messy will emit more beeping on 
              August 31st, and display the following message: 
 
                         "MESSY VIRUS 
                       CATCH ME IF YOU CAN !!! 
                         HA..HA..HA!!!" 
 
         
