Dan Virus
Virus Name: Dan
Aliases: Dan.585
V Status: New
Discovery: January, 1996
Symptoms: .COM file growth; decrease in available free memory;
file date/time changes
Origin: Argentina
Eff Length: 585 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: IBMAV, NAV, NAVDX, AVTK, ViruScan 2.50+, ChAV, PCScan,
IBMAV/N, NAV/N, AVTK/N, NShld 2.32 9606+, Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Dan or Dan.585 virus was received in January, 1996, and appears
to be from Argentina. Dan is a memory resident infector of .COM
files, including COMMAND.COM.

When the first Dan infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Available
free memory, as indicated by the DOS CHKDSK program from DOS 5.0,
will have decreased by 864 bytes. Interrupt 21 will be hooked by the
virus in memory.

Once the Dan virus is memory resident, it will infect .COM programs,
including COMMAND.COM, when they are executed. Infected .COM files
will have a file length increase of 585 bytes with the virus being
located at the end of the file. The program's date and time in the
DOS disk directory listing will have been updated to the current
system date and time when infection occurred. The following text
strings are visible within the viral code:
"ANTI-VIR.DAT"
"CHKLIST.MS"

It is unknown what the Dan virus may do besides replicate.

Known variant(s) of Dan are:
Dan.1092: Also received in January, 1996, this is a 1,092 byte
variant of the Dan virus described above. Its size in memory
is 2,752 bytes, hooking interrupts 09 and 21. Infected .COM
files will have a file length increase of 1,092 bytes, though
this file length increase will not be visible in the DOS disk
directory listing when the virus is memory resident. The virus
will be located at the end of the infected file. The program's
date and time in the DOS disk directory listing will not appear
to be altered, though the seconds field will have been set to
"58". The following text strings are encrypted within the
viral code:
"Virus ANTI-ENTER v1.0"
"(c) 1995 El Cancerbero [DAN]"
"ARGENTINA"
"DIGITAL ANARCHY"
"C:CHKLIST.MS C:CHKLIST.CPS C:ZZ##.IM anti-vir.dat ANTI-VIR.DAT"
Origin: Argentina January, 1996.

Dan.1500: Also received in January, 1996, this is a 1,500 byte
non-resident direct action variant of the Dan virus described
above. It infects one .COM file located in the current directory
when an infected program is executed. Infected programs will
have a file length increase of 1,500 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will not be altered. The
following text string is encrypted within the viral code:
"Aqui no estoy!"
Origin: Argentina January, 1996.

Dan.1871: Also received in January, 1996, this is a 1,871 byte
memory resident variant of the Dan virus described above. Its
size in memory is 3,744 bytes, hooking interrupt 21. Once
resident, it infects .COM and some .EXE files, including
COMMAND.COM, when they are executed. Infected programs, other
than COMMAND.COM, will have a file length increase of 1,871
bytes, though this file length increase will be hidden when the
virus is memory resident. The virus will be located at the end
of the file. The file's date and time in the DOS disk
directory listing will not appear to be altered, though the
seconds field will have been set to "56". In the case of
COMMAND.COM, the virus will overwrite the end of the file which
normally contains hex "00" characters, so there will be no file
length increase. The seconds field in the file date and time in
the DOS disk directory will have been set to "06". The following
text strings are encrypted within the viral code:
"Disk Full."
"Press any key to continue"
"This program was written in Argentina"
"Copyright 1994-1995 Cancerbero [DAN]"
"C:CHKLIST.MS C:\CHKLIST.CPS C:ZZ##.IM anti-vir.dat ANTI-VIR.DAT"
"Greetings to all [DAN] members"
Origin: Argentina January, 1996.
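
Added example (not part of the original entry): a Python triage routine that decodes raw 32-byte FAT directory entries from a disk image and flags files whose seconds field matches the markers described above for Dan.1092 and Dan.1871; the DOS directory listing does not display seconds, so the raw entry has to be read. The function names and the sample directory are constructed for illustration, and a match is only a lead for a scanner, since the same seconds values also occur on clean files.

```python
import struct

def parse_entry(raw):
    """Decode one 32-byte FAT directory entry; None for slots that are not files."""
    if raw[0] in (0x00, 0xE5) or raw[11] & 0x18:
        return None  # free or deleted slot, volume label or long-name slot, directory
    time = struct.unpack_from("<H", raw, 22)[0]
    return {
        "name": raw[0:8].decode("ascii", "replace").rstrip(),
        "ext": raw[8:11].decode("ascii", "replace").rstrip(),
        "time": (time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2),  # 2-second units
    }

def marker(entry):
    """Variant whose seconds marker (per the write-up above) matches, or None."""
    seconds, ext = entry["time"][2], entry["ext"]
    is_shell = (entry["name"], ext) == ("COMMAND", "COM")
    if seconds == 58 and ext == "COM":
        return "Dan.1092"
    # Dan.1871 marks COMMAND.COM with "06" and other infected files with "56".
    if seconds == (6 if is_shell else 56) and ext in ("COM", "EXE"):
        return "Dan.1871"
    return None

def triage(directory):
    """Return (filename, variant) for each flagged file in a raw directory region."""
    hits = []
    for off in range(0, len(directory) - 31, 32):
        raw = directory[off:off + 32]
        if raw[0] == 0x00:  # first never-used slot ends the directory
            break
        entry = parse_entry(raw)
        variant = marker(entry) if entry else None
        if variant:
            hits.append((entry["name"] + "." + entry["ext"], variant))
    return hits

def make_entry(name, ext, attr, hms):
    """Build a constructed entry for the sample (date 1996-01-15, size 0)."""
    time = (hms[0] << 11) | (hms[1] << 5) | (hms[2] // 2)
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(), ext.ljust(3).encode(),
                       attr, time, (16 << 9) | (1 << 5) | 15, 2, 0)

# Constructed sample directory; names and timestamps are invented for illustration.
SAMPLE = b"".join(make_entry(*e) for e in [
    ("COMMAND", "COM", 0x20, (6, 0, 6)), ("EDIT", "COM", 0x20, (12, 30, 58)),
    ("FORMAT", "EXE", 0x20, (9, 15, 56)), ("README", "TXT", 0x20, (9, 15, 58)),
    ("GAMES", "", 0x10, (9, 15, 58)), ("CHKDSK", "COM", 0x20, (5, 0, 0)),
]) + bytes(32)
```

Run triage() over directory sectors read from an image or after booting from clean media, because the resident variants hide the file length increase while active.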