Desperado Virus


 Virus Name:  Desperado 
 Aliases:     Desperado.2403A, Desperado 1.0 
 V Status:    Rare 
 Discovered:  February, 1994 
 Symptoms:    .COM & .EXE growth; interrupt 12 return moved; 
              decrease in total system & available free memory 
 Origin:      Sweden 
 Eff Length:  2,403 - 2,418 Bytes 
 Type Code:   PRtAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, AVTK, ViruScan, Sweep, IBMAV, NAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    AVTK/N, Sweep/N, IBMAV/N, NShld, NAV/N, LProt, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Desperado virus was submitted in February, 1994, and is from 
       Sweden.  It is a memory resident, fast infector of .COM and .EXE 
       programs, including COMMAND.COM. 
 
       When the first Desperado-infected program is executed, the 
       virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary, moving interrupt 12's return. 
       Total system and available free memory, as indicated by the DOS CHKDSK 
       program, will have decreased by 6,144 bytes.  Interrupt 21 will be 
       hooked by the virus in memory.  Also at this time, the virus will 
       infect COMMAND.COM if it was not previously infected. 
 
       Once memory resident, this virus will infect .COM and .EXE programs 
       when they are executed or opened.  Infected programs will have a 
       file length increase of 2,403 to 2,418 bytes with the virus being 
       located at the end of the file.  The program's date and time in the 
       DOS disk directory listing will not be altered.  The following text 
       strings are encrypted within the Desperado viral code: 
 
               "Dr White - Sweden 1993SWV" 
               "SCANCLEAVSHITOOLMSAVCPAVVSAFF-PRVIRSTBAVTBSCTBCLTBUT 
                -V UTSCUT  CHKLIST.MS" 
               "Desperado Virus - Written in Malmo..." 
 
       The Desperado virus will not infect programs included in many 
       of the popular anti-viral utilities.  These programs are identified 
       by the virus by comparing the first four characters of the file name 
       with the contents of the second text string above. 
 
       It is unknown what Desperado does besides replicate. 
 
       Known variant(s) of Desperado 1.0 are: 
       Desperado.2403B: Desperado.2403B, or Desperado 1.1, is a later 
                      version of the Desperado virus.  It is functionally 
                      similar to the original virus and contains the same 
                      encrypted text strings. 
                      Origin:  Sweden  February, 1994. 
       Desperado.2403C: Desperado.2403C is a later version of the 
                      Desperado virus.  It is functionally similar to the 
                      original virus and contains the same encrypted text 
                      strings. 
                      Origin:  Sweden  March, 1994. 
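
The symptoms above (growth of 2,403 to 2,418 bytes, unchanged directory date and time, and the four-character name check) can be turned into a triage pass over two directory listings. This is an added example, not part of the original entry: the listings are constructed, the function names are hypothetical, and only the first line of the quoted exclusion string is used because the spacing of its wrapped tail cannot be recovered from the page.

```python
from dataclasses import dataclass

# First line of the second text string quoted in the entry (13 four-char names).
EXCLUSION_TEXT = "SCANCLEAVSHITOOLMSAVCPAVVSAFF-PRVIRSTBAVTBSCTBCLTBUT"
SKIPPED_PREFIXES = {EXCLUSION_TEXT[i:i + 4] for i in range(0, len(EXCLUSION_TEXT), 4)}
GROWTH_MIN, GROWTH_MAX = 2403, 2418  # effective length range given in the entry

@dataclass(frozen=True)
class Entry:
    name: str   # 8.3 file name
    size: int   # bytes
    stamp: str  # directory date/time as shown in the listing

def is_skipped_name(name: str) -> bool:
    """True if the first four characters match a name the virus leaves alone."""
    return name.upper()[:4] in SKIPPED_PREFIXES

def suspect_files(baseline, current):
    """Names of .COM/.EXE files that grew by the entry's range with an unchanged stamp."""
    old = {e.name.upper(): e for e in baseline}
    hits = []
    for e in current:
        name = e.name.upper()
        prev = old.get(name)
        if prev is None or not name.endswith((".COM", ".EXE")):
            continue
        growth = e.size - prev.size
        # A legitimate update normally changes the stamp; this infector does not.
        if GROWTH_MIN <= growth <= GROWTH_MAX and e.stamp == prev.stamp:
            hits.append(name)
    return sorted(hits)

# Constructed listings: a known-good baseline and a later snapshot.
BASELINE = [Entry("COMMAND.COM", 47845, "1991-04-09 05:00"),
            Entry("EDIT.COM", 413, "1991-04-09 05:00"),
            Entry("CHKDSK.EXE", 12241, "1991-04-09 05:00"),
            Entry("SCAN.EXE", 100000, "1994-01-15 12:00"),
            Entry("README.TXT", 900, "1994-01-15 12:00")]
CURRENT = [Entry("COMMAND.COM", 50248, "1991-04-09 05:00"),   # +2403, same stamp
           Entry("EDIT.COM", 2831, "1991-04-09 05:00"),       # +2418, same stamp
           Entry("CHKDSK.EXE", 14650, "1994-02-20 09:30"),    # +2409, stamp changed
           Entry("SCAN.EXE", 100000, "1994-01-15 12:00"),     # name prefix is skipped
           Entry("README.TXT", 3303, "1994-01-15 12:00")]     # not a .COM/.EXE

if __name__ == "__main__":
    for name in suspect_files(BASELINE, CURRENT):
        print("size/stamp pattern matches entry:", name)
    print("unchanged scanner explained by name check:", is_skipped_name("SCAN.EXE"))
```

A match is only a lead for a scanner to confirm, since unrelated changes can fall in the same size range.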
