Virus Name: V1024
Aliases: Dark Avenger III, Stealth Virus, Diamond, 1024
V Status: Rare
Discovered: May, 1990
Symptoms: TSR; decrease in available free memory
Eff Length: 1,024 Bytes
Type Code: PRA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, NAV, AVTK, F-Prot, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The V1024, or Dark Avenger III, virus was discovered in Bulgaria in
April 1990 by Daniel Kalchev. V1024 is a memory resident generic
infector of .COM and .EXE files. It is believed to have been
written by the same person that wrote Dark Avenger and V2000. This
virus may actually be an earlier version of the Dark Avenger virus,
it has many of the same characteristics, though it does not infect
all files when they are opened for any reason.
The first time a program infected with V1024 is executed, the virus
will install itself memory resident. At this time, it checks to
see if several interrupts are being monitored, including interrupts
1 and 3. If interrupts 1 and 3 are monitored, V1024 allow the
current program to run, but any subsequent program executed will
hang the system and V1024 will not replicate. When V1024 is memory
resident, infected systems will experience a decrease in free
memory by 1,072 bytes. Total system memory will not have changed.
The virus will have remapped several interrupts by altering their
location in the interrupt map page in memory. These interrupts
will now be controlled by V1024.
After V1024 becomes memory resident, the virus will infect any
program executed which is greater in length than 1,024 bytes. Both
.COM and .EXE files are infected, COMMAND.COM is not infected.
Infected files increase in length by 1,024 bytes, though this
increase will not appear if the virus is present in memory and a
DIR listing is done.
V1024 infected files can be identified by a text string which
appears very close to the end of infected files. The text string
V1024 does not appear contain any activation date.
Known variant(s) of V1024 are:
Diamond: Similar to V1024, Diamond's main difference is that it
becomes memory resident at the top of system memory but
below the 640K DOS boundary. Total system memory, and
available free memory, as measured by the DOS ChkDsk
program will decrease by 1,072 bytes. Interrupts 08 and
21 will be hooked by the virus.
Diamond-B: Similar to Diamond, this variant has been slightly
altered to avoid detection by some anti-viral programs.
See: Alfa Dark Avenger Diamond V651 V2000 Ah Damage