DAME Virus
Virus Name: DAME
Aliases: Coffeeshop, Coffeeshop 2, CryptLab, DarkStar, Dedicated,
Dedicated 2, Dedicated 3, Encroacher, Encroacher 2, Fear,
MTE, MTE Spawn, MTE Spawn 2, PC Weevil, Questo
V Status: Rare
Discovery: February, 1992
Symptoms: .COM file growth; system hangs; disk write failures;
warm reboots
Origin: Bulgaria
Eff Length: Over 3,000 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: F-Prot, AVTK, IBMAV, NAV, ViruScan 2.51+, ChAV,
Sweep, NAVDX, VAlert, PCScan,
Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N, NShld, LProt
Removal Instructions: Delete infected files
General Comments:
The DAME, or Dark Avenger Mutating Engine, was submitted in February,
1992. DAME is not actually a virus itself, but rather a polymorphic
encryption engine which is used as part of the viruses indicated in
this entry. The encryption produced by the encryption engine is
extremely complex, with no more than three bytes remaining constant
within replicated samples. As a result, viruses encrypted with this
engine can only be identified by the presence of the encryption
engine itself. One other virus which has been included in VSUM in a
separate entry also uses this engine: Pogue.
Known virus(es) using DAME are:
Coffeeshop: Received in August, 1992, Coffeeshop is a memory
resident infector of .EXE programs which uses a modified
version of the Dark Avenger Mutating Engine. It becomes
memory resident at the top of system memory but below the
640K DOS boundary when the first infected program is executed.
Total system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 12,288 bytes, and
interrupt 21 will be hooked. Once resident, it infects .EXE
programs when they are executed, adding 3,820 - 3,974 bytes
to their length. The virus is located at the end of infected
files. The following text string is found within the virus,
though it is not visible in infected programs:
"Amsterdam - COFFEESHOP!"
Origin: Amsterdam, The Netherlands August, 1992.
Coffeeshop 2: Received in September, 1992, Coffeeshop 2 is
based on the Coffeeshop virus described above. Its size and
usage of memory is the same as for the Coffeeshop virus.
Once resident, it infects .EXE programs when they are
executed, adding 3,845 - 3,977 bytes to their length. The
virus is located at the end of infected files. The following
text strings are found within the virus, though they are not
visible in most infected programs:
"Amsterdam = COFFEESHOP!"
"MK1992"
Origin: Amsterdam, The Netherlands September, 1992.
CryptLab: The CryptLab virus was received in October, 1992.
It appears to be from the United States. CryptLab is a
non-resident direct action infector of .COM programs,
including COMMAND.COM. When a program infected with the
CryptLab virus is executed, the virus will search the current
directory for uninfected .COM programs to infect. It may
infect up to eight .COM programs per execution of an infected
program. Programs infected with the CryptLab virus will have
a file length increase of 2,982 to 3,227 bytes with the virus
being located at the end of the file. The file's date and
time in the DOS disk directory will not be altered. The
following text strings are encrypted within most replicated
samples of the virus:
"CryPtLAB: THE SELECT CHOICE FOR ALL YOUR
VIRUS AND TROJANRESEARCH NEEDS!"
"-URNST KOUCH."
Origin: United States October, 1992.
DarkStar: A non-resident direct action .COM program infector,
DarkStar will infect up to four .COM programs in the current
directory each time an infected program is executed. If
COMMAND.COM is located in this directory, it may become
infected. Programs infected with DarkStar will have a file
length increase of 2,971 to 3,235 bytes. The virus will be
located at the end of the infected file. While this virus will
usually be fully encrypted in infected files, occasionally a
program will contain an unencrypted copy of the virus. These
unencrypted samples will contain the following text strings:
"NightMare Labs, United Kingdom"
"- DarKStaR -"
"*.COM"
Origin: England January, 1993.
Dedicated: A non-resident direct action .COM program infector,
Dedicated will infect up to four .COM programs in the current
directory each time an infected program is executed. If
COMMAND.COM is located in this directory, it may become
infected. Programs infected with DAME will have a file length
increase in excess of 3,100 bytes. The virus will be located
at the end of the infected file. While this virus will usually
be fully encrypted in infected files, occasionally a program
will contain an unencrypted copy of the virus. These
unencrypted samples will contain the following text string:
"We dedicate this little virus to Sara Gordon who wanted to
have a virus named after her."
Dedicated does not do anything besides replicate.
Origin: Bulgaria February, 1992.
Dedicated 2: Received in September, 1992, Dedicated 2 is
based on the Dedicated virus described above. Unlike
the Dedicated virus, Dedicated 2 is a memory resident infector
of .COM programs. It becomes memory resident at the top of
system memory but below the 640K DOS boundary when the first
infected program is executed. Total system and available free
memory, as indicated by the DOS CHKDSK program, will have
decreased by 5,120 bytes. Interrupt 21 will be hooked.
Dedicated 2 infects .COM programs when they are executed,
adding approximately 3,582 to 3,758 bytes to their length.
The virus will be located at the end of the file. The file's
date and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within the
viral code, and will not be visible in most infected programs:
"We dedicate this little virus to Sara Gordon,"
"who wanted to have it corrected--"
"learn to program before you touch M_t_e"
Origin: Bulgaria September, 1992.
Dedicated 3: Received in November, 1992, Dedicated 3 is based on
the Dedicated 2 virus described above. Dedicated 3 is a memory
resident infector of .COM and .EXE programs. Its size in
memory is 5,120 bytes, hooking interrupt 21. Dedicated 3
infects .COM and some .EXE programs when they are executed,
adding approximately 3,539 to 3,717 bytes to their length.
The virus will be located at the end of the file. The file's
date and time in the DOS disk directory listing will have been
updated to the current system date and time. The following text
strings are encrypted within the viral code, and will not be
visible in most infected programs:
"We dedicate this little virus to Sara Gordon,"
"who wanted to have it corrected--"
"learn to program before you touch M_t_e"
Origin: Unknown November, 1992.
Encroacher: A non-resident direct action .COM program infector,
Encroacher will infect one .COM program in the current
directory when an infected program is executed. If
COMMAND.COM is located in this directory, it may become
infected. Programs infected with Encroacher will have a file
length increase of 3,227 to 3,483 bytes with the virus being
located at the end of the infected file. There will be no
change to the file's date and time in the DOS disk directory
listing. The following text strings are usually encrypted
within the viral code in Encroacher infected programs:
"ENCROACHER is here"
"*.COM chklist.cps C:\CPAV\CPAV.EXE C:\CPAV\VSAFE.COM *.EXE"
Encroacher may interfere with the functioning of Central Point
anti-virus when it is installed in its default installation
directory.
Origin: Unknown October, 1992.
Encroacher 2: Functionally similar to Encroacher, this is a
minor variant.
Origin: Unknown October, 1992.
Fear: A non-resident direct action .COM program infector, Fear
will infect up to four .COM programs in the current directory
when an infected program is executed. If COMMAND.COM is
located in this directory, it may become infected. Programs
infected with Fear will have a file length increase in excess
of 3,000 bytes with the virus being located at the end of the
infected file. There will be no change to the file's date and
time in the DOS disk directory listing. Occasionally, a
program infected with the Fear virus will contain an
unencrypted copy of the Fear viral code. These unencrypted
samples will contain the following text strings:
"Fear Virus Created 2-5-92 by PkaHerONE"
"*.COM You have nothing to fear except FEAR itself"
Systems infected with the Fear virus may experience warm
reboots occurring unexpectedly, or occasionally general
failure errors writing to a nonexistent drive. Once all the
.COM files in the current directory have been infected, a
system hang will occur when an infected program is executed.
Origin: Unknown March, 1992.
MTE Spawn: Received in September, 1992, MTE Spawn is a non-
resident spawning or companion virus which uses the Dark
Avenger Mutating Engine for its encryption. When an infected
program is executed, this virus will infect one .EXE file
in the current directory, creating a 6,666 to 6,746 byte
.COM file with the same base file name. This companion file
will have the read-only, system, and hidden attributes set,
and its date and time will be the system date and time when
infection occurred. The original .EXE file will not be
altered. Execution of an MTE Spawn virus infected program
will result in a system hang after five .EXE files in the
current directory have become infected. Additionally,
the companion files will not be executed under some versions
of DOS due to a minor bug in this virus. To disinfect an
infection of MTE Spawn, simply delete the hidden companion
files.
Origin: Unknown September, 1992.
MTE Spawn 2: Received in October, 1992, MTE Spawn 2 is a non-
resident spawning or companion virus which uses the Dark
Avenger Mutating Engine for its encryption. When an infected
program is executed, this virus will infect one .EXE file
in the current directory, creating a 2,754 to 2,894 byte
.COM file with the same base file name. This companion file
will have the read-only, system, and hidden attributes set,
and its date and time will be the system date and time when
infection occurred. The original .EXE file will not be
altered. Execution of an MTE Spawn 2 virus infected program
will result in a system hang after five .EXE files in the
current directory have become infected. Additionally,
the companion files will not be executed under some versions
of DOS due to a minor bug in this virus. To disinfect an
infection of MTE Spawn 2, simply delete the hidden companion
files.
Origin: Unknown October, 1992.
PC Weevil: A non-resident direct action .COM program infector,
PC Weevil will infect six .COM programs in the current directory
when an infected program is executed. It does not infect
COMMAND.COM. Programs infected with PC Weevil will have a file
length increase of 3,139 to 3,299 bytes with the virus being
located at the end of the infected file. There will be no
change to the file's date and time in the DOS disk directory
listing. The following text strings are usually encrypted
within the viral code in PC Weevil infected programs:
"PC Weevil: Still the select choice for your virus
research needs"
"*.COM"
"MtE 0.90"
System hangs frequently occur when infected programs are
executed.
Origin: Unknown September, 1993.
Questo: A non-resident direct action .COM program infector,
Questo will infect four .COM programs in the current directory
when an infected program is executed. If COMMAND.COM is
located in this directory, it may become infected. Programs
infected with Questo will have a file length increase of 2,971
to 3,227 bytes with the virus being located at the end of the
infected file. There will be no change to the file's date and
time in the DOS disk directory listing. The following text
strings are usually encrypted within the viral code in Questo
infected programs:
"Questo sistema è stato infettat*.COM"
"MtE 0.90"
"????????COM"
Origin: Unknown November, 1992.
See: Groove Pogue
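Added example (not part of the original VSUM entry): a check for the companion-file pattern described under MTE Spawn and MTE Spawn 2, flagging a .COM file that shares its base name with an .EXE, has the read-only, system and hidden attributes set, and falls in one of the two quoted size ranges. The Entry record, the function names and the sample listing are assumptions made for illustration.

```python
from collections import namedtuple

# DOS attribute bits: read-only (0x01), hidden (0x02), system (0x04).
COMPANION_ATTRS = 0x01 | 0x02 | 0x04

# Companion .COM sizes quoted in the two entries (bytes, inclusive).
SIZE_RANGES = {"MTE Spawn": (6666, 6746), "MTE Spawn 2": (2754, 2894)}

# Hypothetical record for one directory entry: name, size, attribute byte.
Entry = namedtuple("Entry", "name size attrs")


def split_name(name):
    # Upper-cased (BASE, EXT); EXT is '' when the name has no dot.
    base, dot, ext = name.upper().rpartition(".")
    return (base, ext) if dot else (ext, "")


def find_companions(entries):
    """Return (com_name, exe_name, variant) for each suspect companion file.

    A .COM is reported when an .EXE with the same base name is in the same
    listing and the .COM has read-only, system and hidden all set. variant
    names the matching size range, or is None when the size fits neither.
    """
    exes = {}
    for e in entries:
        base, ext = split_name(e.name)
        if ext == "EXE":
            exes[base] = e.name
    hits = []
    for e in entries:
        base, ext = split_name(e.name)
        if ext != "COM" or base not in exes:
            continue
        if (e.attrs & COMPANION_ATTRS) != COMPANION_ATTRS:
            continue  # visible or writable: not the documented pattern
        variant = next((v for v, (lo, hi) in SIZE_RANGES.items()
                        if lo <= e.size <= hi), None)
        hits.append((e.name, exes[base], variant))
    return hits


# Constructed sample listing, not taken from a real system.
SAMPLE = [
    Entry("EDIT.EXE", 41200, 0x20), Entry("EDIT.COM", 6700, 0x27),
    Entry("CALC.EXE", 18000, 0x20), Entry("CALC.COM", 2800, 0x07),
    Entry("FORMAT.COM", 22000, 0x20),                              # no .EXE twin
    Entry("TOOL.EXE", 9000, 0x20), Entry("TOOL.COM", 6700, 0x20),  # not hidden
]
```

A hit whose variant is None still matches the name and attribute pattern and deserves a manual look; the original .EXE is left in place, since the entries state it is not altered.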