DAME Virus


 Virus Name:  DAME 
 Aliases:     Coffeeshop, Coffeeshop 2, CryptLab, DarkStar, Dedicated, 
              Dedicated 2, Dedicated 3, Encroacher, Encroacher 2, Fear, 
              MTE, MTE Spawn, MTE Spawn 2, PC Weevil, Questo 
 V Status:    Rare 
 Discovery:   February, 1992 
 Symptoms:    .COM file growth; system hangs; disk write failures; 
              warm reboots 
 Origin:      Bulgaria 
 Eff Length:  Over 3,000 Bytes 
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, NAV, ViruScan 2.51+, ChAV, 
                    Sweep, NAVDX, VAlert, PCScan, 
                    Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N, NShld, LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The DAME, or Dark Avenger Mutating Engine, was submitted in February, 
       1992.  DAME is not actually a virus itself, but rather a polymorphic 
       encryption engine which is used as part of the viruses indicated in 
       this entry.  The encryption produced by the encryption engine is 
       extremely complex, with no more than three bytes remaining constant 
       within replicated samples.  As a result, viruses encrypted with this 
       engine can only be identified by the presence of the encryption 
       engine itself.  One other virus which has been included in VSUM in a
       separate entry also uses this engine:  Pogue.
 
       Known viruses using DAME are:
       Coffeeshop: Received in August, 1992, Coffeeshop is a memory 
             resident infector of .EXE programs which uses a modified 
             version of the Dark Avenger Mutating Engine. It becomes 
             memory resident at the top of system memory but below the 
             640K DOS boundary when the first infected program is executed. 
             Total system and available free memory, as indicated by the 
             DOS CHKDSK program, will have decreased by 12,288 bytes, and 
             interrupt 21 will be hooked.  Once resident, it infects .EXE 
             programs when they are executed, adding 3,820 - 3,974 bytes 
             to their length.  The virus is located at the end of infected 
             files.  The following text string is found within the virus, 
             though it is not visible in infected programs: 
             "Amsterdam - COFFEESHOP!" 
             Origin:  Amsterdam, The Netherlands  August, 1992. 
       Coffeeshop 2: Received in September, 1992, Coffeeshop 2 is 
             based on the Coffeeshop virus described above.  Its size and 
             usage of memory is the same as for the Coffeeshop virus. 
             Once resident, it infects .EXE programs when they are  
             executed, adding 3,845 - 3,977 bytes to their length.  The 
             virus is located at the end of infected files.  The following 
             text strings are found within the virus, though they are not 
             visible in most infected programs: 
             "Amsterdam = COFFEESHOP!" 
             "MK1992" 
             Origin:  Amsterdam, The Netherlands  September, 1992. 
       CryptLab: The CryptLab virus was received in October, 1992. 
             It appears to be from the United States.  CryptLab is a 
             non-resident direct action infector of .COM programs, 
             including COMMAND.COM.  When a program infected with the 
             CryptLab virus is executed, the virus will search the current 
             directory for uninfected .COM programs to infect.  It may 
             infect up to eight .COM programs per execution of an infected 
             program.  Programs infected with the CryptLab virus will have 
             a file length increase of 2,982 to 3,227 bytes with the virus 
             being located at the end of the file.  The file's date and 
             time in the DOS disk directory will not be altered.  The 
             following text strings are encrypted within most replicated 
             samples of the virus: 
             "CryPtLAB:  THE SELECT CHOICE FOR ALL YOUR 
              VIRUS AND TROJANRESEARCH NEEDS!" 
             "-URNST KOUCH." 
             Origin:  United States  October, 1992. 
       DarkStar:  A non-resident direct action .COM program infector, 
             DarkStar will infect up to four .COM programs in the current 
             directory each time an infected program is executed.  If 
             COMMAND.COM is located in this directory, it may become 
             infected.  Programs infected with DarkStar will have a file 
             length increase of 2,971 to 3,235 bytes.  The virus will be 
             located at the end of the infected file.  While this virus will 
             usually be fully encrypted in infected files, occasionally a
             program will contain an unencrypted copy of the virus.  These 
             unencrypted samples will contain the following text strings: 
             "NightMare Labs, United Kingdom" 
             "- DarKStaR -" 
             "*.COM" 
             Origin:  England  January, 1993. 
       Dedicated:  A non-resident direct action .COM program infector, 
             Dedicated will infect up to four .COM programs in the current 
             directory each time an infected program is executed.  If 
             COMMAND.COM is located in this directory, it may become 
             infected.  Programs infected with DAME will have a file length 
             increase in excess of 3,100 bytes.  The virus will be located 
             at the end of the infected file.  While this virus will usually 
             be fully encrypted in infected files, occasionally a program
             will contain an unencrypted copy of the virus.  These 
             unencrypted samples will contain the following text string: 
             "We dedicate this little virus to Sara Gordon who wanted to 
              have a virus named after her." 
             Dedicated does not do anything besides replicate. 
             Origin:  Bulgaria  February, 1992. 
       Dedicated 2: Received in September, 1992, Dedicated 2 is 
             based on the Dedicated virus described above.  Unlike 
             the Dedicated virus, Dedicated 2 is a memory resident infector 
             of .COM programs.  It becomes memory resident at the top of 
             system memory but below the 640K DOS boundary when the first 
             infected program is executed.  Total system and available free 
             memory, as indicated by the DOS CHKDSK program, will have 
             decreased by 5,120 bytes.  Interrupt 21 will be hooked. 
             Dedicated 2 infects .COM programs when they are executed, 
             adding approximately 3,582 to 3,758 bytes to their length. 
             The virus will be located at the end of the file.  The file's 
             date and time in the DOS disk directory listing will not be 
             altered.  The following text strings are encrypted within the 
             viral code, and will not be visible in most infected programs: 
             "We dedicate this little virus to Sara Gordon," 
             "who wanted to have it corrected--" 
             "learn to program before you touch M_t_e" 
             Origin:  Bulgaria  September, 1992. 
       Dedicated 3: Received in November, 1992, Dedicated 3 is based on 
             the Dedicated 2 virus described above.  Dedicated 3 is a memory 
             resident infector of .COM and .EXE programs.  Its size in 
             memory is 5,120 bytes, hooking interrupt 21.  Dedicated 3 
             infects .COM and some .EXE programs when they are executed, 
             adding approximately 3,539 to 3,717 bytes to their length. 
             The virus will be located at the end of the file.  The file's 
             date and time in the DOS disk directory listing will have been 
             updated to the current system date and time.  The following text 
             strings are encrypted within the viral code, and will not be 
             visible in most infected programs: 
             "We dedicate this little virus to Sara Gordon," 
             "who wanted to have it corrected--" 
             "learn to program before you touch M_t_e" 
             Origin:  Unknown  November, 1992. 
       Encroacher: A non-resident direct action .COM program infector, 
             Encroacher will infect one .COM program in the current 
             directory when an infected program is executed.  If 
             COMMAND.COM is located in this directory, it may become 
             infected.  Programs infected with Encroacher will have a file 
             length increase of 3,227 to 3,483 bytes with the virus being 
             located at the end of the infected file.  There will be no 
             change to the file's date and time in the DOS disk directory 
             listing.  The following text strings are usually encrypted 
             within the viral code in Encroacher infected programs: 
             "ENCROACHER is here" 
             "*.COM chklist.cps C:\CPAV\CPAV.EXE C:\CPAV\VSAFE.COM *.EXE" 
             Encroacher may interfere with the functioning of Central Point
             anti-virus when it is installed in its default installation 
             directory. 
             Origin:  Unknown  October, 1992. 
       Encroacher 2: Functionally similar to Encroacher, this is a 
             minor variant. 
             Origin:  Unknown  October, 1992. 
       Fear: A non-resident direct action .COM program infector, Fear 
             will infect up to four .COM programs in the current directory 
             when an infected program is executed.  If COMMAND.COM is 
             located in this directory, it may become infected.  Programs 
             infected with Fear will have a file length increase in excess 
             of 3,000 bytes with the virus being located at the end of the 
             infected file.  There will be no change to the file's date and 
             time in the DOS disk directory listing.  Occasionally, a
             program infected with the Fear virus will contain an 
             unencrypted copy of the Fear viral code.  These unencrypted 
             samples will contain the following text strings: 
             "Fear Virus Created 2-5-92 by PkaHerONE" 
             "*.COM You have nothing to fear except FEAR itself" 
             Systems infected with the Fear virus may experience warm 
             reboots occurring unexpectedly, or occasionally general
             failure errors writing to a non-existent drive.  Once all the
             .COM files in the current directory have been infected, a 
             system hang will occur when an infected program is executed. 
             Origin:  Unknown  March, 1992. 
       MTE Spawn: Received in September, 1992, MTE Spawn is a non- 
             resident spawning or companion virus which uses the Dark 
             Avenger Mutating Engine for its encryption.  When an infected 
             program is executed, this virus will infect one .EXE file 
             in the current directory, creating a 6,666 to 6,746 byte 
             .COM file with the same base file name.  This companion file 
             will have the read-only, system, and hidden attributes set, 
             and its date and time will be the system date and time when 
             infection occurred.  The original .EXE file will not be 
             altered.  Execution of an MTE Spawn virus infected program 
             will result in a system hang after five .EXE files in the 
             current directory have become infected.  Additionally, 
             the companion files will not be executed under some versions 
             of DOS due to a minor bug in this virus.  To disinfect an 
             infection of MTE Spawn, simply delete the hidden companion 
             files. 
             Origin:  Unknown  September, 1992. 
       MTE Spawn 2: Received in October, 1992, MTE Spawn 2 is a non- 
             resident spawning or companion virus which uses the Dark 
             Avenger Mutating Engine for its encryption.  When an infected 
             program is executed, this virus will infect one .EXE file 
             in the current directory, creating a 2,754 to 2,894 byte 
             .COM file with the same base file name.  This companion file 
             will have the read-only, system, and hidden attributes set, 
             and its date and time will be the system date and time when 
             infection occurred.  The original .EXE file will not be 
             altered.  Execution of an MTE Spawn 2 virus infected program 
             will result in a system hang after five .EXE files in the 
             current directory have become infected.  Additionally, 
             the companion files will not be executed under some versions 
             of DOS due to a minor bug in this virus.  To disinfect an 
             infection of MTE Spawn 2, simply delete the hidden companion 
             files. 
             Origin:  Unknown  October, 1992. 
       PC Weevil: A non-resident direct action .COM program infector, 
             PC Weevil will infect six .COM programs in the current directory 
             when an infected program is executed.  It does not infect 
             COMMAND.COM.  Programs infected with PC Weevil will have a file 
             length increase of 3,139 to 3,299 bytes with the virus being 
             located at the end of the infected file.  There will be no 
             change to the file's date and time in the DOS disk directory 
             listing.  The following text strings are usually encrypted 
             within the viral code in PC Weevil infected programs: 
             "PC Weevil: Still the select choice for your virus 
              research needs" 
             "*.COM" 
             "MtE 0.90" 
             System hangs frequently occur when infected programs are 
             executed. 
             Origin:  Unknown  September, 1993. 
       Questo: A non-resident direct action .COM program infector, 
             Questo will infect four .COM programs in the current directory 
             when an infected program is executed.  If COMMAND.COM is 
             located in this directory, it may become infected.  Programs 
             infected with Questo will have a file length increase of 2,971 
             to 3,227 bytes with the virus being located at the end of the 
             infected file.  There will be no change to the file's date and 
             time in the DOS disk directory listing.  The following text 
             strings are usually encrypted within the viral code in Questo 
             infected programs: 
             "Questo sistema  stato infettat*.COM" 
             "MtE 0.90" 
             "????????COM" 
             Origin:  Unknown  November, 1992. 
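
       The MTE Spawn and MTE Spawn 2 entries above describe companion files
       that can be found from a directory listing alone.  The following check
       is an added example, not part of the original entry: the DirEntry
       record, the function names and the sample listing are hypothetical,
       and only the attributes and size ranges come from the text above.

```python
from collections import namedtuple

# Companion .COM size ranges, taken from the MTE Spawn entries above.
COMPANION_SIZES = {
    "MTE Spawn": range(6666, 6746 + 1),
    "MTE Spawn 2": range(2754, 2894 + 1),
}
COMPANION_ATTRS = frozenset("RSH")  # read-only, system, hidden
DirEntry = namedtuple("DirEntry", "name size attrs")  # hypothetical record

# Constructed sample listing of one directory (not real data).
SAMPLE = [
    DirEntry("EDIT.EXE", 41234, "A"),
    DirEntry("EDIT.COM", 6701, "RSH"),    # hidden companion, first size range
    DirEntry("CALC.EXE", 18200, "A"),
    DirEntry("CALC.COM", 2800, "RSH"),    # hidden companion, second size range
    DirEntry("TOOL.EXE", 9000, "A"),
    DirEntry("TOOL.COM", 6700, "A"),      # visible .COM: attributes do not match
    DirEntry("FORMAT.COM", 6690, "RSH"),  # no .EXE with the same base name
]


def split_name(name):
    """Split a DOS file name into (BASE, EXT), upper-cased."""
    base, _, ext = name.upper().rpartition(".")
    return (base, ext) if base else (ext, "")


def find_companions(entries):
    """Return (com_name, exe_name, variant) for each suspicious pair."""
    exes = {}
    for e in entries:
        base, ext = split_name(e.name)
        if ext == "EXE":
            exes[base] = e.name
    hits = []
    for e in entries:
        base, ext = split_name(e.name)
        # A companion shares the base name of an untouched .EXE.
        if ext != "COM" or base not in exes:
            continue
        if not COMPANION_ATTRS <= set(e.attrs.upper()):
            continue
        variant = next((v for v, r in COMPANION_SIZES.items() if e.size in r),
                       "size outside listed ranges")
        hits.append((e.name, exes[base], variant))
    return hits
```

       Hidden, system, read-only .COM files that shadow an .EXE but fall
       outside both size ranges are still reported, labelled as such.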
 
       See:   Groove   Pogue                  
