Virus Name: Desperado
Aliases: Desperado.2403A, Desperado 1.0
V Status: Rare
Discovered: February, 1994
Symptoms: .COM & .EXE growth; interrupt 12 return moved;
decrease in total system & available free memory
Eff Length: 2,403 - 2,418 Bytes
Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, ViruScan, Sweep, IBMAV, NAV,
NAVDX, VAlert, PCScan, ChAV,
AVTK/N, Sweep/N, IBMAV/N, NShld, NAV/N, LProt, Innoc 4.0+
Removal Instructions: Delete infected files
The Desperado virus was submitted in February, 1994, and is from
Sweden. It is a memory resident, fast infector of .COM and .EXE
programs, including COMMAND.COM.
When the first Desperado infected program is executed, this
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, moving interrupt 12's return.
Total system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 6,144 bytes. Interrupt 21 will be
hooked by the virus in memory. Also at this time, the virus will
infect COMMAND.COM if it was not previously infected.
Once memory resident, this virus will infect .COM and .EXE programs
when they are executed or opened. Infected programs will have a
file length increase of 2,403 to 2,418 bytes with the virus being
located at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The following text
strings are encrypted within the Desperado viral code:
"Dr White - Sweden 1993SWV"
-V UTSCUT CHKLIST.MS"
"Desperado Virus - Written in Malmo..."
The Desperado virus will not infect programs included in many
of the popular anti-viral utilities. These programs are identified
by the virus by comparing the first four characters of the file name
with the contents of the second text string above.
It is unknown what Desperado does besides replicate.
Known variant(s) of Desperado 1.0 are:
Desperado.2403B: Desperado.2403B, or Desperado 1.1, is a later
version of the Desperado virus. It is functionally
similar to the original virus and contains the same
encrypted text strings.
Origin: Sweden February, 1994.
Desperado.2403C: Desperado.2403C is a later version of the
Desperado virus. It is functionally similar to the
original virus and contains the same encrypted text
Origin: Sweden March, 1994.