Commander
Type: File virus
Creator: Dark Avenger
Date Discovered: 1992.05
Place of Origin: Sofia, Bulgaria
Source Language: Assembly
Platform: DOS
File Type(s): .com
Infection Length: 4,096 bytes
Reported Costs:

Commander, also called Commander Bomber, is a virus coded by Dark Avenger. Its method of infecting files was particularly interesting and made the work of antivirus researchers very difficult. It was also one of his viruses that used his Mutation Engine.

Behavior

When an infected file is executed, Commander becomes memory resident in low system memory. It infects .com files as they are executed.

Commander inserts its main body somewhere in the middle of the file. A block of code is placed at the beginning of the file, which points to another block of randomly-placed code in the file, which itself points to another randomly-placed block of code. There may be several of these before the code finally points to the virus body.

These blocks of code are polymorphic and use the Dark Avenger Mutation Engine. In addition, the blocks contain a great deal of garbage code, making them all the more difficult to read. Furthermore, the ways to transfer control to the next block of code and to the virus body are obfuscated. The virus body itself is not encrypted.

The beginning of the virus body contains the unencrypted text:

  COMMANDER BOMBER WAS HERE

and:

  [DAME]  [DAME]

Effects

Commander made the work of virus researchers very difficult. The infection method required scanners to search entire files to find the virus and its blocks. Very few scanners in the early 1990s could do this effectively, and fewer could do it quickly.
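
An added illustration (not from the original page or from any antivirus product) of why whole-file scanning mattered: a check limited to the start and end of a file misses a marker located mid-file, while a streaming search of the entire file finds it. The sample buffer is constructed, inert data; the function names and the 256-byte window are assumptions made for this example.

```python
import io

MARKER = b"COMMANDER BOMBER WAS HERE"  # plaintext string quoted on this page


def top_and_tail_scan(data: bytes, window: int = 256) -> bool:
    """Shortcut scan: look only at the first and last `window` bytes (assumed size)."""
    return MARKER in data[:window] or MARKER in data[-window:]


def full_scan(stream, chunk_size: int = 4096) -> int:
    """Search the whole stream; return the marker's file offset, or -1.

    The last len(MARKER)-1 bytes of each buffer are carried into the next one,
    so a marker that straddles a chunk boundary is still matched.
    """
    overlap = len(MARKER) - 1
    tail, base = b"", 0  # base = file offset of tail[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return -1
        buf = tail + chunk
        idx = buf.find(MARKER)
        if idx != -1:
            return base + idx
        tail = buf[-overlap:]
        base += len(buf) - len(tail)


def build_sample(size: int = 20000, marker_at: int = 4090) -> bytes:
    """Constructed, inert test buffer: zero bytes with only the text marker inside."""
    data = bytearray(size)
    data[marker_at:marker_at + len(MARKER)] = MARKER
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample()  # marker sits mid-file, across the 4096-byte boundary
    print("top-and-tail hit:", top_and_tail_scan(sample))
    print("full-scan offset:", full_scan(io.BytesIO(sample)))
```

The cost difference is visible in the structure: the shortcut reads a fixed number of bytes per file, while the full scan reads every byte, which is what made it slow on the hardware of the time.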

Name

Commander takes its name from the COMMANDER BOMBER text at the beginning of the virus body. Antivirus vendors have usually called it something along the lines of Commander Bomber (sometimes with the first word shortened to Cmdr) or Bomber. Bomber is also a Malaysian virus from about the same time.

Other Facts

In The Art of Computer Virus Research and Defense, Peter Szor says Commander was coded in late 1993 and was one of Dark Avenger's last viruses. All other sources say it is from early 1992, and one post to Virus-L proves that it was known as early as May of 1992.

Sources

Peter Szor. The Art of Computer Virus Research and Defense, pp 142, 143. Addison Wesley, Pearson Education, Symantec Press: 2005. ISBN 0-321-30454-3

Mikko Hypponen. F-Secure Antivirus, F-Secure Virus Descriptions : Bomber.

VIRUS-L Digest, Volume 5 : Issue 169, "Re: KEY Press virus & McAfee v97 (PC)". 1992.10.28

Patricia Hoffman. Online VSUM, Cmdr Bomber Virus.
