Type File virus
Creator Qark
Date Discovered 1994.07
Place of Origin Australia
Source Language Assembly
Platform DOS
File Type(s) .com, .exe
Infection Length 1,093 bytes
Reported Costs

Daddy is a memory resident infector of MS-DOS .COM and .EXE files, including Daddy's features include encryption targeted against certain anti-virus products, deletion of anti-virus checksum databases and directory stealth. It is a member of Qark's "Incest family" that also includes Mummy, Sister and Brother.


Daddy goes memory resident by reducing the size of MCB (Memory Control Block) of the host if this is the last MCB in the chain. Daddy then creates its own MCB with owner field set to 0x0008 - and hooks the INT 21h vector directly. Daddy's decrypter plays a trick with the CPU prefetch to hamper debugging, as well as F-PROT anti-virus and TBCLEAN (generic disinfection utility included with Thunder-Byte Anti-Virus).

Daddy infects files when they are executed or opened, or when their dates or attributes are queried. Daddy also executes it directory size stealth on FCB findfirst/findnext calls. Daddy uses fairly standard algorithms when infecting .COM and .EXE files, and differentiates between these two file formats using the file extension The virus seems to only handle upper-case extensions. Files were marked as infected by setting the time-stamp value equal to the date-stamp Daddy additionally deletes several anti-virus checksum databases: 'ANTI-VIR.DAT' (ThunderByte Anti-Virus), 'MSAV.CHK' (Microsoft Anti- Virus), 'CHKLIST.CPS' (Central-Point Anti-Virus) and 'CHKLIST.MS (Microsoft Anti-Virus). Daddy includes the text strings:

[Incest Daddy]
by Qark/VLAD


Original research by JPanic aka @JPanicVX

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License