Daddy is a memory resident infector of MS-DOS .COM and .EXE files, including command.com. Daddy's features include encryption targeted against certain anti-virus products, deletion of anti-virus checksum databases and directory stealth. It is a member of Qark's "Incest family" that also includes Mummy, Sister and Brother.

Behavior

Daddy goes memory resident by reducing the size of MCB (Memory Control Block) of the host if this is the last MCB in the chain. Daddy then creates its own MCB with owner field set to 0x0008 - command.com and hooks the INT 21h vector directly. Daddy's decrypter plays a trick with the CPU prefetch to hamper debugging, as well as F-PROT anti-virus and TBCLEAN (generic disinfection utility included with Thunder-Byte Anti-Virus).

Daddy infects files when they are executed or opened, or when their dates or attributes are queried. Daddy also executes it directory size stealth on FCB findfirst/findnext calls. Daddy uses fairly standard algorithms when infecting .COM and .EXE files, and differentiates between these two file formats using the file extension The virus seems to only handle upper-case extensions. Files were marked as infected by setting the time-stamp value equal to the date-stamp Daddy additionally deletes several anti-virus checksum databases: 'ANTI-VIR.DAT' (ThunderByte Anti-Virus), 'MSAV.CHK' (Microsoft Anti- Virus), 'CHKLIST.CPS' (Central-Point Anti-Virus) and 'CHKLIST.MS (Microsoft Anti-Virus). Daddy includes the text strings:

[Incest Daddy]
by Qark/VLAD

Sources

Original research by JPanic aka @JPanicVX