|Place of Origin||Moscow, Russia|
When Dammit is executed, it loads itself into memory. When an .exe file is loaded, Dammit infects it, appending its code to the file. It avoids files with the following strings in their names:
In addition to avoiding these files, the virus has a few techniques to avoid detection. It removes the antivirus VxD drivers of AVP and Spider antivirus. It also avoids being found in Microsoft's Soft-Ice debugger.
The following text can be found in the virus body:
DAMMiT by ULTRAS [MATRiX] (c) 2000
On the first of every month, it hides all icons on the desktop, adding the value "1" to the key "HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Policies\Explorer No Desktop"
There are several variants of Dammit. In addition to another 1,537 byte variant, there are also two 1,647 byte variants definitely created by Ultras. Three others are similar to Dammit, but do not have any indication of where they come from. They are 1,624, 1,628 and 1,796 bytes long.
Ultras. Matrix Zine Issue 2, Dammit Source Code. 2000
T-2000. Coderz zine #2, Interview with Ultras. 2001