Dammit
Type: File virus
Creator: Ultras
Date Discovered: 2000.08.11
Place of Origin: Moscow, Russia
Source Language: Assembly
Platform: MS Windows
File Type(s): .exe
Infection Length: 1537 bytes

Dammit is a Windows 9x file virus coded in Russia by Ultras. It appeared in the 2nd issue of the Matrix magazine.

Behavior

When Dammit is executed, it loads itself into memory. When an .exe file is loaded, Dammit infects it, appending its code to the file. It avoids files with the following strings in their names:

  • AVP
  • _AVP
  • NAV
  • TB
  • F-
  • WEB
  • PAV
  • GUARDDOG
  • DRW
  • SPIDER
  • DSAV
  • NOD
  • MTX
  • MATRIX
  • WINICE
  • FDISK
  • SCAN
  • DEFRAG

In addition to avoiding these files, the virus has a few techniques to avoid detection. It removes the antivirus VxD drivers of AVP and Spider antivirus. It also avoids being found in Microsoft's Soft-Ice debugger.

The following text can be found in the virus body:

DAMMiT by ULTRAS [MATRiX]
(c) 2000
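
An added example, not code from the original page or from any antivirus vendor: a signature check that looks for the marker text above in the tail of .exe files, where appended code would sit. It assumes the marker is stored unencrypted in infected files and that the appended body ends the file; the function names are hypothetical, and the sizes are the variant lengths this page lists.

```python
import os
import sys

# Marker text quoted on this page; sizes are the variant lengths the page lists.
MARKER = b"DAMMiT by ULTRAS [MATRiX]"
KNOWN_LENGTHS = (1537, 1624, 1628, 1647, 1796)
TAIL_WINDOW = max(KNOWN_LENGTHS)  # appended code should lie within this many bytes of EOF

def scan_bytes(data: bytes) -> dict:
    """Classify one file image: is it an MZ executable, and where is the marker?"""
    result = {"is_exe": data[:2] == b"MZ", "marker_offset": -1, "in_tail": False}
    if not result["is_exe"]:
        return result
    offset = data.rfind(MARKER)
    result["marker_offset"] = offset
    # A hit inside the last TAIL_WINDOW bytes is consistent with appended code.
    # A hit elsewhere may be a write-up, a sample archive or a scanner database.
    result["in_tail"] = offset >= 0 and offset >= len(data) - TAIL_WINDOW
    return result

def scan_tree(root: str):
    """Yield (path, result) for every .exe under root that contains the marker."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    res = scan_bytes(fh.read())
            except OSError:
                continue  # unreadable or locked file: skip it
            if res["marker_offset"] >= 0:
                yield path, res

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, res in scan_tree(root):
        where = "file tail" if res["in_tail"] else "file body, review manually"
        print(f"{path}: marker at offset {res['marker_offset']} ({where})")
```

A tail hit is a lead for further analysis rather than proof of infection, and a variant that does not carry this text will not match.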

On the first of every month, it hides all icons on the desktop, adding the value "1" to the key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer No Desktop".

Variants

There are several variants of Dammit. In addition to another 1,537 byte variant, there are also two 1,647 byte variants definitely created by Ultras. Three others are similar to Dammit, but do not have any indication of where they come from. They are 1,624, 1,628 and 1,796 bytes long.
