Damnei is a .NET virus created by DiA. Much information on this virus has been lost.

Behavior

The source code for Damnei is contained as a resource in the binary. When executed, this resource is read and dropped to the disk and then the resource is executed. This temporary host will be deleted after termination.

Damnei searches for all .exe files in the current directory. It checks if each file is a .NET application and for an infection marker. If the file meats this criterea, it copies the files to [original filename].res, deletes the original file, and compiles the virus into the name of the victim file. After compilation, the virus adds its infection markerin the PE header. If there is any error, the temporary resource file is copied back, leaving the file uninfected.

Origin

Damnei was coded in Germany by DiA. Though the virus does not appear in any preserved versions of Ready Rangers Liberation Front magazine, DiA's .NET activities begin in 2006, making it a little easier to put a date on this virus. DiA began working in .NET and its languages like C# because he was getting bored with C++. DiA did publish an article on .NET infection in a 2006 issue of RRLF magazine.

Sources

DiA. Ready Rangers Liberation Front, Using the .NET runtime compiler for file infection. 2006