Desperado | |
---|---|
Type | File virus |
Creator | Dr White |
Date Discovered | 1993.11 |
Place of Origin | Malmö, Sweden |
Source Language | |
Platform | DOS |
File Type(s) | .com, .exe |
Infection Length | 2,403-2,418 bytes |
Reported Costs | |
Desperado is a polymorphic DOS virus from Sweden.
Behavior
When Desperado is executed, it installs itself at the top of memory below the 640K DOS boundary. It takes up 6,144 bytes in memory. The virus first infects COMMAND.COM if that file has not already been infected.
While in memory, it infects .com and .exe files when they are opened or executed. The virus is appended to the end of the file. The body contains several text strings that are not visible, since the virus is encrypted and polymorphic. These strings include "Dr White - Sweden 1993SWV" and "Desperado Virus - Written in Malmo…".
It avoids infecting files with the following strings in the file name, a measure to avoid antivirus products:
- SCAN
- CLEA
- VSHI
- TOOL
- MSAV
- CPAV
- VSAF
- F-PR
- VIRS
- TBAV
- TBSC
- TBCL
- TBUT
- -V
- UTSC
- UT
The virus may have problems functioning on versions of DOS that are 3.0 or below.
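Because the body is encrypted and polymorphic, the figures above (appended growth of 2,403-2,418 bytes, .com/.exe targets, the skipped name strings) are more useful for triage than the embedded text. The following is an added example, not code from any antivirus product or from the sources: it compares a known-good size inventory with a current one and flags matching growth. The function names, the sample inventories and the case-insensitive substring match on the base name are assumptions.

```python
import ntpath

# Figures taken from the page above.
INFECTION_GROWTH = range(2403, 2419)          # 2,403-2,418 bytes appended
TARGET_EXTS = (".COM", ".EXE")
SKIPPED_NAME_PARTS = (
    "SCAN", "CLEA", "VSHI", "TOOL", "MSAV", "CPAV", "VSAF", "F-PR",
    "VIRS", "TBAV", "TBSC", "TBCL", "TBUT", "-V", "UTSC", "UT",
)

def name_is_skipped(path):
    """True if the file name contains a string the virus avoids.
    Assumption: case-insensitive substring match on the base name."""
    name = ntpath.basename(path).upper()
    return any(part in name for part in SKIPPED_NAME_PARTS)

def triage(baseline, current):
    """Compare two {path: size} inventories and return
    (path, growth, verdict) for .com/.exe files that grew by the
    reported infection length."""
    findings = []
    for path in sorted(baseline):
        if path not in current or not path.upper().endswith(TARGET_EXTS):
            continue
        growth = current[path] - baseline[path]
        if growth not in INFECTION_GROWTH:
            continue
        # Growth on a name the virus is said to skip points elsewhere.
        verdict = "name-excluded" if name_is_skipped(path) else "suspect"
        findings.append((path, growth, verdict))
    return findings

# Constructed sample inventories (sizes in bytes), not real measurements.
BASELINE = {
    r"C:\COMMAND.COM": 47845, r"C:\DOS\EDIT.COM": 413,
    r"C:\DOS\FORMAT.COM": 22717, r"C:\UTIL\SCAN.EXE": 120000,
    r"C:\DOS\README.TXT": 1000,
}
CURRENT = {
    r"C:\COMMAND.COM": 50255, r"C:\DOS\EDIT.COM": 413,
    r"C:\DOS\FORMAT.COM": 25135, r"C:\UTIL\SCAN.EXE": 122405,
    r"C:\DOS\README.TXT": 3403,
}

if __name__ == "__main__":
    for path, growth, verdict in triage(BASELINE, CURRENT):
        print(f"{verdict:14} +{growth:5} {path}")
```

A "suspect" result is only a size match and still needs confirmation with a scanner; "name-excluded" marks growth on a file the virus is described as avoiding.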
Variants
The virus only produced a few variants, all with the same functionality and mostly the same size as the original.
Origin
Most antivirus products began to detect the virus in February of 1994. A note allegedly from Dr White himself suggests he created it on or around November 1993.
Sources
Patricia Hoffman. Online VSUM, Desperado Virus.
Symantec, Desperado. 2007.02.13
Dr White. Note on Desperado. 1993.11