Desperado
Type: File virus
Creator: Dr White
Date Discovered: 1993.11
Place of Origin: Malmö, Sweden
Source Language:
Platform: DOS
File Type(s): .com, .exe
Infection Length: 2,403-2,418 bytes
Reported Costs:

Desperado is a polymorphic DOS virus from Sweden.

Behavior

When Desperado is executed, it installs itself at the top of memory below the 640K DOS boundary. It takes up 6,144 bytes in memory. The virus first infects COMMAND.COM if that file has not already been infected.

While in memory, it infects .com and .exe files when they are opened or executed. The virus is appended to the end of the file. The body contains several text strings that are not visible since the virus is encrypted and polymorphic. These strings include "Dr White - Sweden 1993SWV" and "Desperado Virus - Written in Malmo…".

It avoids infecting files with the following strings in the file name, a measure to avoid antivirus products:

  • SCAN
  • CLEA
  • VSHI
  • TOOL
  • MSAV
  • CPAV
  • VSAF
  • F-PR
  • VIRS
  • TBAV
  • TBSC
  • TBCL
  • TBUT
  • -V
  • UTSC
  • UT

The virus may have problems functioning on versions of DOS that are 3.0 or below.
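Because the body is encrypted and polymorphic, the text strings are not a usable search target, but the appended length is. The following triage sketch is an added example, not code from any antivirus product or from the sources below: it compares a known-good size manifest against current sizes and flags .com and .exe files that grew by the listed infection length. It assumes the infection length equals the growth in file size; the manifests, paths and sizes are constructed for the example.

```python
import ntpath

# Values taken from the article above.
GROWTH_RANGE = range(2403, 2419)          # infection length 2,403-2,418 bytes
TARGET_EXTS = (".COM", ".EXE")
SKIP_STRINGS = ("SCAN", "CLEA", "VSHI", "TOOL", "MSAV", "CPAV", "VSAF", "F-PR",
                "VIRS", "TBAV", "TBSC", "TBCL", "TBUT", "-V", "UTSC", "UT")


def classify(path, baseline_size, current_size):
    """Return a triage label for one file given its known-good and current size."""
    name = ntpath.basename(path).upper()
    if not name.endswith(TARGET_EXTS):
        return "not-targeted"
    if current_size - baseline_size in GROWTH_RANGE:
        return "suspect"
    if any(s in name for s in SKIP_STRINGS):
        # The virus avoids these names, so an unchanged file here says
        # nothing about the state of the rest of the disk.
        return "skipped-by-virus"
    if current_size != baseline_size:
        return "changed"
    return "unchanged"


def triage(baseline, current):
    """Compare two {path: size} manifests; suspects first, COMMAND.COM on top."""
    rows = [(p, classify(p, baseline[p], current[p]))
            for p in baseline if p in current]
    order = {"suspect": 0, "changed": 1, "skipped-by-virus": 2,
             "unchanged": 3, "not-targeted": 4}
    rows.sort(key=lambda r: (order[r[1]],
                             ntpath.basename(r[0]).upper() != "COMMAND.COM",
                             r[0]))
    return rows


# Constructed sample manifests (sizes are made up for the example).
BASELINE = {r"C:\COMMAND.COM": 47845, r"C:\DOS\EDIT.COM": 413,
            r"C:\DOS\FORMAT.EXE": 22717, r"C:\AV\SCAN.EXE": 90112,
            r"C:\DOS\README.TXT": 1200}
CURRENT = {r"C:\COMMAND.COM": 47845 + 2410, r"C:\DOS\EDIT.COM": 413 + 2403,
           r"C:\DOS\FORMAT.EXE": 22717 + 5000, r"C:\AV\SCAN.EXE": 90112,
           r"C:\DOS\README.TXT": 3610}

if __name__ == "__main__":
    for path, label in triage(BASELINE, CURRENT):
        print(f"{label:17} {path}")
```

A "suspect" label is only a size match against the baseline and still needs confirmation with a scanner that detects the virus.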

Variants

The virus only produced a few variants, all with the same functionality and mostly the same size as the original.

Origin

Most antivirus products began to detect the virus in February of 1994. A note allegedly from Dr White himself suggests he created it on or around November 1993.

Sources

Patricia Hoffman. Online VSUM, Desperado Virus.

Symantec, Desperado. 2007.02.13

Dr White. Note on Desperado. 1993.11

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License