| Diamond | |
|---|---|
| Type | File virus |
| Creator | Dark Avenger |
| Date Discovered | 1989 |
| Place of Origin | Bulgaria |
| Source Language | Assembly |
| Platform | DOS |
| Infection Length | 1,024 bytes |
| Reported Costs | |
Diamond is a virus from Bulgaria believed to have been coded by Dark Avenger. It shares many similarities with Eddie, Dark Avenger's first work, as well as with Murphy, another virus from the same country. It may also be related to a family of Soviet viruses named Alfa.
Behavior
When a program infected with Diamond is executed, the virus installs itself in memory, taking up 1,072 bytes. It checks for any programs monitoring interrupts 1 or 3 (the single-step and breakpoint interrupts used by debuggers); if it finds any, every program run afterwards will hang the system and the virus will not replicate. If no program is monitoring those interrupts, the virus appends itself to any program as it is run, provided the program is less than 1,024 bytes. It avoids COMMAND.COM.
The virus contains a text string that makes it easy to identify and looks a bit like a phone number: "7106286813".
Variants
Diamond has many variants that are not significantly different from the original. A few have a malicious payload. The Sathanyk and David variants of Murphy are sometimes also considered variants of Diamond.
The second variant (Diamond.1024.B) avoids certain antivirus products.
Rock Steady
This variant is 666 bytes long, is also known as "Rocko", and can be identified by the text "Rock Steady". It was first discovered in Montreal, Canada. On the 13th of any month it does not go memory resident. Instead, it formats the first 1 to 10 sectors of the first hard drive, then overwrites the first 32 sectors of drive C: with garbage, then reboots the machine.
When infecting a file, Rock Steady checks whether it is less than 666 bytes (for any file) or over 64,358 bytes (for .com files only). The virus checks whether the file begins with the letters "MZ" or "ZM" (indicating an .exe file) and rearranges any "ZM" to "MZ". It sets the time stamp's seconds value to 60 and subtracts its own length of 666 bytes from the size of the infected file.
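The identification strings listed in this article (the "7106286813" number from the Behavior section and the texts named for the variants) and the Rock Steady markers described just above (the out-of-range seconds value and the 666-byte size adjustment) are all things a scanner can check for. The following is an added example, not code from the original page or from any antivirus product. It assumes that "seconds value 60" refers to the seconds field of the DOS (FAT) file time stamp, whose 2-second resolution makes 60 an impossible value for a normal file, and that size stealth can be exposed by comparing the length DOS reported while the virus may have been resident against the length read after a clean boot. The file images below are constructed and contain only the documented marker strings, not virus code.

```python
"""Indicator-based triage of DOS executables using the identification strings
and infection markers documented for the Diamond family.
Added example; not code from the original page. Sample file images below are
constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import List, Optional

# Identification strings quoted on the page, mapped to the variant they mark.
SIGNATURES = {
    b"7106286813": "Diamond (original)",
    b"9090909090": "Diamond 444/465-byte variants",
    b"Rock Steady": "Rock Steady (Rocko)",
    b"DAMAGE": "Damage",
    b"Jump for joy!!!": "Damage sub-variant",
    b"Lucifer (C) by C.J.": "Lucifer",
    b"greemlin": "Greemlin",
}

ROCK_STEADY_LENGTH = 666        # bytes the variant adds to a file
ROCK_STEADY_COM_LIMIT = 64_358  # .COM files above this size are skipped


def fat_time_seconds(dos_time: int) -> int:
    """Decode the seconds field of a 16-bit FAT time word.

    Bits 0-4 hold seconds/2, so a legitimate file has a raw value of 0..29
    (0..58 s). A raw value of 30 decodes to 60 s, which DOS never writes.
    Assumption: the "seconds value 60" described for Rock Steady is this
    field, used as an already-infected marker.
    """
    return (dos_time & 0x1F) * 2


def rock_steady_in_scope(size: int, is_com: bool) -> bool:
    """Size rules from the page: files under 666 bytes are skipped, as are
    .COM files over 64,358 bytes. Useful for prioritising which files on a
    suspect disk to examine first."""
    if size < ROCK_STEADY_LENGTH:
        return False
    if is_com and size > ROCK_STEADY_COM_LIMIT:
        return False
    return True


@dataclass
class ScanResult:
    name: str
    size: int
    exe_signature: Optional[str]   # "MZ", "ZM", or None for a .COM-style image
    seconds_marker: bool           # time stamp seconds decode to 60
    hidden_bytes: int              # actual length minus the length DOS reported
    matches: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.matches) or self.seconds_marker or self.hidden_bytes > 0


def scan(name: str, data: bytes, dos_time: int,
         reported_size: Optional[int] = None) -> ScanResult:
    """Scan one file image. reported_size is the length DOS showed while the
    virus may have been resident; the actual length comes from the bytes read
    after a clean boot (assumed method for exposing the 666-byte stealth)."""
    header = data[:2]
    sig = header.decode("ascii") if header in (b"MZ", b"ZM") else None
    actual = len(data)
    hidden = actual - reported_size if reported_size is not None else 0
    result = ScanResult(
        name=name, size=actual, exe_signature=sig,
        seconds_marker=fat_time_seconds(dos_time) >= 60,
        hidden_bytes=max(hidden, 0),
    )
    for marker, label in SIGNATURES.items():
        if marker in data:
            result.matches.append(label)
    return result


def fat_time(hours: int, minutes: int, raw_seconds: int) -> int:
    """Build a FAT time word (hours<<11 | minutes<<5 | seconds/2)."""
    return (hours << 11) | (minutes << 5) | raw_seconds


# Constructed samples (name, image, FAT time word, size DOS reported or None).
SAMPLES = [
    ("hello.com", b"\xe9\x10\x00" + b"\x90" * 16 + b"7106286813" + b"\x00" * 700,
     fat_time(9, 30, 0), None),
    ("tool.exe", b"ZM" + b"\x00" * 1000, fat_time(14, 59, 30), None),
    ("util.exe", b"MZ" + b"\x00" * 2000, fat_time(8, 0, 5), 2002 - ROCK_STEADY_LENGTH),
    ("clean.com", b"\xb4\x4c\xcd\x21" + b"\x00" * 500, fat_time(12, 0, 0), None),
]


def triage(samples=SAMPLES) -> List[ScanResult]:
    """Scan every sample and return the results in order."""
    return [scan(n, d, t, r) for n, d, t, r in samples]


if __name__ == "__main__":
    for r in triage():
        print(f"{r.name:10} size={r.size:5} sig={r.exe_signature} "
              f"sec60={r.seconds_marker} hidden={r.hidden_bytes} "
              f"matches={r.matches} suspicious={r.suspicious}")
```

The three checks are independent on purpose: the string match catches the original and the named variants, the time stamp check catches a Rock Steady infection even if the text were altered, and the size comparison only works when the same files can be measured from a clean boot, which is how the 666-byte discrepancy described above becomes visible.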
David
David, sometimes referred to as the "Ah" virus, is 1,173 bytes long. It is believed to come from Italy and was first discovered in May 1991. Its one sub-variant was discovered in October 1992. The first variant appears to be unable to infect .exe files, but the sub-variant fixes this. This variant causes frequent system hangs when executed from a .com file, and it does not avoid COMMAND.COM. It displays a bouncing PingPong-style ball. If an infected .exe file is run on a Tuesday, it tries to format the drives. This variant also contains some text:
(C) David Grant Virus Research 1991 PCVRF Disribuite this virus
freely!!!...ah...John...Fuck You!
It has many similarities to the Murphy virus, and some products describe it as a variant of Murphy rather than of Diamond.
Damage
Damage is a 1,063-byte variant with a 1,110-byte sub-variant. It is also from Italy and was probably coded by the same person as David. The first was also discovered in May 1991. Unlike the original, it infects COMMAND.COM. It only infects files over 1,000 bytes. When the system time is 14:59:53, it displays a multi-color diamond that splits into smaller diamonds, which move around the screen wiping characters off. It may also format a section of the hard drive. Damage can be identified by the text "DAMAGE" in the virus body. Its sub-variant contains the text "Jump for joy!!!".
Lucifer
Lucifer is yet another variant originating in Italy, appearing in May 1991. It infects files over 2 kilobytes long, including COMMAND.COM, and is 1,086 bytes long. It gets its name from the text "Lucifer (C) by C.J." contained in the virus body. If the target file's time stamp was 12:00 AM before infection, the file disappears altogether after infection.
Greemlin
Greemlin is 1,146 bytes long and gets its name from the text "greemlin" in its body. Its place of origin is uncertain, but it also appeared in May 1991. Like most other variants, and unlike the original, it does not avoid COMMAND.COM. This variant slows the system down by about 10%. On the 14th of July of any year, it overwrites some sectors of drives A:, B:, and C:.
Other Variants
The 444- and 465-byte variants both contain the number "9090909090" in place of "7106286813". These two, along with the 485-, 584- and 594-byte variants, do not check whether they have already infected a file and therefore reinfect some files. Variants of 620 bytes and smaller cause an "EXEC failure" when they try to infect files.
Origin
Diamond is almost certainly from Bulgaria, and source code indicates that an early variant was completed in the summer of 1989. It is definitely in the style of a Dark Avenger virus, though it is not certain that it comes from Dark Avenger himself.
Other Facts
The number "7106286813" contained in some of the virus bodies looks like a North American phone number. The first three digits, "710", would be an area code that was not tied to a specific area but reserved for special purposes. It is unknown what the number means or whether it has any relation to the virus; the area code in question has only one number associated with it, which is not the one contained in the virus.
Sources
F-Secure Antivirus. Threat Description, Diamond.
Patricia Hoffman. Online VSUM, V1024 Virus.
Patricia Hoffman. Online VSUM, Diamond Virus.
Patricia Hoffman. Online VSUM, Ah Virus.
Patricia Hoffman. Online VSUM, Rocko Virus.
Patricia Hoffman. Online VSUM, Damage Virus.
Patricia Hoffman. Online VSUM, Lucifer Virus.
Patricia Hoffman. Online VSUM, Gremlin Virus.
Diamond Source Code