Type File virus
Creator Benny
Date Discovered 2001.09.15
Place of Origin Brno, Czech Republic
Source Language Assembly
Platform MS Windows
File Type(s) .exe
Infection Length 8,192 bytes

DOB is a Windows virus coded by Benny of the group 29A. It contains some code specifically designed to work with Windows 2000.

Table of Contents


When DOB is executed, it creates a separate thread for itself. This thread infects all active processes. It checks for the process WINLOGON.EXE and if it finds it, overwrites itself to the file SFC.DLL, disabling System File Protection.

If it does not find the WINLOGON.EXE process, it hooks the API's CloseHandle and CreateFileW. When a program is opened with the CreateFileW call, the virus will disinfect the program by overwriting the viral code with zeros, then passes execution on to the API and the host. When a call is made to CloseHandle (the executable file closes) the virus reinfects the file. This method does not always work because the virus does not work around file access permissions.

DOB overwrites the relocation section of target files. It avoids files with less than 12,835 Bytes of raw data in the relocation section.

The virus body contains the text strings "[Win2k.DOB], multi-process stealth project by Benny/29A".

DOB uses anti-debugging features, employing CRC32 integrity checking the start of execution. This prevents any of the code running if a breakpoint is used.


DOB was coded by Benny of 29A and completed by the end of summer in 2001. It was featured in issue 6 of 29A Magazine. This virus contained some features Benny wanted to use in Vulcano, but saved for later.


Benny. 29A Magazine, Issue 6, Win2k.DOB.

Trend Micro Antivirus, PE_DONNY.A.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License