|Place of Origin||Brno, Czech Republic|
|Infection Length||8,192 bytes|
When DOB is executed, it creates a separate thread for itself. This thread infects all active processes. It checks for the WINLOGON.EXE process and, if it finds it, overwrites the file SFC.DLL with itself, disabling System File Protection.
If it does not find the WINLOGON.EXE process, it hooks the CloseHandle and CreateFileW APIs. When a program is opened with a CreateFileW call, the virus disinfects the program by overwriting the viral code with zeros, then passes execution on to the API and the host. When a call is made to CloseHandle (i.e. the executable file is closed), the virus reinfects the file. This method does not always work because the virus does not account for file access permissions.
DOB overwrites the relocation section of target files. It avoids files with less than 12,835 bytes of raw data in the relocation section.
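As an added triage example (not code from the 29A article or from any vendor tool), the following Python reads a PE section table, reports whether the .reloc section meets the 12,835-byte raw-size threshold described above, and walks the IMAGE_BASE_RELOCATION block chain, which stops parsing once foreign code has been written over it. The PE builder at the end is a constructed test fixture, not a real binary.

```python
import struct

RELOC_THRESHOLD = 12_835   # DOB skips files whose relocation section has less raw data than this

def find_reloc_section(pe: bytes):
    """Return (PointerToRawData, SizeOfRawData) of the .reloc section, or None."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                 # section table follows the optional header
    for i in range(nsec):
        off = table + 40 * i
        if pe[off:off + 8].rstrip(b"\0") == b".reloc":
            raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
            return raw_ptr, raw_size
    return None

def reloc_blocks_parse(data: bytes) -> bool:
    """Walk IMAGE_BASE_RELOCATION blocks; code written over the section breaks the chain."""
    pos = 0
    while pos + 8 <= len(data):
        va, size = struct.unpack_from("<II", data, pos)
        if va == 0 and size == 0:                    # reached the section's zero padding
            return not any(data[pos:])
        if size < 8 or size % 2 or pos + size > len(data):
            return False
        for (entry,) in struct.iter_unpack("<H", data[pos + 8:pos + size]):
            if entry >> 12 > 10:                     # relocation type outside the defined range
                return False
        pos += size
    return pos == len(data)

def assess(pe: bytes) -> dict:
    """Triage verdict: is .reloc large enough to be a DOB target, and does it still hold relocations?"""
    found = find_reloc_section(pe)
    if found is None:
        return {"has_reloc": False}
    ptr, size = found
    return {"has_reloc": True, "raw_size": size, "large_enough_for_dob": size >= RELOC_THRESHOLD,
            "reloc_parses": reloc_blocks_parse(pe[ptr:ptr + size])}

# --- constructed fixtures (not real binaries): a minimal PE32 whose only section is .reloc ---
def make_reloc_blocks(nblocks: int, entries: int) -> bytes:
    """Well-formed relocation blocks: each has a page VA and `entries` HIGHLOW (type 3) entries."""
    out = b""
    for i in range(nblocks):
        body = b"".join(struct.pack("<H", (3 << 12) | (j * 4)) for j in range(entries))
        out += struct.pack("<II", 0x1000 * (i + 1), 8 + len(body)) + body
    return out

def build_pe(reloc: bytes) -> bytes:
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    file_hdr = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic, rest left zero
    sec = struct.pack("<8sIIIIIIHHI", b".reloc", len(reloc), 0x1000, len(reloc), 352, 0, 0, 0, 0, 0x42000040)
    return bytes(dos) + file_hdr + bytes(opt) + sec + reloc
```

Running `assess(build_pe(bytes(range(256)) * 51))` models a section of eligible size whose contents no longer chain as relocation blocks, the state a DOB-infected host is left in.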
The virus body contains the text strings "[Win2k.DOB], multi-process stealth project by Benny/29A".
DOB uses anti-debugging features, employing a CRC32 integrity check at the start of execution. Because a breakpoint alters the checked bytes, the checksum no longer matches and none of the code runs if a breakpoint has been set.
DOB was coded by Benny of 29A and completed by the end of summer 2001. It was featured in issue 6 of 29A Magazine. The virus contained some features Benny had wanted to use in Vulcano but had saved for later.
Benny. 29A Magazine, Issue 6, Win2k.DOB.
Trend Micro Antivirus, PE_DONNY.A.