Virus.DOS.Bomber

Detect Date 01/11/2002
Class Virus
Platform DOS
Description

Technical Details


This is a harmless memory-resident polymorphic virus. It hooks INT 21h
and infects COM files, except COMMAND.COM, when they are run. It contains the
internal text messages “COMMANDER BOMBER WAS HERE” and “[DAME]”.


The characteristic feature of this infector is a new polymorphic
algorithm. Upon infection the virus reads 4096 bytes from a randomly
selected offset and writes this code to the end of the file. It then writes
its own code into this ‘hole’ and begins the polymorphic stage. The virus
contains several subroutines that generate random (but
successfully executable!) code. The virus inserts these parts of random code
at randomly chosen positions in the host file. About 90% of
all i8086 instructions are present in those parts. Each part
receives control from the previous part through JMP, CALL, RET or RET xxxx
instructions. The first part is inserted at the beginning of the file and jumps
to the next part, the next part jumps to the third, and so on. The last part returns
control to the main virus body. As a result, the infected file looks like
‘spots’ of inserted code.