Virus.Win9x.Darkmil.4639

tag: Executable File and Boot Viruses


This text was written by Adrian Marinescu, GeCAD software

This is a dangerous polymorphic memory resident Windows9x specific virus. It will not spread itself under any operating system other than Windows95 and Windows98 due to the mechanisms used for replication. The memory installation part is a slight variation of the method used by the infamous Win95.CIH - Darkmil patches the IDT to point to its own code, then executes an interrupt which will run the virus code under the Ring0 privilege level.

When executing an infected file, Darkmil will receive control, decrypt itself, then check if there's already another copy of it in memory. If not, it will install itself in the VxD drivers area, hook the IFS API calls, then give control back to the host program. Due to the hooked IFS, the virus code will receive control each time a file I/O operation is requested from the IFS Manager. The virus filters the OPEN, RENAME and FILEATTRIB functions. When such a service is called, it will check if the extension of the file is .EXE or .SCR and infect such files. The virus also checks for .BMP and .GIF files - if such files are opened the virus will call one of its payloads.

The infection mechanism is simple but efficient - Darkmil will enlarge the last section to hold the entire virus body and the decryptor code, write its code in there, and then patch the file entry point to load the virus code first.
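The infection method described above leaves a structural trace that a scanner can check for without any signature: the entry point of an infected file lands inside its last section instead of the usual code section. The following Python is an added example written for this entry, not code from the original text or from GeCAD; it builds two constructed header-only PE32 images (a "clean" one and one whose last section has been enlarged with the entry point moved into it), parses the COFF/optional header and section table, and flags the entry-point-in-last-section condition. The section names, sizes and the enlargement amount are constructed sample values.

```python
import struct

# PE32 layout constants (from the PE/COFF specification)
DOS_HEADER_SIZE = 64
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
OPTIONAL_HEADER_SIZE_PE32 = 224
SECTION_HEADER_SIZE = 40


def build_minimal_pe32(sections, entry_rva):
    """Construct a header-only PE32 image as sample input (constructed data, not a real binary).

    sections: list of (name_bytes, virtual_address, virtual_size) tuples.
    """
    # DOS header: "MZ", padding, e_lfanew at offset 60 pointing right after the DOS header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", DOS_HEADER_SIZE)
    # COFF header: Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (executable, 32-bit)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       OPTIONAL_HEADER_SIZE_PE32, 0x0102)
    # Optional header: Magic=PE32 at offset 0, AddressOfEntryPoint at offset 16
    opt = bytearray(OPTIONAL_HEADER_SIZE_PE32)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    # Section table: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
    # Characteristics (code | executable | readable)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, vsize,
                    0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize in sections
    )
    return dos + PE_SIGNATURE + coff + bytes(opt) + table


def parse_sections(data):
    """Return (entry_rva, [(name, virtual_address, span), ...]) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    opt_off = coff_off + COFF_HEADER_SIZE
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(num_sections):
        off = sec_off + i * SECTION_HEADER_SIZE
        name, vsize, va, raw_size = struct.unpack_from("<8sIII", data, off)
        # Some linkers leave VirtualSize at 0; use the larger of the two sizes for the range
        span = max(vsize, raw_size)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, span))
    return entry_rva, sections


def entry_point_section(data):
    """Return (index, name) of the section containing AddressOfEntryPoint, or (None, None)."""
    entry_rva, sections = parse_sections(data)
    for idx, (name, va, span) in enumerate(sections):
        if va <= entry_rva < va + span:
            return idx, name
    return None, None


def entry_in_last_section(data):
    """Heuristic: entry point lies in the last section of a multi-section file."""
    _, sections = parse_sections(data)
    idx, _ = entry_point_section(data)
    return len(sections) > 1 and idx == len(sections) - 1


# Constructed sample images: a normal layout, and one whose last section has been
# enlarged with the entry point redirected into the appended region.
CLEAN = build_minimal_pe32(
    [(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x1000), (b".rsrc", 0x4000, 0x800)],
    entry_rva=0x1100)
SUSPECT = build_minimal_pe32(
    [(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x1000), (b".rsrc", 0x4000, 0x800 + 0x1300)],
    entry_rva=0x4800)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, entry_point_section(image), entry_in_last_section(image))
```

This is a heuristic, not a verdict: packers and some linkers legitimately place the entry point in a late section, so a hit should trigger closer inspection (for example, comparing the last section's size against the original file or checking whether the bytes at the entry point look like a decryptor loop) rather than an automatic detection.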

After 200 infected files the virus will display a Blue Message Box with the following text:

 DarkMillennium Project

 Copyright (C) 1999 by Clau/Ultimate Chaos
 www.ultimatechaos.org
 Greets to all VXers out there !

Using its own random number generator, Darkmil will choose a number between 1 and 10000. If this number is less than 500, Darkmil will attempt to change the RTC date in CMOS memory to 1-1-1980.

When a .BMP or .GIF image file is opened while Darkmil is memory resident, it will attempt to modify the file, reducing the RGB colour values inside the image by 5 levels, resulting in a darker image. However, this part is very buggy and often generates Windows error messages.

The following strings are included in the virus body, but not used in any way:

 DarkMillennium Project
 Copyright (C) 1999 by Clau/Ultimate Chaos
