Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Dark Paranoid

Dark Paranoid is, in a sense, another revolution in virus technology, because the virus is fully polymorphic in memory. It is a parasitic, resident, polymorphic COM and EXE infector. The code added to infected files is about 6 kilobytes long. In COM files the virus writes itself to the beginning and moves the original contents backwards; EXE files are infected in the usual way.

Because the virus is also polymorphic in memory, it cannot be found there by means of a sample. At any instant, Dark Paranoid has only one instruction decoded. After that instruction is executed, interrupt INT 01 is called; the interrupt's service routine encrypts the instruction again and decodes the next one. That instruction is executed, and the whole process is repeated. The complete virus activity is fittingly described by the string “ENGINE OF ETERNAL ENCRYPTION” located in the encrypted virus body. The INT 01 service routine is slightly different each time the virus installs itself in memory.

The virus avoids files whose names begin with the strings AV, SC, CL, GU, NO, FV, TO and TB (because those might be known anti-virus programs). It also cunningly avoids files that have a sequence of characters in alphabetic order in their names; it obviously does not want to infect “baits” set by anti-virus researchers.

The virus manifests itself by the following text string:

DaRK PARaNOiD

and by oscillation of the monitor.
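The file-name checks described above matter when preparing bait (goat) files for analysis, since a bait the virus skips yields no sample. The following sketch is an added example, not code from this Encyclopedia or from the virus; it assumes a run of three consecutive letters counts as an "alphabetic sequence" (the entry gives no length), and all function names are hypothetical.

```python
import os

# Prefixes the entry lists as avoided (possible anti-virus program names).
AVOIDED_PREFIXES = ("AV", "SC", "CL", "GU", "NO", "FV", "TO", "TB")

def longest_alpha_run(stem, consecutive=True):
    """Length of the longest run of letters in ascending alphabetic order.

    consecutive=True counts only neighbours such as A,B,C; False also
    accepts gaps such as A,C,E. The entry does not say which applies.
    """
    best = run = 0
    prev = None
    for ch in stem.upper():
        if not ("A" <= ch <= "Z"):
            run, prev = 0, None          # digits and symbols break a run
            continue
        step = ord(ch) - ord(prev) if prev else None
        ok = step == 1 if consecutive else (step is not None and step > 0)
        run = run + 1 if ok else 1
        best = max(best, run)
        prev = ch
    return best

def skip_reason(filename, min_run=3, consecutive=True):
    """Return why the described checks would skip this file, or None."""
    stem, ext = os.path.splitext(os.path.basename(filename).upper())
    if ext not in (".COM", ".EXE"):
        return "not a COM or EXE file"
    if stem.startswith(AVOIDED_PREFIXES):
        return "avoided prefix " + stem[:2]
    # Assumption: min_run=3 is a guess at the threshold, tune per observation.
    if longest_alpha_run(stem, consecutive) >= min_run:
        return "alphabetic sequence in name"
    return None

def usable_baits(names, **kw):
    """Keep only bait names that none of the described checks would skip."""
    return [n for n in names if skip_reason(n, **kw) is None]

# Constructed sample bait names, not taken from any real analysis.
CONSTRUCTED = ["ABCDEFGH.COM", "SCAN.EXE", "TBAV.EXE", "GOAT001.COM",
               "NOTES.COM", "ZYXW.EXE", "BAIT_DEF.COM", "README.TXT"]

if __name__ == "__main__":
    for name in CONSTRUCTED:
        print(f"{name:14} {skip_reason(name) or 'usable as bait'}")
```

Note that innocuous-looking names such as `NOTES.COM` or `BAIT_DEF.COM` are rejected, the first by the NO prefix and the second by the embedded run D, E, F.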

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.