minimal-minimal

Darth Vader

Darth Vader

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: File Infector
  • Protection Added: 1991-05-15

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5400.1158

File Length

200-345 Bytes

Description Added

1991-05-15

Description Modified

1991-05-15

Malware Proliferation

fpo-ti-severity-legend logo-new-mcafee
Darth Vader is an overwriting, memory resident, file infecting virus. It infects .COM files. Darth Vader is part of a family of four viruses which are very similar.

Upon infection, Darth Vader becomes memory resident. Later, as .COM files are copied, the target .COM file may become infected.

Darth Vader viruses do not perform any malicious damage, though infected files are usually damaged and do not execute properly.

Additional Comments:
The Darth Vader viruses were received in May, 1991 from Bulgaria. Darth Vader is actually a family of four viruses which are very similar. All of these viruses are memory resident overwriting viruses which only infect .COM programs when they are copied. When a program infected with a Darth Vader virus is executed, Darth Vader will install itself memory resident. Latter, as .COM programs are copied, the target .COM program may become infected. Depending on the particular Darth Vader virus, the target program may have either the beginning of the program overwritten, or an area of hex 00 characters overwritten by the virus. There will be no increase in file size in the disk directory, and the program's date and time will not be altered. Darth Vader viruses do not perform any malicious damage, though infected programs are usually damaged and will not execute properly. Known variant(s) of Dark Avenger are:

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.
Depending on the particular Darth Vader virus, the target file may have either the beginning of the file overwritten, or an area of hex 00 characters overwritten by the virus. There is no increase in file size in the disk directory, and the file's date and time are not altered.