PE_DAMMIT.1537

Malware type: File infector

Aliases: Virus.Win32.Damm.1537.a (Kaspersky), W95/Damm.gen (McAfee), W95.Dammit.Gen (Symantec), W95/Damn-1537.B (Avira), W98/Dammit-1537 (Sophos), Virus:Win95/Damm.1537 (Microsoft)

In the wild: Yes

Destructive: No

Language: Unknown

Platform: Windows 95, 98, NT

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Medium

Distribution potential:

Low

Description: 

This file infector appends its code to .EXE files when they are opened.

It avoids infecting files whose names start with any of the following text strings:

  • _AVP
  • AVP
  • DEFRAG
  • DRW
  • DSAV
  • F-
  • FDISK
  • GUARDDOG
  • MATRIX
  • MTX
  • NAV
  • NOD
  • PAV
  • SCAN
  • SPIDER
  • TB
  • WEB
  • WINICE

On the first day of every month, it hides the infected system's desktop icons by creating an entry in the system's registry.

Description created: Nov. 6, 2000 12:16:12 PM GMT -0800
Description updated: Jun. 19, 2005 2:00:05 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 1,537 Bytes

Ports used: None

Initial samples received on: Jun 20, 2005

Details:

This RING 0 memory-resident file infector appends its malicious code to .EXE files when they are opened.

It avoids infecting files whose names start with any of the following text strings:

  • _AVP
  • AVP
  • DEFRAG
  • DRW
  • DSAV
  • F-
  • FDISK
  • GUARDDOG
  • MATRIX
  • MTX
  • NAV
  • NOD
  • PAV
  • SCAN
  • SPIDER
  • TB
  • WEB
  • WINICE

On the first day of every month, it hides the infected system's desktop icons by creating the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
No Desktop = "1"

Analysis By: Marc Sison


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.695.00

Pattern release date: Jun 19, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

Editing the Registry

This malware modifies the system's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0

Restoring Modified Registry Entries

If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
     HKEY_CURRENT_USER>Software>Microsoft>Windows>
     CurrentVersion>Policies>Explorer
  3. In the right panel, locate and delete the entry:
     No Desktop = 1
  4. Close Registry Editor.
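As an added example that is not part of the Trend Micro write-up, the following PowerShell script performs the same lookup and removal on a current Windows system. It assumes the value may be stored under the documented Explorer policy name "NoDesktop" as well as the spelling "No Desktop" shown above, and it only handles the registry payload; infected .EXE files still need to be cleaned by the scanner.

```powershell
# Added example (not the vendor's own code): detect and remove the Explorer
# policy value that PE_DAMMIT.1537 writes on the first of the month.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Assumption: check both the documented policy name and the spelling printed
# in the description above.
$names = @('NoDesktop', 'No Desktop')

if (-not (Test-Path $key)) {
    Write-Output "Policy key not present; the registry payload may not have run yet."
    return
}

$item  = Get-ItemProperty -Path $key
$found = $false
foreach ($n in $names) {
    if ($null -ne $item.$n) {
        $found = $true
        Write-Output ("Found '{0}' = {1} under {2}" -f $n, $item.$n, $key)
        Remove-ItemProperty -Path $key -Name $n
        Write-Output "Removed '$n'. Log off and on again (or restart Explorer) to restore desktop icons."
    }
}

if (-not $found) {
    Write-Output "No desktop-hiding policy value found; proceed to scanning for infected files."
}
```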

Running Trend Micro Antivirus

Systems infected with this malware can be cleaned by simply scanning for and cleaning files detected as PE_DAMMIT.1537. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.
