Bomber (computer virus)

Last updated
Bomber
AliasesCommander Bomber
Classification Virus
Type DOS
SubtypeFile and boot infector
Point of origin Bulgaria
Author(s)Unknown

Bomber (also known as Commander Bomber) is a DOS polymorphic memory resident computer virus, known for its technique of "patchy infection". This method of infection is very similar to that which is utilised by the OneHalf computer virus.

Contrary to the usual method of infecting executables (which is to append virus body to the executable and to change the entry point), it inserts several fragments ("patches") of its code in random places inside the file. These fragments transfer control to each other using various mechanisms.

The method of infection makes the detection of the virus difficult by anti-virus programs, and it means that they would have to scan the file in its entirety in order to detect the virus.

The size of the Bomber executable is approximately 4096 bytes and contains the following text:

                                                COMMANDER BOMBER WAS HERE                                                       [DAME] [DAME]


Related Research Articles

Computer worm Standalone malware computer program that replicates itself in order to spread to other computers

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on the law of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Malware Portmanteau for malicious software

Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network. By contrast, software that causes unintentional harm due to some deficiency is typically described as a software bug. A wide variety of malware types exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper and scareware.

In computing, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact - that is, the code changes itself every time it runs, but the function of the code will not change at all. For example, 1+3 and 6-2 both achieve the same result while using different values and operations. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.

Antivirus software Computer software to defend against malicious computer viruses

Antivirus software, or antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

CIH (computer virus) Windows 9x computer virus

CIH, also known as Chernobyl or Spacefiller, is a Microsoft Windows 9x computer virus which was coded with the creators first intitial and first emerged in 1998. Its payload is highly destructive to vulnerable systems, overwriting critical information on infected system drives, and in some cases destroying the system BIOS. The virus was created by Chen Ing-hau who was a student at Tatung University in Taiwan. Sixty million computers were believed to be infected by the virus internationally, resulting in an estimated US$1 billion in commercial damages.

Abraxas, also known as Abraxas5, discovered in April 1993, is an encrypted, overwriting, file infecting computer virus which infects .COM and .EXE files, although it does not infect command.com. It does not become memory resident. Each time an infected file is executed, Abraxas infects the copy of dosshell.com located in the C:\DOS directory, as well as one EXE file in the current directory. Due to a bug in the virus, only the first EXE file in any directory is infected.

AIDS (computer virus) note

AIDS is a computer virus written in Turbo Pascal 3.01a which overwrites COM files. AIDS is the first virus known to exploit the MS-DOS "corresponding file" vulnerability. In MS-DOS, if both foo.com and foo.exe exist, then foo.com will always be executed first. Thus, by creating infected com files, AIDS code will always be executed before the intended exe code.

Win32/Simile is a metamorphic computer virus written in assembly language for Microsoft Windows. The virus was released in its most recent version in early March 2002. It was written by the virus writer "Mental Driller". Some of his previous viruses, such as Win95/Drill, have proved very challenging to detect.

ILOVEYOU, sometimes referred to as Love Bug or Love Letter for you, is a computer worm that infected over ten million Windows personal computers on and after 5 May 2000 when it started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". The latter file extension, was most often hidden by default on Windows computers of the time, leading unwitting users to think it was a normal text file. Opening the attachment activates the Visual Basic script. The worm inflicts damage on the local machine, overwriting random types of files, and sends a copy of itself to all addresses in the Windows Address Book used by Microsoft Outlook. This made it spread much faster than any other previous email worm.

Jerusalem is a logic bomb DOS virus first detected at Hebrew University of Jerusalem, in October 1987. On infection, the Jerusalem virus becomes memory resident, and then infects every executable file run, except for COMMAND.COM. COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. Executable files grow by 1,808 to 1,823 bytes each time they are infected, and are then re-infected each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.

nVIR is an obsolete computer virus which can replicate on Macintosh computers running any System version from 4.1 to OS 8. The source code to the original nVIR has been made widely available, and so numerous variants have arisen. Each variant causes somewhat different symptoms, such as: application crashes, printing errors on laser printers, slow system response time, or unpredictable system crashes. nVIR spreads through any nVIR-infected program, but due to the long period of time nVIR lies basically dormant in a host system, nVIR generally finds its way into system backups and is not detected until the first overt symptoms appear. For example, if a disk used in an infected Macintosh is removed and inserted in a second Macintosh, the other machine will become infected if any application on that disk is executed in the second machine. Further, any method used to transfer programs between Macintoshes will spread nVIR, including file transfer over a network. However, nVIR cannot spread via a print network's hardware.

Westwood is a computer virus, a variant of the Jerusalem family, discovered August 1990, in Westwood, Los Angeles, California. The virus was isolated by a UCLA engineering student who discovered it in a copy of the "speed.com" program distributed with a new motherboard. Viral infection was first indicated when an early version of Microsoft Word reported internal checksum failure and failed to run.

Alabama is a computer virus, discovered October 1989 on the campus of Hebrew University in Jerusalem.

Ontario is a family of computer virus, named after its point of isolation, the Canadian province of Ontario. This family of computer virus consists of Ontario.1024, Ontario.512 and Ontario.2048. The first variant Ontario.512 was discovered in July 1990. Because Ontario.1024 was also discovered in Ontario, it is likely that both viruses originate from within the province. By the Ontario.2048 variant, the author had adopted "Ontario" as the family's name and even included the name "Ontario-3" in the virus code.

OneHalf is a DOS-based polymorphic computer virus discovered in October 1994. It is also known as Slovak Bomber, Freelove or Explosion-II. It infects the master boot record (MBR) of the hard disk, and any files with extensions .COM, .SCR and .EXE. However, it will not infect files that have SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV or CHKDSK in the name.

CTX is a computer virus created in Spain in 1999. CTX was initially discovered as part of the Cholera worm, with which the author intentionally infected with CTX. Although the Cholera worm had the capability to send itself via email, the CTX worm quickly surpassed it in prevalence. Cholera is now considered obsolete, while CTX remains in the field, albeit with only rare discoveries.


The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

Heuristic analysis is a method employed by many computer antivirus programs designed to detect previously unknown computer viruses, as well as new variants of viruses already in the "wild".

Computer virus Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.