A tunneling virus is any virus that gets installed before an antivirus can detect it. It executes without alerting the sensors of the operating system (OS) to avoid antivirus detection.

A tunneling virus disables a computer’s interception programs. While some antivirus solutions can detect the malicious code, they can’t stop this type of virus from getting installed. More advanced antivirus programs that employ tunneling strategies may be the only ones capable of detecting and preventing the execution of a tunneling virus.

You can compare a tunneling virus to thieves entering an establishment via the sewer system, so they don’t have to deal with alarms.

Viruses usually employ tunneling strategies to find a way around antivirus solutions. Many launch in the basic input/output system (BIOS) that runs even before the OS. That results in an ongoing battle between the tunneling virus and the antivirus solution that ultimately crashes the OS. 

What Are Some of the Most Notable Tunneling Viruses?

We have seen many tunneling viruses over the years. Three of the most popular are listed below.

Eddie Virus

Eddie is a memory-resident (stays in the system and runs continuously) tunneling virus that originated in Bulgaria. It was created by Dark Avenger and wreaked havoc from the late 1980s to the 1990s. That’s why Eddie is also known as “Dark Avenger virus” or “Dark_Avenger.1800.A.”

Eddie is one of the first viruses from Bulgaria that spread far and wide, reaching users in the U.S., West Germany, and Russia. It is never idle as it remains in the background and awaits commands. It commonly infects .exe and .com files.

Dark Avenger made two additional variants of Eddie, namely:

  • Eddie.V2000: This variant contained the text string “Copy me – I want to travel” and “(c) 1989 by Vesselin Bontchev.”
  • Eddie.V2100: This variant, meanwhile, had the strings “Eddie lives,” “(c) 1990 by Vesselin Bontchev,” and “Eddie.”

Frodo Virus

The most advanced memory-resident tunneling virus is probably the Frodo virus. It can evade detection efficiently. It spreads to .exe and .com files, turning them memory-resident as well for 100 years. It also has the potential to corrupt other files.

Users of infected systems can see how many of their files are Frodo-infected by looking at the directory. And should they decide to reboot, they’ll see “FRODO LIVES!” on their screens.

Bulgarian Yankee_Doodle Virus

The Bulgarian Yankee_Doodle virus, like Eddie, originated in Bulgaria. It was created by TP, the same person behind the Vacsina virus. As such, it has similarities with Vacsina. Some even consider it a Vacsina variant, which causes infected systems to give off a beeping tone.

When the Bulgarian Yankee_Doodle virus is executed, it plays “Yankee Doodle” every day at 17:00. That’s why it also came to be known as the “five o’clock virus” and “TP44VIR.”


Tunneling viruses can be disruptive. But updating your antivirus solution to a version with its own tunneling capability can easily mitigate their effects.