5lo


Virus.DOS.5lo.1024 is a memory resident parasitic DOS virus.

Behavior

When the virus is loaded into memory, it first infects the first 3 uninfected EXE files, then hooks INT 21h to infect other files. When the user runs a file, the virus infects the first 2 uninfected files, so the file that the user just ran might not be infected. The timestamp of each infected file is changed to the time of infection.

Not every file is infected by the virus, and the infection size varies between files.

After these infections, a counter within the virus starts. However, this counter is never checked, so the virus will not activate.

The virus ties itself to the operating system during installation so that it cannot be discovered by running MEM, but the total free system memory will decrease by about 2K.

During infection, the virus also changes the field at offset 0Ch in the MZ header to FFAAh. The virus detects its own presence in memory by calling INT 21h with AX=3521h, which it has hooked. All the checks work correctly: the virus won't infect files multiple times, and it installs itself into memory only once.

Memory usage

The exact memory usage is 2,064 bytes.

Other details

The virus contains the internal text strings:

92.05.24.5lo.2.23MZ
????????EXE

Additionally, it also contains the filename of the infected file.
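A defender-side check for the on-disk indicators described above (the FFAAh value at MZ header offset 0Ch and the internal text strings), as an added example that is not part of the original article. The function names and sample file images are constructed for illustration, and the code assumes the header field is stored as a little-endian 16-bit word, as MZ header fields are.

```python
import struct

# Indicators taken from the article text.
MARKER_OFFSET = 0x0C      # MZ header field the virus overwrites
MARKER_VALUE = 0xFFAA     # value written during infection
VIRUS_STRINGS = (b"92.05.24.5lo.2.23MZ", b"????????EXE")


def check_5lo(data: bytes) -> dict:
    """Report which of the article's 5lo indicators appear in a file image."""
    result = {"is_mz": False, "header_marker": False, "strings": []}
    # A minimal MZ header is 0x1C bytes; shorter input cannot be a DOS EXE.
    if len(data) < 0x1C or data[:2] != b"MZ":
        return result
    result["is_mz"] = True
    # Assumption: the field is a little-endian 16-bit word.
    (field_0c,) = struct.unpack_from("<H", data, MARKER_OFFSET)
    result["header_marker"] = field_0c == MARKER_VALUE
    result["strings"] = [s.decode("ascii") for s in VIRUS_STRINGS if s in data]
    return result


def verdict(data: bytes) -> str:
    """Combine the indicators: both kinds present is a much stronger signal."""
    r = check_5lo(data)
    if not r["is_mz"]:
        return "not-exe"
    if r["header_marker"] and r["strings"]:
        return "likely-infected"
    if r["header_marker"] or r["strings"]:
        return "suspicious"
    return "clean"


def sample_exe(field_0c: int, tail: bytes = b"") -> bytes:
    """Constructed sample: a bare 28-byte MZ header plus optional tail bytes."""
    header = bytearray(0x1C)
    header[0:2] = b"MZ"
    struct.pack_into("<H", header, MARKER_OFFSET, field_0c)
    return bytes(header) + tail


if __name__ == "__main__":
    for img in (sample_exe(0xFFFF), sample_exe(0xFFAA),
                sample_exe(0xFFAA, b"92.05.24.5lo.2.23MZ")):
        print(verdict(img), check_5lo(img))
```

The header value alone can occur in a clean file, so a single indicator is reported only as suspicious.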
