FANDOM


Virus.DOS.Abraxas, also known as Abraxas-5, is a dangerous file overwriting virus on DOS.

There are 7 variants in 3 versions, represented by the following:

  • Virus.DOS.Abraxas.1170
  • Virus.DOS.Abraxas.1214
  • Virus.DOS.Abraxas.1881

There are additional 2 variants which also belong to this family.

Behavior

This family of viruses uses file replacement overwriting technique to infect files, and they are not recoverable.

Abraxas.1170, 1171, 1200 and 1214

When the virus is run, the virus infects C:\DOS\DOSSHELL.COM, if no such file is found, the virus creates the file. The virus also overwrites an EXE executable in the current directory and copy this infected file to the parent directory for further spreading.

Abraxas.1214 infects C:\COMMAND.COM instead of DOSSHELL.COM.

The timestamp of the infected file will be the time of infection.

After an infection, the virus changes the current directory to one upper level.

Abraxas.1304

This is a memory resident variant. Due to some programming faults, the virus installs itself into memory without infecting any file after first run. It would infect files on second run and so on.

After an infection, the virus changes the current directory to one upper level, a copy of the infected EXE file also appears in the parent directory.

Abraxas.1881

This variant is slightly different to the others, see Brain.

Memory usage

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Abraxas.1170 Non-TSR
Abraxas.1171 Non-TSR
Abraxas.1200 (A and B) Non-TSR
Abraxas.1214 Non-TSR
Abraxas.1304 1,696
Abraxas.1881 ?

Payload

Abraxas.1170, 1171, 1200 and 1304

When an infected program is run, the virus plays an ascending scale from the system speaker, followed by displaying the following text in ASCII art:

ABRAXAS

For Abraxas.1200.b, the display of the ASCII art is corrupted.

For Abraxas.1304, due to some programming faults, the audible payload is not triggered on first run, but would display the ASCII art twice. On second run and so on, the virus would play the scale but no ASCII art will be displayed.

Abraxas.1214

This variant plays a tune which is similar to Burma and displays an indecent ASCII image.

Variants

This family has 9 variants in total:

  • Virus.DOS.Abraxas.1170
  • Virus.DOS.Abraxas.1171
  • Virus.DOS.Abraxas.1200 (A and B)
  • Virus.DOS.Abraxas.1214
  • Virus.DOS.Abraxas.1304
  • Virus.DOS.Abraxas.1881
  • Virus.DOS.Abraxas.Cleton (2 variants)

Also, there are more than 20 viruses have appeared which have clearly been produced with the PS-MPC:

Other details

Abraxas was created with the PS-MPC virus creation tool, which can be used to create similar, easily detected viruses, which are usually encrypted as well.

The name "Abraxas" was used for a virus in the game Evolution.

Abraxas.1881 has been identified as Brain by some antiviruses.

Abraxas.1170, 1171, 1200 and 1304 contain the internal text strings:

*.exe
c:\dos\dosshell.com
..
MS-DOS (c)1992
->>ABRAXAS-5<<--
...For he is not of this day
...Nor he of this mind

Abraxas.1214 contains the internal text strings:

*.exe
c:\command.com
..
Darkest Avenger
Isnt dedicated to Sara Gordon
Its dedicated to her GROOVE!

Abraxas.1881 contains the internal text strings:

*.exe
*.com
..

References

  1. List of variants of the Abraxas virus on VX Heaven

See also

Videos

Virus.DOS.Abraxas00:00

Virus.DOS.Abraxas.1171

Virus.DOS.Abraxas.1171

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.