FANDOM


Virus.DOS.Accept is a very dangerous memory resident parasitic encrypted virus on DOS.

There are 2 variants:

  • Virus.DOS.Accept.3619
  • Virus.DOS.Accept.3773

Behavior

When the virus is loaded into memory, it infects first 4 uninfected executable in both DOS and EXE formats, i.e. 8 files, followed by hooking INT 21h and 7Eh to infect any executable that is run, plus 3 extra files, i.e. the virus infects 4 files on every run.

If the file to be run has been already infected, the virus searches for other 4 uninfected files in same format to infect.

Both variants check and ignore files having any of the names below:

COMMAND SCAN CLEAN NAV CPAV BOOTSAFE

Accept.3619

This variant also ignores files having the filename:

VSHIELD

Accept.3773

This variant also ignores files having any of the filenames:

VSAFE MAVGUARD SHVGUARD VIRTEST VCARE DAILY DISKPART

Advanced details

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Accept.3619 8,224
Accept.3773 8,384

MD5 hash:

Variant Hash
Accept.3619 46722dd264b46e5a005d381703c30c42
Accept.3773 51853407faa32bd185777ae06f4ae74b

Payload

Both variants activate on March 28th and December 20th.

When an infected program is run on any of these days, the virus corrupts the disk sectors and crash the system.

Other details

Both variants contain the encrypted internal text strings:

*.COM
*.EXE
747
ME PERDI A ACCEPT, SOY UN PELOTUDO

Accept.3619 also contains the encrypted internal text strings:

COMMANDSCANCLEANVSHIELDNAVCPAVBOOTSAFE

Accept.3773 also contains the encrypted internal text strings:

COMMANDSCANCLEANNAVCPAVBOOTSAFEVSAFEIBMAVSHVGUARDVIRTESTVCAREDAILYDISKPART

References

  1. List of variants of the Accept virus on VX Heaven