Virus.DOS.CMOSDead is an extremely dangerous memory resident encrypted virus on DOS.

There are 5 variants having 2 different aliases:

  • Virus.DOS.CMOSDead.4792
  • Virus.DOS.CMOSDead.5154
  • Virus.DOS.ILoveDos.3618
  • Virus.DOS.ILoveDos.3622
  • Virus.DOS.ILoveDos.3710


When the virus is loaded into memory, it hooks INT 21h to infect any executable that is run by writing itself to the end of the file. The virus does not infect files that are smaller than or equal to 4,000 bytes.

On infection, the virus places the first 32 bytes of the original code to the end of the viral code, and places its own code into there. It also places the value of offset of the viral code (or the original size of the host) at the end of the file, having a size of 4 bytes.

For example, the size of the host is 10,000 (or 2710h) bytes, then the data of these bytes would be:

10 27 00 00

The virus behaves stealthily so that there is no observable file size increase on infected programs. The user will unable to find the infection code within the file even using "type" to show contents, if the user attempts to copy an infected file, the virus disinfects the new one before placing it to the new distinction, but still detectable by comparing the checksums.

CMOSDead.4792 and 5154

These variants search and infect an uninfected COMMAND.COM when an infected program is run, and the system may fail to recognize the infected COMMAND on next start due to the modification of the file head.

ILoveDos.3618, 3622 and 3710

These variants may change the year value of the timestamp on infection if the file is last modified after 2000.

For files having the timestamp ranging from 2000 to 2007, the virus modify it to 1999 on infection. However on file listing, their timestamp remains unchanged as long as the virus stays memory resident.

For those having the timestamp on or after 2008, the virus would modify it by rolling back 28 years on infection, but it would be unable to hide its infection size from these files.

Here is an example for better understanding, using ILoveDos.3618.

Before infection:

FILE1.COM        5,000  2-1-1997
FILE2.COM        5,000  2-1-2001
FILE3.COM        5,000  2-1-2006
FILE4.COM        5,000  2-1-2008
FILE5.COM        5,000  2-1-2010

After infection (virus not in memory):

FILE1.COM        8,618  2-1-1997
FILE2.COM        8,618  2-1-1999
FILE3.COM        8,618  2-1-1999
FILE4.COM        8,618  2-1-1980
FILE5.COM        8,618  2-1-1982

After infection (virus stays in memory):

FILE1.COM        5,000  2-1-1997
FILE2.COM        5,000  2-1-2001
FILE3.COM        5,000  2-1-2006
FILE4.COM        8,618  2-1-1980
FILE5.COM        8,618  2-1-1982

Advanced details

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
CMOSDead.4792 5,072
CMOSDead.5154 5,440

MD5 hash:

Variant Hash
CMOSDead.4792 1924ea4f30b798a4ca0c6aeb42ac2585
CMOSDead.5154 8fcf447c5614fc9843b39dfadd5db27c


The virus contains two payloads.


ILoveDos variants do not feature this payload.

If the user tries to debug an infected file by running it (command P), after a number of processes it clears the screen and displays the following at the center of the screen:


It also hangs the system, and disables the keyboard input.

Data corruption

Depend on the system date, the virus activates by random.

When activated, it displays a flashing ASCII art of words, "CMOS" at the top of the screen and "DEAD" at the bottom of the screen in red. A phrase is also displayed at the center, with random frequency of beeps. While running this payload on processor speeds contemporary with the time the virus was coded results in a fairly standard series of beeps, running it at faster process speeds results in the sound being 'replaced' with that of an unusual and frightening noise which has been described as 'screeching' or 'shrieking' in tone.

CMOSDead.4792 displays the following:


CMOSDead.5154 displays the following:

Your computer will be need a psychiatrist...

During this visually frightening payload, the virus corrupts the data in CMOS; the user must have to set them again on next boot.

After the payload has been triggered, when the user attempts to restart the computer by pressing CTRL-ALT-DEL, the virus would also format the hard drive.

Other details

The audible output of the payload has no delay parameter set, so the beeping speed depends on the CPU clock rate. When the payload of the virus is being run on a slow computer, it will show its "true sound" it was meant for, but on an overclocked environment of DOS such as Virtual PC, the payload would become extremely loud, so it is recommended to lower the system volume before testing the sample if attempting on a faster computer.

The virus contains the encrypted internal text strings:

I love MS-DOS !


  1. List of variants of the CMOSDead virus on VX Heaven
  2. List of variants of the ILoveDos virus on VX Heaven


CMOSDead DOS Virus

CMOSDead DOS Virus

CMOSDead virus review by danooct1



CMOSDead virus review by Alles Sandro