There are 5 variants having 2 different alias:
When the virus is loaded into memory, it hooks INT 21h to infect any executable that is run by writing itself to the end of the file. The virus does not infect files that are smaller than or equal to 4,000 bytes.
On infection, the virus places the first 32 bytes of the original code to the end of the viral code, and places its own code into there. It also places the value of offset of the viral code (or the original size of the host) at the end of the file, having a size of 4 bytes.
For example, the size of the host is 10,000 bytes, or 2710h bytes, then the data of these 4 bytes would be:
10 27 00 00
The virus behaves stealthy so that there is no observable file size increase on infected programs. The user will unable to find the infection code within the file even using "type" to show contents, if the user attempts to copy an infected file, the virus disinfects the new one before placing it to the new distinction, but still detectable by comparing the checksums.
CMOSDead.4792 and 5154Edit
These variants search and infect an uninfected COMMAND.COM when an infected program is run, and the system may fail to recognize the infected COMMAND on next start.
ILoveDos.3618, 3622 and 3710Edit
These variants may change the year value of the timestamp on infection if the file is last modified after 2000.
For files having the timestamp ranging from 2000 to 2007, the virus modify it to 1999 on infection. However on file listing, their timestamp remains unchanged as long as the virus stays memory resident.
For those having the timestamp on or after 2008, the virus would modify it by rolling back 28 years on infection, but it would be unable to hide its infection size from these files.
Here is an example for better understanding, using ILoveDos.3618.
FILE1.COM 5,000 2-1-1997 FILE2.COM 5,000 2-1-2001 FILE3.COM 5,000 2-1-2006 FILE4.COM 5,000 2-1-2008 FILE5.COM 5,000 2-1-2010
After infection (virus not in memory):
FILE1.COM 8,618 2-1-1997 FILE2.COM 8,618 2-1-1999 FILE3.COM 8,618 2-1-1999 FILE4.COM 8,618 2-1-1980 FILE5.COM 8,618 2-1-1982
After infection (virus stays in memory):
FILE1.COM 5,000 2-1-1997 FILE2.COM 5,000 2-1-2001 FILE3.COM 5,000 2-1-2006 FILE4.COM 8,618 2-1-1980 FILE5.COM 8,618 2-1-1982
The following table shows the memory usage of the variants.
|Variant||Memory usage in bytes|
The virus contains two payloads.
ILoveDos variants do not feature this payload.
If the user tries to debug an infected file by running it (command P), after a number of processes it clears the screen and displays the following at the center of the screen:
BE CAREFUL !
It also hangs the system, and disables the keyboard input.
Depend on the system date, the virus activates by random.
When activated, it displays a flashing ASCII art of words, "CMOS" at the top of the screen and "DEAD" at the bottom of the screen in red. A phrase is also displayed at the center, with random frequency of beeps. This flashing sequence can cause seizures to people who have epilepsy.
CMOSDead.4792 displays the following:
GRISOFT(c) SOFTWARE 1989,96
CMOSDead.5154 displays the following:
Your computer will be need a psychiatrist...
During this visually frightening payload, the virus corrupts the data in CMOS; the user must have to set them again on next boot.
After the payload has been triggered, when the user attempts to restart the computer by pressing CTRL-ALT-DEL, the virus would also format the hard drive.
The audible output of the payload has no delay parameter set, so the beeping speed depends on the CPU clock rate. When the payload of the virus is being run on a slow computer, it will show its "true sound" it was meant for, but on an overclocked environment of DOS such as Virtual PC, the payload would become extremely loud, so it is recommended to lower the system volume before testing the sample if attempting on a faster computer.
The virus contains the encrypted internal text strings:
IOSYS COMSPEC= EXECOM I love MS-DOS !