Malware Wiki

CMOSDead

Virus.DOS.CMOSDead is an extremely dangerous memory-resident, encrypted virus for DOS.

There are five variants, known under two different names:

  • Virus.DOS.CMOSDead.4792
  • Virus.DOS.CMOSDead.5154
  • Virus.DOS.ILoveDos.3618
  • Virus.DOS.ILoveDos.3622
  • Virus.DOS.ILoveDos.3710

Behavior

Once loaded into memory, the virus hooks INT 21h and infects any executable that is run by appending itself to the end of the file. It does not infect files of 4,000 bytes or smaller.

On infection, the virus copies the first 32 bytes of the host's original code to the end of the viral code and overwrites those 32 bytes at the start of the host with its own code. It also appends a 4-byte little-endian value holding the offset of the viral code, which is the same as the original size of the host.

For example, if the host is 10,000 (2710h) bytes long, the last four bytes of the infected file are:

10 27 00 00

The virus is stealthy: while it is memory resident there is no observable file size increase on infected programs, and the user cannot find the infection code inside the file even by displaying it with "type". If the user copies an infected file, the virus disinfects the copy before writing it to the destination. The infection is nevertheless detectable by comparing checksums against those of the known-clean file.
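The layout described above (32-byte head saved at the end of the viral code, 4-byte little-endian original size at the very end, no infection of files of 4,000 bytes or less), modelled in Python together with a detector and a disinfector that reverse it. This is an added example, not code from the page or from the virus: the viral code is a constructed placeholder, the 32-byte entry stub is an assumed 16-bit JMP for a COM host, and the mapping from appended size to variant name assumes that each variant's numeric suffix is the number of bytes it adds, as the ILoveDos.3618 listing further down shows.

```python
"""
Added example, not code from the Malware Wiki page or the virus itself: a model
of the appending-infector layout (32-byte head saved at the end of the viral
code, 4-byte little-endian original size as the trailer), with a detector and a
disinfector. The viral code is a constructed placeholder; the entry stub is an
assumed 16-bit JMP for a COM host, not a claim about the real virus.
"""
import struct

HEAD_LEN = 32            # bytes of the host head that the virus replaces and saves
TRAILER_LEN = 4          # little-endian dword: offset of the viral code == original host size
MIN_INFECT_SIZE = 4001   # files <= 4,000 bytes are not infected

# Assumption: the numeric suffix of each variant is the number of bytes it appends
# (the page's listing shows ILoveDos.3618 growing a 5,000-byte file to 8,618 bytes).
VARIANT_SIZES = {
    4792: "Virus.DOS.CMOSDead.4792",
    5154: "Virus.DOS.CMOSDead.5154",
    3618: "Virus.DOS.ILoveDos.3618",
    3622: "Virus.DOS.ILoveDos.3622",
    3710: "Virus.DOS.ILoveDos.3710",
}


def entry_stub(host_len: int) -> bytes:
    """Assumed entry code for a COM host: near JMP (E9 rel16) from offset 0 to the
    appended viral code, padded with NOPs to the 32 bytes the virus overwrites."""
    rel = (host_len - 3) & 0xFFFF          # JMP rel16 is relative to the next instruction
    return (b"\xE9" + struct.pack("<H", rel)).ljust(HEAD_LEN, b"\x90")


def infect(host: bytes, virus_code: bytes) -> bytes:
    """Build an infected image with the layout the page describes."""
    if len(host) < MIN_INFECT_SIZE:
        return host                                     # left alone, as the virus does
    saved_head = host[:HEAD_LEN]
    viral_code = virus_code + saved_head                # original head sits at the end of the viral code
    trailer = struct.pack("<I", len(host))              # offset of viral_code == original size
    return entry_stub(len(host)) + host[HEAD_LEN:] + viral_code + trailer


def identify(data: bytes):
    """Return the variant name if the trailer matches a known appended size, else None.
    Run this from a clean boot: while the virus is resident its stealth hides the size."""
    if len(data) < MIN_INFECT_SIZE + HEAD_LEN + TRAILER_LEN:
        return None
    orig_size = struct.unpack("<I", data[-TRAILER_LEN:])[0]
    if not (MIN_INFECT_SIZE <= orig_size < len(data)):
        return None
    return VARIANT_SIZES.get(len(data) - orig_size)


def disinfect(data: bytes) -> bytes:
    """Undo the infection: restore the saved 32-byte head and cut the file back to its original size."""
    if identify(data) is None:
        raise ValueError("trailer does not describe a known CMOSDead/ILoveDos infection")
    orig_size = struct.unpack("<I", data[-TRAILER_LEN:])[0]
    saved_head = data[-(TRAILER_LEN + HEAD_LEN):-TRAILER_LEN]
    return saved_head + data[HEAD_LEN:orig_size]


# Constructed sample: a 5,000-byte pseudo-host and placeholder "viral code" sized so
# that the whole addition is 3,618 bytes, matching the ILoveDos.3618 listing.
SAMPLE_HOST = bytes((i * 7 + 3) & 0xFF for i in range(5000))
PLACEHOLDER_CODE = (b"placeholder viral code, not the real virus " * 100)[:3618 - HEAD_LEN - TRAILER_LEN]

if __name__ == "__main__":
    infected = infect(SAMPLE_HOST, PLACEHOLDER_CODE)
    print(len(infected), identify(infected))     # 8618 Virus.DOS.ILoveDos.3618
    print(infected[-4:].hex(" "))                # 88 13 00 00  (5000 = 1388h)
    print(disinfect(infected) == SAMPLE_HOST)    # True
```

The trailer check alone gives false positives on files whose last four bytes happen to look like a plausible size, so a real scanner would also match the viral code itself; the page's point is that a size-based check must be made with the virus not resident, since it hides the growth and disinfects copies while it is in memory.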

CMOSDead.4792 and 5154

When an infected program is run, these variants search for an uninfected COMMAND.COM and infect it. Because the file header is modified, the system may fail to load the infected COMMAND.COM on the next boot.

ILoveDos.3618, 3622 and 3710

These variants may change the year in a file's timestamp on infection if the file was last modified in 2000 or later.

For files with a timestamp from 2000 to 2007, the virus sets the year to 1999 on infection. In directory listings, however, their timestamp (like their size) appears unchanged as long as the virus stays memory resident.

For files with a timestamp in 2008 or later, the virus rolls the year back by 28 years on infection, and it is unable to hide either the size increase or the changed year on these files, even while resident.

The following listings illustrate this with ILoveDos.3618, which adds 3,618 bytes to each host:

Before infection:

FILE1.COM        5,000  2-1-1997
FILE2.COM        5,000  2-1-2001
FILE3.COM        5,000  2-1-2006
FILE4.COM        5,000  2-1-2008
FILE5.COM        5,000  2-1-2010

After infection (virus not in memory):

FILE1.COM        8,618  2-1-1997
FILE2.COM        8,618  2-1-1999
FILE3.COM        8,618  2-1-1999
FILE4.COM        8,618  2-1-1980
FILE5.COM        8,618  2-1-1982

After infection (virus stays in memory):

FILE1.COM        5,000  2-1-1997
FILE2.COM        5,000  2-1-2001
FILE3.COM        5,000  2-1-2006
FILE4.COM        8,618  2-1-1980
FILE5.COM        8,618  2-1-1982
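The timestamp rule above applied to the packed 16-bit FAT date word that DOS stores for each file (year offset from 1980 in bits 15..9, month in bits 8..5, day in bits 4..0), together with the view a directory listing gets while the virus is resident. This is an added example, not code from the page; the entries are constructed from the listing above, and the function names are the example's own.

```python
"""
Added example, not code from the page: the ILoveDos year rule on the FAT date
word, plus the stealth view the virus presents while resident. Sample entries
are constructed from the page's listing for ILoveDos.3618.
"""

ADDED = 3618   # bytes ILoveDos.3618 appends to a host


def fat_date(year: int, month: int, day: int) -> int:
    """Pack a date the way DOS stores it in the directory entry."""
    return ((year - 1980) << 9) | (month << 5) | day


def fat_year(word: int) -> int:
    return 1980 + (word >> 9)


def stamp_on_infection(word: int) -> int:
    """Year change the virus applies to a file's date word when it infects it."""
    year = fat_year(word)
    if 2000 <= year <= 2007:
        year = 1999
    elif year >= 2008:
        year -= 28           # 2008 -> 1980: the 7-bit year field goes back to offset 0
    return fat_date(year, (word >> 5) & 0xF, word & 0x1F)


def listing(files, resident: bool):
    """Map (name, size, date_word) of clean files to (name, size, year) as a directory
    listing shows them after infection. With the virus resident, files stamped before
    2008 appear untouched; files from 2008 on show the real size and the rolled-back
    year either way."""
    rows = []
    for name, size, word in files:
        if resident and fat_year(word) < 2008:
            rows.append((name, size, fat_year(word)))      # stealth restores the original view
        else:
            rows.append((name, size + ADDED, fat_year(stamp_on_infection(word))))
    return rows


# Constructed from the "Before infection" listing on the page.
BEFORE = [
    ("FILE1.COM", 5000, fat_date(1997, 2, 1)),
    ("FILE2.COM", 5000, fat_date(2001, 2, 1)),
    ("FILE3.COM", 5000, fat_date(2006, 2, 1)),
    ("FILE4.COM", 5000, fat_date(2008, 2, 1)),
    ("FILE5.COM", 5000, fat_date(2010, 2, 1)),
]

if __name__ == "__main__":
    for resident in (False, True):
        print("virus resident:", resident)
        for row in listing(BEFORE, resident):
            print("%-12s %6d  2-1-%d" % row)
```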

Memory usage

The following table shows the memory usage of the CMOSDead variants.

Variant          Memory usage (bytes)
CMOSDead.4792    5,072
CMOSDead.5154    5,440

Payload

The virus contains two payloads.

Anti-debugging

The ILoveDos variants do not have this payload.

If the user tries to step through an infected file in a debugger with the P (proceed) command, after a number of steps the virus clears the screen and displays the following message at the center of the screen:

BE CAREFUL !

It then disables keyboard input and hangs the system.

Data corruption

The trigger is random, with odds that depend on the system date.

When activated, it displays a flashing ASCII-art banner in red, with the word "CMOS" at the top of the screen and "DEAD" at the bottom, and a phrase at the center, accompanied by beeps at random intervals. The flashing sequence can trigger seizures in people with photosensitive epilepsy.

CMOSDead.4792 displays the following:

GRISOFT(c) SOFTWARE 1989,96

CMOSDead.5154 displays the following:

Your computer will be need a psychiatrist...

While this payload runs, the virus corrupts the CMOS data (the BIOS configuration), which the user has to set again on the next boot.

Once the payload has triggered, if the user tries to restart the computer with CTRL-ALT-DEL, the virus also formats the hard drive.

Other details

The beeping in the payload has no delay loop, so its speed depends on the CPU clock rate. On a slow computer of the period the payload produces the sound it was written for, but on a fast host or in an emulated DOS environment such as Virtual PC the beeping becomes extremely rapid and loud. Lower the system volume before running the sample on a fast machine.

The virus contains the following internal text strings, stored encrypted:

IOSYS
COMSPEC=
EXECOM
I love MS-DOS !

Videos

  • CMOSDead DOS Virus (01:50): review of the virus by danooct1
  • Virus.DOS.CmosDead (03:29): review of the virus by Alles Sandro
