There are 7 variants in 4 different versions:
- Virus.DOS.Christmas.1539 (A, B and C)
When the virus is run, it infects a DOS executable file by random, up to 8 files in current directory.
This variant infects both DOS and EXE formats. Before infecting the file that is run, the virus displays the character "#", followed by hanging the system.
There are 3 variants in this group.
These are dangerous non-memory resident encrypted variants. When the virus is run, it infects first 2 uninfected DOS executable files by writing itself to the beginning of the files, while it bypasses subdirectories pointed in the PATH command. The virus also ignores the files:
This variant infects any EXE executable that is run.
This variant activates on December 25th. It displays the message:
A merry christmas to you!
From the 23rd of every month, this variant plays a tune of Russian Christmas.
On April 1st, it writes a trojan program into the MBR of the hard disk and into the Boot-sectors of floppies. Upon reboot, this routine displays the following text:
April, April ...
From the 24th to the 31st of December, it displays an ASCII Christmas tree (see screenshot above) and a message:
Und er lebt doch noch : Der Tannenbaum ! Frohe Weihnachten ...
Translation (from German):
And he's still alive: the Christmas tree! Merry Christmas...
From December 24th till the 26th, it also hooks INT 8 (timer), and then displays the following message and plays a tune of "Silent Night":
Merry Christmas and happy new year ! Written from Tamsui Oxford college.
Christmas.600 contains the internal text string:
Christmas.1539 (A, B and C) contain the internal text strings:
01234567890123456789012345678901234567890123456789012345678 C:\JEZYKIC:\PCD:\UC:\*.COM PATH=IBMBIO.COM IBMDOS.COM ????????COM COMMAND.COM C:\COMMAND.COM .COM OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!
Christmas.1694 contains the internal text strings:
A:\516.EXE EXE P.EXE
- Index of Christmas on VX Heaven