Malware Wiki

Christmas

Virus.DOS.Christmas is a memory resident parasitic virus on DOS.

This virus has 7 variants in 4 versions:

  • Virus.DOS.Christmas.600
  • Virus.DOS.Christmas.868
  • Virus.DOS.Christmas.1539 (A, B and C)
  • Virus.DOS.Christmas.1694

Behavior

Christmas.600

When the virus is run, it infects DOS executable files at random, up to 8 files in the current directory.

Christmas.868

This variant infects both DOS and EXE formats. Before infecting the file that is run, the virus displays the character "#" and then hangs the system.

Christmas.1539

There are 3 variants in this group.

These are dangerous non-memory-resident encrypted variants. When the virus is run, it infects the first 2 uninfected DOS executable files by writing itself to the beginning of the files, while it bypasses subdirectories pointed to in the PATH command. The virus also ignores the files:

IBMBIO.COM
IBMDOS.COM

Christmas.1694

This variant infects any EXE executable that is run.

Payload

Christmas.600

This variant activates on December 25th. It displays the message:

A merry christmas to you!

Christmas.868

From the 23rd of every month, this variant plays a Russian Christmas tune.

Christmas.1539.a

On April 1st, it writes a trojan program into the MBR of the hard disk and into the Boot-sectors of floppies. Upon reboot, this routine displays the following text:

April, April ... 

From the 24th to the 31st of December, it displays an ASCII Christmas tree (see screenshot above) and a message:

Und er lebt doch noch : Der Tannenbaum !
Frohe Weihnachten ...

Translation (from German):

And he's still alive: the Christmas tree!
Merry Christmas...

Christmas.1694

From December 24th till the 26th, it also hooks INT 8 (timer), and then displays the following message and plays a tune of "Silent Night":

Merry Christmas and happy new year !  Written from Tamsui Oxford college.

Other details

Christmas.600 contains the internal text string:

*.com

Christmas.1539 (A, B and C) contain the internal text strings:

01234567890123456789012345678901234567890123456789012345678
C:\JEZYKIC:\PCD:\UC:\*.COM
PATH=IBMBIO.COM
IBMDOS.COM
????????COM
COMMAND.COM
C:\COMMAND.COM
.COM
OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!OhNo!

Christmas.1694 contains the internal text strings:

A:\516.EXE
EXE
P.EXE

Videos

  • Virus.DOS.Christmas 868, 600, 1694, 1539 (01:52): Christmas virus review by Alles Sandro
  • Virus.DOS.Christmas (1694 1539) (03:56): Christmas virus (1539, 1694) review by danooct1
