FANDOM


Virus.DOS.Devil, also known as the Devil's Dance, is a very dangerous memory resident parasitic virus on DOS.

There are 4 variants:

  • Virus.DOS.Devil.941 (plus E, F and G)

BehaviorEdit

When Devil is loaded into memory, every DOS executable file in current directory are infected by instant, including COMMAND.COM, by adding 1,882 bytes (2 copies of the infection code) to every file, and then it hooks INT 9 and 21h, infects every program that are run. The virus would always be loaded after booting.

The infection size varies on different files.

The virus behaves differently on infecting the executable, it does not check whether a COM file has been infected but it does on EXE, so that the virus does not re-infect EXE files.

Devil.941Edit

When an infected DOS executable file is run, the virus infects it by inserting the first 1,630 bytes of it code to the beginning of the file, and then the other 1,888 bytes placed at the end of the file. In other words, the virus adds 3,518 bytes on further infections.

Devil.941.e and fEdit

When an infected DOS executable file is run, the virus reinfects it by adding 941 bytes of viral code to the end of the file.

Advanced detailsEdit

The following table shows the TSR memory usage of the variants.

Variant Memory usage in bytes
Devil.941 4,352
Devil.941.e 1,232
Devil.941.f 1,232
Devil.941.g ?

MD5 hash:

Variant Hash
Devil.941 adbb647b2c7198c36be1e31cac0bed9f
Devil.941.e 53ee7daadaa500d14bc7a0f33baffbb5
Devil.941.f 05c66cac05f93c0458f10e679def1df4
Devil.941.g 618ecad8253f0971ac27c361d34fec09

PayloadEdit

The first payload is triggered after 6 key presses when the virus is in memory, and then the virus changes the color of the character to be entered on every key press.

After 5,000 key presses, the virus destroys the file allocation table.

When the user issues CTRL-ALT-DEL, the virus displays the following message with grey background:

Have you ever danced with the devil under the weak light of the moon?
Pray for your disk!
The_Joker...
Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha

If the count of key presses is less than 5,000 by the time CTRL-ALT-DEL are pressed, this payload screen would just appear in a flash and then the computer may reboot as usual, otherwise the system would halt on this screen.

Other detailsEdit

Devil has been identified as a member of Jerusalem by some antiviruses, naming Jerusalem.1631 or Sunday.

A system crash or reset occurs when Devil.941.g is being loaded into memory due to programming errors.

The virus contains the internal text strings, which references the Sunday variant of Jerusalem:

COMMAND.COM
Today is Sunday! Why do you work so hard? All work and no play make you a dull boy! Come on! Let's go out and have some fun!
*.com

ReferencesEdit

  1. List of variants of the Devil virus on VX Heaven

VideosEdit

Virus.DOS03:14

Virus.DOS.Devil

Devil's Dance virus review by danooct1

Virus.DOS.Devil01:41

Virus.DOS.Devil.941

Devil's Dance virus review by Alles Sandro

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.