FANDOM


Virus.DOS.Deliver.Digi.3547 is a dangerous memory resident polymorphic encrypted stealth virus on DOS.

Behavior

When the virus is loaded into memory, it hooks INT 1, 3, 1Ch and 21h to infect any DOS executable file that is run, by writing itself to the end of their binaries.

While creating, opening or running an executable file it stores the name, and hits it when the file is being closed. On opening the infected files the virus temporarily disinfects them. On FindFirst/Next DOS calls it "decreases" the infected file length.

The virus deletes files having the filename:

CHKLIST

While the execution of CHKDSK utility it disables its FindFirst/Next handler, while execution of MKS anti-virus scanner it temporarily stops the infection. It disables the debugging of the virus code by hooking INT 1 and 3.

Advanced details

The TSR memory usage is 5,376 bytes.

MD5 hash:

00efa67e781b81574020f6cd93bc3c01

Payload

The virus activates and overwrites the hard drive sectors with the string when the system date is between May 28th to 31st inclusive:

DIGI POWER

Then it manifests itself with the video and sound effects, and displays the message:

DIGI POWER

THIS IS A NEW ... DELIVER II SÆëâlÆH (R) WRITE BY DiGiT! ... SOUTH POLAND 1995

Videos

Virus.DOS.Digi

Virus.DOS.Digi.3547 (Revisited)

Digi virus review by Alles Sandro

Digi DOS Virus

Digi DOS Virus

Virus.DOS.Deliver.Digi.3547 on Standalone PC

Virus.DOS.Deliver.Digi

Virus.DOS.Deliver.Digi.3547

Virus.DOS.Deliver.Digi.3547 on Virtual PC