FANDOM


Virus.DOS.HHnHH, known as BigBall, is a memory resident parasitic DOS virus.

Behavior

When the virus is loaded into memory, it hooks only INT 1Ch (timer), which would stay "inactive" for about 20 seconds. After this period, it hooks INT 21h to infect any DOS executable file that is run by writing itself to the end of the file.

While infecting, the virus first renames the file to the name of "*.A*", and then it infects the file, after that the virus renames the file back to the original name.

HHnHH.4091.a contains bugs on hooking the timer interrupt that would make it to stay inactive for long time and it requires a lot of time before starting its infection behavior and also its payload, while the B variant is considered as the bug fixing release.

Memory usage

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
HHnHH.4087 6,144
HHnHH.4091 (A and B) 6,144
HHnHH.4093 6,144
HHnHH.4115 6,144
HHnHH.4331 6,144

Payload

On Monday, the virus outputs the digit 0 (ASCII 30h) to ports 41h, A0h and B0h.

It also scans the screen for the text string:

Esik

If found, the virus sets the monitor to graphics-video mode and launches a running ball after a few seconds.

Variants

This family has 6 variants in total:

  • Virus.DOS.HHnHH.4087
  • Virus.DOS.HHnHH.4091 (A and B)
  • Virus.DOS.HHnHH.4093
  • Virus.DOS.HHnHH.4115
  • Virus.DOS.HHnHH.4331

Other details

If the text string "Esik" is just typed but not entered, the payload would just appear in a flash and then returns to DOS.

The virus contains the internal text strings:

#(-28=CIPV]HARD HIT & HEAVY HATE the HUMANS !! [ H.H.& H.H. the H. ]
Valentin Populizeroff & Alexander LovInGodsky - it's a f*ck !
MultiScan & Tchechen it's a big ass hole !!!!!!!!!!!!!!!!!!!!
*************************************************************
(c) Gurre, Wadimka, Good Doggy & Grosser-Hide Group Moscow
*******************************************************

Note that the above message is not censored.

References

  1. List of variants of the HHnHH virus on VX Heaven

Videos

Virus.DOS01:46

Virus.DOS.HHnHH

HHnHH virus review by danooct1

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.