Virus.DOS.HHnHH, known as BigBall, is a memory resident parasitic DOS virus.


When the virus is loaded into memory, it hooks only INT 1Ch (timer), which would stay "inactive" for about 20 seconds. After this period, it hooks INT 21h to infect any DOS executable file that is run by writing itself to the end of the file.

While infecting, the virus first renames the file to the name of "*.A*", and then it infects the file, after that the virus renames the file back to the original name.

HHnHH.4091.a contains bugs on hooking the timer interrupt that would make it to stay inactive for long time and it requires a lot of time before starting its infection behavior and also its payload, while the B variant is considered as the bug fixing release.

Memory usage

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
HHnHH.4087 6,144
HHnHH.4091 (A and B) 6,144
HHnHH.4093 6,144
HHnHH.4115 6,144
HHnHH.4331 6,144


On Monday, the virus outputs the digit 0 (ASCII 30h) to ports 41h, A0h and B0h.

It also scans the screen for the text string:


If found, the virus sets the monitor to graphics-video mode and launches a running ball after a few seconds.


This family has 6 variants in total:

  • Virus.DOS.HHnHH.4087
  • Virus.DOS.HHnHH.4091 (A and B)
  • Virus.DOS.HHnHH.4093
  • Virus.DOS.HHnHH.4115
  • Virus.DOS.HHnHH.4331

Other details

If the text string "Esik" is just typed but not entered, the payload would just appear in a flash and then returns to DOS.

The virus contains the internal text strings:

#(-28=CIPV]HARD HIT & HEAVY HATE the HUMANS !! [ H.H.& H.H. the H. ]
Valentin Populizeroff & Alexander LovInGodsky - it's a f*ck !
MultiScan & Tchechen it's a big ass hole !!!!!!!!!!!!!!!!!!!!
(c) Gurre, Wadimka, Good Doggy & Grosser-Hide Group Moscow

Note that the above message is not censored.


HHnHH virus review by danooct1

