VIrus.DOS.HXH is a benign memory resident parasitic virus on DOS.

There are 3 variants:

  • Virus.DOS.HXH.1576
  • Virus.DOS.HXH.1585
  • Virus.DOS.HXH.1680


When the virus is loaded into memory, it hooks INT 21h to infect any executable that is run or accessed by FindFirst/Next FCB DOS function (DIR command) by writing itself to the end of the file.

The virus behaves stealthy but a size change is still observable due to its variable infection size in different files, infected files having the size few bytes longer.

Memory usageEdit

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
HXH.1576 1,904
HXH.1585 1,920
HXH.1680 2,016


The virus activates on February 19th, while HXH.1680 does not manifest itself at anyway.

Upon the first DIR file listing command, it plays a tune and displays the message in red background at the top of the screen:


Wherever,Long Live Our Friendship!

Good Luck With You! My Friend.

Yours Sincerly 6162910

It is noticeable that the firstly issued DIR command would have a slower response, as the virus is checking whether it should activate.

Other detailsEdit

The virus displays the message and plays tune on the very first DIR command after infection, and then the payload will never activate unless all the infected files are cleared and infected with it again.

The only sample of HXH.1680 is believed to be corrupted. During an infection, due to some code which is required for the virus to write is missing, it might cause a system crash. Additionally, the codes of the payload section in the infected file are completely empty (filled with FFh), so it cannot manifest itself on the day of payload.





HXH DOS Virus01:06


HXH virus review by danooct1

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.