Virus.DOS.HXH is a benign, memory-resident parasitic virus for DOS.

There are 3 variants:

  • Virus.DOS.HXH.1576
  • Virus.DOS.HXH.1585
  • Virus.DOS.HXH.1680


When the virus is loaded into memory, it hooks INT 21h and infects any executable that is run or accessed through the FindFirst/FindNext FCB DOS functions (the DIR command), writing itself to the end of the file.

The virus behaves stealthily, but a size change is still observable because its infection size varies between files: infected files appear a few bytes longer.

Advanced details

The following table shows the memory usage of the variants.

Variant     Memory usage in bytes
HXH.1576    1,904
HXH.1585    1,920
HXH.1680    2,016

MD5 hashes:

Variant     Hash
HXH.1576    623482c02b6429f8efc60bd044efee5a
HXH.1585    34b46453af09c215b5b4522d3b862100
HXH.1680    aaef3cf2bfe2e69f713bdb2eb027bf35


All these variants activate on February 19th, except HXH.1680, which cannot manifest itself at all.

Upon the first DIR file listing command, the virus plays a tune and displays the following message on a red background at the top of the screen:


Wherever,Long Live Our Friendship!

Good Luck With You! My Friend.

Yours Sincerly 6162910

The first DIR command issued responds noticeably more slowly, as the virus is checking whether it should activate.

Other details

The virus displays the message and plays the tune on the very first DIR command after infection. After that, the payload will never activate again unless all the infected files are cleared and then infected with it again.

The only sample of HXH.1680 is believed to be corrupted. Because some code that the virus needs in order to write itself is missing, an infection might cause a system crash. Additionally, the payload section in the infected file is completely empty (filled with FFh), so it cannot manifest itself on the day of the payload.







HXH virus review by danooct1