

Virus.DOS.Kwok is a memory-resident parasitic virus for DOS.

There are two variants, known under different names:

  • Virus.DOS.Kwok.1618
  • Virus.DOS.Shatin.1637

Behavior

When the virus is loaded into memory, it hooks INT 21h and writes itself to the beginning of DOS executables that are accessed with the FindFirst (AH=4Eh) function. It avoids COMMAND.COM.

When appending itself to a file, the virus stores the filename of the program being infected in its own code.

Kwok.1618

This is the initial release. Most programs infected by this variant fail to work and cause a system hang.

Shatin.1637

This is the bug-fix release. It has the same infection behavior and payload; the only difference is that programs infected by this variant may function properly.

Memory usage

The following table shows the memory usage of the variants.

Variant        Memory usage in bytes
Kwok.1618      5,232
Shatin.1637    6,256

MD5 hashes

The MD5 hashes below can be used to look up information about each variant.

Variant        Hash
Kwok.1618      5cea8d806e3b06b63e710d37591d05af
Shatin.1637    0d6e3f1f6f8955a89a1f3da9449039e1

Payload

When an infected program is run on the 1st of any month, the virus displays an ASCII-art message on a blue background:

毋忘我
KWOK'S VIRUS III

Translation (from Chinese):

Don't Forget Me

Plus the following message:

Made in Hong Kong (Shatin)

It also hangs the system.

Other details

Some antivirus products identify Shatin.1637 as Kwok.1637.

The virus contains the internal text string:

C:\COMMAND.COM

Runs in:

DOS

DOS 1.12, DOS 1.10.2, DOS 2.0
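
The two indicators on this page (the MD5 table and the internal text string) can be combined into a small triage pass over a directory of DOS executables. This is an added example, not code from the wiki; the function names are hypothetical, and it assumes the listed hashes describe the reference samples, so a host file infected by the parasitic virus will not match them by hash.

```python
import hashlib
from pathlib import Path

# MD5 hashes taken from the table on this page.
KNOWN_MD5 = {
    "5cea8d806e3b06b63e710d37591d05af": "Kwok.1618",
    "0d6e3f1f6f8955a89a1f3da9449039e1": "Shatin.1637",
}
# Internal text string listed on this page. Legitimate DOS programs may
# contain it too, so a hit is only a prompt for closer inspection.
MARKER = b"C:\\COMMAND.COM"
DOS_EXTS = {".com", ".exe"}


def triage_file(path, known=KNOWN_MD5):
    """Return ('hash', variant), ('string', offset) or None for one file."""
    data = Path(path).read_bytes()
    # MD5 is used only as a sample identifier here, not for integrity.
    digest = hashlib.md5(data, usedforsecurity=False).hexdigest()
    if digest in known:
        return ("hash", known[digest])
    offset = data.find(MARKER)
    if offset != -1:
        return ("string", offset)
    return None


def triage_tree(root, known=KNOWN_MD5):
    """Scan .COM/.EXE files under root; return {relative path: finding}."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in DOS_EXTS:
            result = triage_file(path, known)
            if result is not None:
                findings[str(path.relative_to(root))] = result
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, (kind, detail) in triage_tree(target).items():
        print(f"{name}: {kind} match ({detail})")
```

A "hash" finding identifies an exact copy of a listed sample; a "string" finding only reports the byte offset of the marker and needs manual review.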
