Lunch


Virus.DOS.Lunch.1756, or Lunch, is a dangerous overwriting DOS virus.

Behavior

When the virus is run, it overwrites the first uninfected DOS executable by writing its code at the beginning of the file. The infected program no longer functions; running it only spreads the virus further.

The virus does not infect COMMAND.COM or files that are smaller than the virus itself.

Payload

When an infected program is run at 12:00 or 17:00, the virus displays a message and hangs the machine.

At 12:00

It's 12:00, time for lunch!

At 17:00

It's 17:00, time to go home!

On Saturday the 14th, the virus drops a file called CLEAN.COM with a file size of 899 bytes.

The drop program CLEAN.COM

This drop program can itself be considered a virus. It behaves slightly differently from Lunch: instead of overwriting during execution, it hooks INT 21h and, before a program runs, infects one DOS executable by writing itself at the beginning of the file, then returns to DOS instead of running the program. The size of the infected file increases by 897 bytes.

A program infected by CLEAN will no longer function. When an infected program is run and the system date is between July 1st and December 31st, the PC speaker beeps.

Unlike the Lunch virus, CLEAN does not check file size, and it may infect COMMAND.COM and even itself.

Other details

Both Lunch and the drop program contain the following text strings:

cOcK!sUcKrI
COMMANDCOM
A:\XXX.COM
A:\$#@!$#@!.COM
ENGLISH SUCKERS DIE IN BUENOS AIRES!
MADE IN ARGENTINA91

The virus contains the following text strings that the drop program does not:

COMMAND.COM
*.cOm
CLEAN.COM

Infected programs may contain different text strings: instead of "A:\XXX.COM", the file path of the infected program is shown (e.g. C:\DOS\SYS.COM instead of A:\XXX.COM in an infected copy of SYS.COM).
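
The strings listed above can be used as a static check over a mounted disk image or a folder of extracted files. The following Python code is an added example, not part of the original article; the names classify and scan_tree are hypothetical, the sample byte strings are constructed, and it assumes the strings occur in a file as contiguous ASCII bytes exactly as listed. The A:\ path strings are skipped because they differ between infected copies.

```python
from pathlib import Path

# Strings the page lists for both Lunch and the CLEAN drop program.
# The A:\ path strings are left out: they change with the infected file's path.
SHARED = (b"COMMANDCOM",
          b"ENGLISH SUCKERS DIE IN BUENOS AIRES!",
          b"MADE IN ARGENTINA91")
# Strings the page lists for Lunch only.
LUNCH_ONLY = (b"COMMAND.COM", b"*.cOm", b"CLEAN.COM")

def classify(data: bytes):
    """Return "Lunch", "CLEAN" or None for the raw bytes of one file."""
    if not all(s in data for s in SHARED):
        return None
    # CLEAN grows the file instead of overwriting it, so host bytes remain and
    # may contribute a single Lunch-only string such as "COMMAND.COM".
    # Require all three before calling it Lunch.
    if all(s in data for s in LUNCH_ONLY):
        return "Lunch"
    return "CLEAN"

def scan_tree(root):
    """Classify every regular file under root; return {path: verdict} for hits."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            verdict = classify(p.read_bytes())
            if verdict:
                hits[str(p)] = verdict
    return hits

# Constructed samples (not real virus bodies): only the marker strings plus filler.
SAMPLE_LUNCH = b"\x00" * 16 + b"\x00".join(SHARED + LUNCH_ONLY) + b"A:\\XXX.COM"
SAMPLE_CLEAN_HOST = b"\x00".join(SHARED) + b" host bytes mentioning COMMAND.COM"
SAMPLE_BENIGN = b"plain program that mentions COMMAND.COM and *.cOm"

if __name__ == "__main__":
    for name, blob in (("lunch", SAMPLE_LUNCH),
                       ("clean+host", SAMPLE_CLEAN_HOST),
                       ("benign", SAMPLE_BENIGN)):
        print(name, "->", classify(blob))
```

A match is only an indicator from string content; files flagged this way still need confirmation with a proper scanner.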
