FANDOM


Virus.DOS.PSFL.1005 is a very dangerous memory resident parasitic virus on DOS.

Behavior

When the virus is in memory, it hooks INT 21h to infect any DOS executable that is run by writing itself to the end the file. It also hooks FindFirst/Next DOS calls (DIR command), and infects the files that are accessed by this call. Not every file would be infected.

The virus behaves stealthy so that no size change can be observed on infected file, but it does on those uninfected. It subtracts the infection size from all files, making the size of uninfected files to have smaller file size, an underflow occurs on files smaller than the virus itself.

Before infection:

EDIT.COM          413 bytes
SYS.COM         9,432 bytes
GOAT.COM       10,000 bytes

After infection and the virus stays memory:

EDIT.COM       64,944 bytes (uninfected)
SYS.COM         9,432 bytes (infected)
GOAT.COM        8,995 bytes (uninfected)

The displayed size of an uninfected file plus infection size minus original size is always equal to 65,536, in case there is a size underflow.

PSFL size-deduction

Displayed size difference, showing 0 bytes on an uninfected goat file, having a size of 1,005 bytes, which also refers to the infection size of the virus.

Memory usage

The exact memory usage is 1,040 bytes.

Payload

On the 13th of any month, the virus corrupts hard drive sectors, during this process it would generate some creepy noise from the hard drive. It also displays the following in the screen corners and hangs the system:

H  A
T  E

The system might load properly after this, but the user might encounter unexpected errors on program runtime.

Other details

The virus contains the internal text strings:

[WowWowGirl]
[PSFL]

Videos

PSFL virus03:15

PSFL virus.PSFL

PSFL virus review by danooct1

Virus.DOS.PSFL01:10

Virus.DOS.PSFL.1005

PSFL virus review by Alles Sandro

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.