FANDOM


Virus.DOS.Storm is a memory resident parasitic virus on DOS.

There are 7 variants in 2 versions, represented by the following:

  • Virus.DOS.Storm.1153
  • Virus.DOS.Storm.1217

Behavior

When the virus is loaded into memory, it hooks INT 21h and infects any DOS executable that is run.

Advanced details

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Storm.1153 (plus B) 1,440
Storm.1163 1,440
Storm.1172 1,456
Storm.1217 1,504
Storm.1218 1,504
Storm.1219 1,504

MD5 hashes:

Variant Hash
Storm.1153 d8378983b8344c91c991d2f4f14d391c
Storm.1153.b 67aa2131ed470c95358fb81ae68454a0
Storm.1163 5a75e37f3e0170ffcc5f0bc8cbd64c55
Storm.1172 4a1056a1e07e5b89662d6f0a0c24ad9b
Storm.1217 2880c634d26fdf73027817093018662e
Storm.1218 728ea956ee10523c2e793ee9291562c7
Storm.1219 2096826b4c3fef3f4d95b5b4640f11c1

Payload

Unless those specified, all these variants activate on March 3rd. They decrypt the message to display it onto the screen, in red color.

Storm.1153, 1153.b, 1163 and 1172

Storm.1153.b activates on June 6th instead.

These variants display the message at the top of the screen:

OK EVERYBODY!! NOW KEEP CALM AND LIE DOWN ON THE FLOOR -- THIS IS A VIRUS!!!!

Storm.1217, 1218 and 1219

Storm.1219 activates on December 24th instead.

These variants display the message at the 9th line on screen:

Wenn Du diesen Text liest ist es zu spät... Dein Computer ist infiziert!!!

Translation (from German):

When you are reading this text, it is too late... Your Computer is infected!!!

Variants

This family has 7 variants in total:

  • Virus.DOS.Storm.1153 (plus B)
  • Virus.DOS.Storm.1163
  • Virus.DOS.Storm.1172
  • Virus.DOS.Storm.1217
  • Virus.DOS.Storm.1218
  • Virus.DOS.Storm.1219

Other details

Storm.1153 (plus B), 1163 and 1172 contain the internal text string:

COM