
CMOSDead

From Malware Wiki
Type: Virus
Creator: Grisoft (Andreas Marx)
Date: 1989
Programming Language: Assembly
Platform: MS-DOS
File Type: DOS executable (.COM), MZ executable (.EXE)
Alias(es): CMOSDead, CMOS_Dead, ILoveDOS
SHA-1: a4f143ab33a21258740fca8be93dc98cc0f4a6fd
SHA-256: fb50c70d5dca8e7890f5ac7fd09139b1c6dff2c05d23a9c4bfb375f696f352fe
SSDEEP: 96:1wkQPHoIxMSosAoKSxAayN4BgFjomVykXY8eweIVG7+r3ezubh9lr:zKMSTuSu36uoNc27+6ux

Virus.DOS.CMOSDead is an extremely dangerous memory-resident encrypted virus on DOS.

There are five variants, known under two different names:

  • Virus.DOS.CMOSDead.4792
  • Virus.DOS.CMOSDead.5154
  • Virus.DOS.ILoveDos.3618
  • Virus.DOS.ILoveDos.3622
  • Virus.DOS.ILoveDos.3710

Payload

When the virus is loaded into memory, it hooks INT 21h to infect any executable that is run by writing itself to the end of the file. The virus does not infect files that are smaller than or equal to 4,000 bytes.

On infection, the virus saves the first 32 bytes of the host's original code at the end of the viral code and overwrites those 32 bytes with its own code. It also writes a 4-byte value at the very end of the file holding the offset of the viral code (that is, the original size of the host).

For example, if the host is 10,000 (2710h) bytes long, those four bytes are stored little-endian as:

10 27 00 00

The virus is stealthy: there is no observable file size increase on infected programs, and the user cannot find the infection code within the file even by dumping its contents with "type". If the user copies an infected file, the virus disinfects the copy before writing it to the new destination; the infection is still detectable by comparing checksums.
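The appended layout described above (viral code at the end of the host, followed by a 4-byte little-endian original size) gives a simple integrity check that does not depend on the virus's stealth hooks. The following is an added example, not code from the page or from any antivirus product: it assumes each variant's number is the total growth of the file in bytes, including the 4-byte trailer, and it reads raw bytes from disk rather than asking the possibly hooked DOS file API.

```python
import struct

# Growth in bytes for the five variants named on the page (assumption:
# the variant number equals the full appended length, trailer included).
VARIANT_LENGTHS = {
    4792: "CMOSDead.4792",
    5154: "CMOSDead.5154",
    3618: "ILoveDos.3618",
    3622: "ILoveDos.3622",
    3710: "ILoveDos.3710",
}
MAX_SKIPPED = 4000  # files of 4,000 bytes or less are never infected


def original_size_trailer(size):
    """Encode a host size as the 4-byte little-endian trailer (10000 -> 10 27 00 00)."""
    return struct.pack("<I", size)


def check_trailer(data):
    """Return (variant, original_size) when the trailing dword, read as a
    little-endian host size, leaves exactly one known appended length.
    Heuristic only: an unrelated file can match by chance, so confirm with
    a checksum against a known-clean copy."""
    if len(data) < 4:
        return None
    claimed = struct.unpack("<I", data[-4:])[0]
    delta = len(data) - claimed
    if delta in VARIANT_LENGTHS and claimed > MAX_SKIPPED:
        return VARIANT_LENGTHS[delta], claimed
    return None


def make_sample(host_size, appended):
    """Constructed test image: host body, filler standing in for the viral
    code, then the original-size trailer. Contains no real virus code."""
    host = bytes([0x90]) * host_size
    filler = b"V" * (appended - 4)
    return host + filler + original_size_trailer(host_size)


if __name__ == "__main__":
    img = make_sample(10000, 4792)
    print(img[-4:].hex(" "), check_trailer(img))
```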

CMOSDead.4792 and 5154

These variants search for and infect an uninfected COMMAND.COM when an infected program is run, and the system may fail to recognize the infected COMMAND.COM on the next start because of the modified file header.

ILoveDos.3618, 3622 and 3710

These variants may change the year of the file timestamp on infection if the file was last modified in 2000 or later.

For files with a timestamp from 2000 to 2007, the virus changes the year to 1999 on infection. In directory listings, however, the timestamp appears unchanged as long as the virus stays memory-resident.

For files with a timestamp of 2008 or later, the virus rolls the year back by 28 years on infection, and it is unable to hide the size increase on these files.

An example, using ILoveDos.3618:

Before infection:

FILE1.COM        5,000  2-1-1997
FILE2.COM        5,000  2-1-2001
FILE3.COM        5,000  2-1-2006
FILE4.COM        5,000  2-1-2008
FILE5.COM        5,000  2-1-2010

After infection (virus not in memory):

FILE1.COM        8,618  2-1-1997
FILE2.COM        8,618  2-1-1999
FILE3.COM        8,618  2-1-1999
FILE4.COM        8,618  2-1-1980
FILE5.COM        8,618  2-1-1982

After infection (virus stays in memory):

FILE1.COM        5,000  2-1-1997
FILE2.COM        5,000  2-1-2001
FILE3.COM        5,000  2-1-2006
FILE4.COM        8,618  2-1-1980
FILE5.COM        8,618  2-1-1982
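The listing above follows two rules: the year rewrite (2000 to 2007 becomes 1999, 2008 onward loses 28 years) and the limit of the stealth, which only hides files whose original year is before 2008 while the virus is resident. The model below is an added example, not code from the page; it reproduces the listing from the page's five sample files so the two rules can be checked against each other.

```python
APPENDED = 3618  # growth of ILoveDos.3618, from the listing above


def infected_year(year):
    """Year written to the timestamp on infection (ILoveDos variants)."""
    if 2000 <= year <= 2007:
        return 1999
    if year >= 2008:
        return year - 28
    return year


def listing_after_infection(files, resident):
    """files: list of (name, size, year) before infection.
    Returns what a directory listing shows afterwards. With resident=True
    the virus is in memory and hides size and date for files whose
    original year is before 2008; later files cannot be hidden."""
    shown = []
    for name, size, year in files:
        if resident and year < 2008:
            shown.append((name, size, year))
        else:
            shown.append((name, size + APPENDED, infected_year(year)))
    return shown


# Constructed input mirroring the page's example (sizes in bytes, year only).
SAMPLE_FILES = [
    ("FILE1.COM", 5000, 1997),
    ("FILE2.COM", 5000, 2001),
    ("FILE3.COM", 5000, 2006),
    ("FILE4.COM", 5000, 2008),
    ("FILE5.COM", 5000, 2010),
]

if __name__ == "__main__":
    for resident in (False, True):
        print("virus in memory:" if resident else "virus not in memory:")
        for name, size, year in listing_after_infection(SAMPLE_FILES, resident):
            print(f"{name:<12} {size:>6,}  2-1-{year}")
```

A listing taken while the virus is resident that differs from one taken after a clean boot is itself an infection indicator, which is why the page's checksum comparison should be done from clean media.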

The virus contains two payloads.

Anti-debugging

ILoveDos variants do not feature this payload.

If the user tries to debug an infected file by stepping through it (the debugger's P command), after a number of steps the virus clears the screen and displays the following at its center:

BE CAREFUL !

It then hangs the system and disables keyboard input.

Data corruption

Depending on the system date, the virus activates at random.

When activated, it displays flashing ASCII art of the words "CMOS" at the top of the screen and "DEAD" at the bottom, in red. A phrase is also displayed at the center, accompanied by beeps of random frequency. On hardware of the virus's own era this payload is a fairly ordinary series of beeps; at faster processor speeds, however, the same sequence is played at a higher rate and becomes an unusual, unsettling noise that has been described as 'screeching' or 'shrieking'.

CMOSDead.4792 displays the following:

GRISOFT(c) SOFTWARE 1989,96

CMOSDead.5154 displays the following:

Your computer will be need a psychiatrist...

During this visually frightening payload, the virus corrupts the CMOS data; the settings must be re-entered on the next boot.

After the payload has been triggered, when the user attempts to restart the computer by pressing CTRL-ALT-DEL, the virus also formats the hard drive.

Details

The following table shows the memory usage of the variants.

Variant          Memory usage (bytes)
CMOSDead.4792    5,072
CMOSDead.5154    5,440

MD5 hashes:

Variant          MD5
CMOSDead.4792    1924ea4f30b798a4ca0c6aeb42ac2585
CMOSDead.5154    8fcf447c5614fc9843b39dfadd5db27c

The audible payload sets no delay parameter, so the beeping speed depends on the CPU clock rate. On a slow computer of the virus's era it produces the sound it was meant to make, but in a fast DOS environment such as Virtual PC the payload becomes extremely loud, so it is advisable to lower the system volume before running the sample on a faster machine.

The virus contains the following encrypted internal text strings:

IOSYS
COMSPEC=
EXECOM
I love MS-DOS !

Videos

  • CMOSDead virus review by danooct1
  • CMOSDead virus review by Alles Sandro
