Malware Wiki

The last of Viral Rewind for 2020 has us visiting three (would've been four) variants of the DOS-based virus Christmas. All variants infect files to a degree with various properties and methods depending on the variant. Here we're mainly focusing on the payloads the three variants exhibit.

Payloads: All variants have payloads that activate on December 25th of any year (some activate around it as well).

600 - Whenever an infected file is run, the virus outputs "merry christmas to you!" at the prompt.

1539 - Whenever an infected file is run, the virus displays an ASCII rendition of a Christmas tree with text below it in German that translates to: "And he's still alive: the Christmas tree! Merry Christmas..."

It has another payload that activates whenever it is April 1st. When an infected file is run, it writes a trojan to both the Master Boot Record of the hard disk and the boot record of any unprotected floppy disk then halts the system requiring a hard reset. When the system is booted, it will display "April... April..." and all data on the disk will be lost.

1694 - Whenever an infected file is run, the virus hooks INT 8 which is the timer interrupt and every 30 seconds will play a rendition of Silent Night over the PC speaker along with a text printout that reads: "Merry Christmas and happy new year ! Written from Tamsui Oxford college." This will repeat as long as the virus remains in memory.


Viral Rewind- Virus.DOS.Christmas (600-1539-1694)

Video of Christmas (Dos Virus) in action