This article is about the original Abraxas. For the second version, see Abraxas_II.

Virus.DOS.Abraxas, also known as Abraxas-5, is a dangerous file overwriting virus on DOS.

There are 7 variants in 3 versions, represented by the following:

  • Virus.DOS.Abraxas.1170
  • Virus.DOS.Abraxas.1214
  • Virus.DOS.Abraxas.1881

There are additional 2 variants which also belong to this family.


This family of viruses uses file replacement overwriting technique to infect files, and they are not recoverable.

Abraxas.1170, 1171, 1200 and 1214

When the virus is run, the virus infects C:\DOS\DOSSHELL.COM, if no such file is found, the virus creates the file. The virus also overwrites an EXE executable in the current directory and copy this infected file to the parent directory for further spreading.

Abraxas.1214 infects C:\COMMAND.COM instead of DOSSHELL.COM.

The timestamp of the infected file will be the time of infection.

After an infection, the virus changes the current directory to one upper level.


This variant is a memory resident. Due to some programming faults, the virus installs itself into memory without infecting any file after the first run. It would infect files on the second run and so on.

After an infection, the virus changes the current directory to one upper level, a copy of the infected EXE file also appears in the parent directory.


This variant is slightly different to the others, see Brain.

Advanced details

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Abraxas.1170 Non-TSR
Abraxas.1171 Non-TSR
Abraxas.1200 (A and B) Non-TSR
Abraxas.1214 Non-TSR
Abraxas.1304 1,696
Abraxas.1881 ?

MD5 hash:

Variant Hash
Abraxas.1170 8da7aa6f6e9c1f4e1381848f3b14c0e9
Abraxas.1171 fee278b87fc712b21c3d86921ce3a276
Abraxas.1200.a f1c5094307d72c1919bd2aeb0a19826a
Abraxas.1200.b 648764cd9cb13a698dc67d68b80d08f9
Abraxas.1214 748aaa38c448fcfccf253dd3ef61907f
Abraxas.1304 a9b4b920afff6a379200514c9e56d1ca
Abraxas.1881 787a637d5770c140c847cbff6618db62


Abraxas.1170, 1171, 1200 and 1304

When an infected program is run, the virus plays an ascending scale from the system speaker, followed by displaying the following text in ASCII art:


For Abraxas.1200.b, the display of the ASCII art is corrupted.

For Abraxas.1304, due to some programming faults, the audible payload is not triggered on the first run but would display the ASCII art twice. On the second run and so on, the virus would play the scale but no ASCII art will be displayed.


This variant plays a tune which is similar to Burma and displays an indecent ASCII image (with the message "Sara's Groove") that was used in some Groove strains.


This family has 9 variants in total:

  • Virus.DOS.Abraxas.1170
  • Virus.DOS.Abraxas.1171
  • Virus.DOS.Abraxas.1200 (A and B)
  • Virus.DOS.Abraxas.1214
  • Virus.DOS.Abraxas.1304
  • Virus.DOS.Abraxas.1881
  • Virus.DOS.Abraxas.Cleton (2 variants)

Also, there are more than 20 viruses have appeared which have clearly been produced with the PS-MPC:

Other details

Abraxas was created with the PS-MPC virus creation tool, which can be used to create similar, easily detected viruses, which are usually encrypted as well.

The name "Abraxas" was used for a virus in the game Evolution.

Abraxas.1881 has been identified as Brain by some antiviruses.

Abraxas.1170, 1171, 1200 and 1304 contain the internal text strings:

MS-DOS (c)1992
...For he is not of this day
...Nor he of this mind

Abraxas.1214 contains the internal text strings:

Darkest Avenger
Isnt dedicated to Sara Gordon
Its dedicated to her GROOVE!

Abraxas.1881 contains the internal text strings:



  1. List of variants of the Abraxas virus on VX Heaven

See also




Review By Alles Sandro

Community content is available under CC-BY-SA unless otherwise noted.