FANDOM


Virus.DOS.Lunch.1756 is a dangerous file overwriting DOS virus.

Behavior

When the virus is run, it overwrites the first uninfected DOS executable, by writing its code at the beginning of the file, the infected program will no longer function but spreading out the virus.

The virus does not infect COMMAND.COM and files that are smaller than the virus itself.

Advanced details

This virus does not stay memory resident.

MD5 hash:

cd6529b726fe18403df98b009eb22bc1

Payload

When an infected program is run at 12:00 or 17:00, the virus displays a message and hangs the machine.

At 12:00

It's 12:00, time for lunch!

At 17:00

It's 17:00, time to go home!

On Saturday 14th the virus drops a file called CLEAN.COM with a file size of 899 bytes.

The drop program CLEAN.COM

This drop program can be considered as a virus, while it acts slightly different from Lunch. Instead of overwriting during execution, it hooks INT 21h and infects one DOS executable by appending itself at the beginning of the host before a program runs, and then return to DOS instead of running the program, the file size will increase by 897 bytes.

The program infected by CLEAN will no longer function. When an infected program is run and the system day is between July 1st and December 31st, the PC speaker will beep.

Unlike the Lunch virus, CLEAN does not check file size and it may infect COMMAND.COM and even itself.

Other details

Both Lunch and the drop program contain the following text strings:

cOcK!sUcKrI
COMMANDCOM
A:\XXX.COM
A:\$#@!$#@!.COM
ENGLISH SUCKERS DIE IN BUENOS AIRES!
MADE IN ARGENTINA91

The virus contains the following text strings that the drop program does not:

COMMAND.COM
*.cOm
CLEAN.COM

The infected programs may contain different text strings, rather than "A:\XXX.COM", the file path of the program is shown (e.g. C:\DOS\SYS.COM instead of A:\XXX.COM in an infected copy of SYS.COM).