Filehide causes the files in the current directory to be
hidden on Fridays.
The virus only works if the major number of the DOS version is higher
than 1 and the minor number is higher than 2. The virus uses
INT 21h/AX=A1D5h as an "Are-you-there" call. If AH=900Dh is returned,
the virus is resident.
The virus allocates 800 bytes of memory using DOS alloc functions. The
789 bytes of virus code are copied there. Execution continues in the copy.
When the virus hooks INT 21h, it checks the first byte of the original
interrupt handler. If it is PUSHF, the whole INT 21h segment is searched
for the first occurrence of the instruction JMP FAR [####] and the
destination vector is fetched from there.
This is repeated as many times as possible. The intention is to get an
INT 21h vector that does not exit via JMP FAR [####]. With this
method, it is very easy for the wrong vector to be fetched if such
far jumps exist in the searched segments.
The virus revectors INT FFh to point to the original INT 21h handler, and
uses INT FFh to access DOS. The INT 21h handler of the virus exits to
DOS by pushing the previous vector and doing IRET (the flags are already
on the stack because the first instruction of the handler is PUSHF).
The virus is kept resident by fiddling in the DOS data table returned by
The INT 21h handler implements the residence test and intercepts DOS
functions 4B00h (load/exec) and 3Dh (open file) to infect files. Only COM
files are infected. The virus checks that there is enough available disk
space left for the infection. The file attribute is cleared, and the date
and time are preserved except that the seconds field is set to 58 after
infection. This is used to prevent reinfection.
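
The 58-second marker can be checked from the defender's side, as in the following added example (not part of the original description), which scans raw FAT 8.3 directory entries for COM files carrying that marker and for hidden entries. It assumes the standard 32-byte FAT directory entry layout and 1 KB = 1024 bytes for the under-62 KB host limit this description gives; the sample entries are constructed.

```python
import struct

ENTRY = struct.Struct("<8s3sB10xHHHI")  # assumed standard FAT 8.3 entry, 32 bytes
VIRUS_LEN = 789            # bytes appended to the host, per the description
MAX_HOST = 62 * 1024       # "smaller than 62 KB"; 1 KB = 1024 is an assumption
MARKER_SECONDS = 58        # seconds value left in the timestamp after infection
ATTR_HIDDEN = 0x02

def parse_entry(raw):
    """Return (filename, ext, hidden, seconds, size) for one directory entry."""
    name, ext, attr, time, _date, _cluster, size = ENTRY.unpack(raw)
    ext = ext.decode("ascii").rstrip()
    full = name.decode("ascii").rstrip() + "." + ext
    # DOS stores seconds / 2 in bits 0-4 of the time word
    return full, ext, bool(attr & ATTR_HIDDEN), (time & 0x1F) * 2, size

def triage(directory):
    """Return (marker_names, hidden_names) for a raw directory region."""
    marked, hidden = [], []
    for off in range(0, len(directory) - ENTRY.size + 1, ENTRY.size):
        raw = directory[off:off + ENTRY.size]
        if raw[0] == 0x00:              # end of directory
            break
        if raw[0] == 0xE5:              # deleted entry
            continue
        full, ext, is_hidden, seconds, size = parse_entry(raw)
        # Marker: COM file, seconds == 58, size consistent with host + 789 bytes
        if (ext == "COM" and seconds == MARKER_SECONDS
                and VIRUS_LEN < size < MAX_HOST + VIRUS_LEN):
            marked.append(full)
        if is_hidden:
            hidden.append(full)
    return marked, hidden

def make_entry(name, ext, attr, h, m, s, size):
    """Build a constructed sample entry (date and start cluster are arbitrary)."""
    time = (h << 11) | (m << 5) | (s // 2)
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(), attr, time, 0x1A21, 2, size)

# Constructed sample directory, not taken from a real disk.
SAMPLE = b"".join([
    make_entry("EDIT", "COM", 0x20, 12, 30, 58, 5789),    # marker present
    make_entry("FORMAT", "COM", 0x20, 9, 15, 10, 11000),  # ordinary timestamp
    make_entry("REPORT", "TXT", 0x22, 10, 0, 58, 2000),   # hidden, not a COM file
    make_entry("TINY", "COM", 0x20, 8, 0, 58, 500),       # too small to hold 789 bytes
])
```

A 58-second timestamp also occurs on clean files, so a match is a lead for scanning, not a verdict.
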
Files will only be infected if they are smaller than 62 KB. Infection is
done by appending the virus code to the host file. Before returning from
the intercept routine (whether or not infection took place), the system
date is checked and if it is a Friday there is a 1:16 chance that all
files in the current directory will be hidden (1:4 chance if it is