The first file-infecting virus for the Nintendo DS
When an infected file is run, the date is checked. If the date is December 30th, the virus goes into its payload routine. Otherwise, the virus iterates over each file in the current directory, picking a random number between 0 and 9. If that number is 7, the file gets infected and the virus stops iterating. The virus then loads the host file into memory and runs it as if nothing ever happened.
When a file is selected to be infected, the virus writes itself to the end of the file, copies important data from the original header to the end of the file, and then modifies the header to point to the virus.
[header][===arm9===][=arm7=][=====data=====]
   |
   \ contains information about the positions and entry point
     of the binaries to be run on each of the DS's processors

                                            |------virus body------|
[header][===arm9===][=arm7=][=====data=====][virus arm9][virus arm7][metadata]
   |                                                                    |
   \ information has been edited to point to the virus body             |
     as opposed to the original binaries                                |
                                                                        |
                            contains original positions and entrypoints /
The payload itself isn't that impressive.
It displays text on both displays:
hello friend! your system is infected with the first ever file infector for the nintendo ds :) do not be afraid, i come in peace however, darker times may come beware
nitroglycerin written by dr1ft of gaia in 2018 press A to continue...
068.xm is played in the background, and the color palette changes randomly in beat with the song. There's a crude recording of this payload available at https://www.youtube.com/watch?v=p4wuC71aLS0
Pressing A breaks out of the payload routine and boots the original file as expected.
It's not very easy to tell what files have been infected without a computer.
Interestingly, some flashcarts don't even show infected files in their main file menu. You can work around this by starting the files with nds-hb-menu.
File infection takes a lot of time, so the system may appear to hang on a white screen for around 10 seconds when infected files are starting. This is a normal part of the infection routine.
The "patient zero" file is an MS-DOS-style goat file I wrote that analyzes its own header and can detect when it has been infected.
The source code is available here. Good luck figuring out how to compile and use it, I'm not helping you.
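As an added example (not part of the original write-up or of the virus's source), here is a computer-side check for the layout change shown in the diagrams above: it reads the ARM9/ARM7 and file-table positions from the NDS header and reports when both binaries sit after the data instead of before it. The field offsets are the standard public NDS header layout; treating the FNT/FAT tables as the start of the data region is an assumption of this example, and the sample images are constructed.

```python
import struct

# Field offsets in the 0x200-byte NDS ROM header (public cartridge header layout).
BINARIES = {"arm9": 0x20, "arm7": 0x30}   # each: rom offset, entry, load address, size
DATA = {"fnt": 0x40, "fat": 0x48}         # each: rom offset, size
HEADER_LEN = 0x200

def parse_header(rom: bytes) -> dict:
    """Extract the binary and file-table positions the header declares."""
    if len(rom) < HEADER_LEN:
        raise ValueError("too short to contain an NDS header")
    fields = {}
    for name, pos in BINARIES.items():
        offset, entry, load, size = struct.unpack_from("<4I", rom, pos)
        fields[name] = {"offset": offset, "entry": entry, "load": load, "size": size}
    for name, pos in DATA.items():
        offset, size = struct.unpack_from("<2I", rom, pos)
        fields[name] = {"offset": offset, "size": size}
    return fields

def layout_findings(rom: bytes) -> list:
    """Return reasons the layout differs from the clean diagram (empty list = looks clean)."""
    h = parse_header(rom)
    findings = []
    for cpu in BINARIES:
        if h[cpu]["offset"] + h[cpu]["size"] > len(rom):
            findings.append(f"{cpu} binary extends past end of file")
    tables = [h[n] for n in DATA if h[n]["offset"] and h[n]["size"]]
    if tables:  # heuristic (assumption): the file tables mark where the data region starts
        data_start = min(t["offset"] for t in tables)
        if all(h[cpu]["offset"] > data_start for cpu in BINARIES):
            findings.append("both binaries are placed after the data region")
    return findings

def sample_rom(arm9_off, arm7_off, fnt_off, fat_off, total=0x3000) -> bytes:
    """Constructed test input: zero-filled image with only header fields set."""
    rom = bytearray(total)
    struct.pack_into("<4I", rom, 0x20, arm9_off, 0x02000000, 0x02000000, 0x400)
    struct.pack_into("<4I", rom, 0x30, arm7_off, 0x037F8000, 0x037F8000, 0x200)
    struct.pack_into("<2I", rom, 0x40, fnt_off, 0x10)
    struct.pack_into("<2I", rom, 0x48, fat_off, 0x10)
    return bytes(rom)

CLEAN = sample_rom(0x200, 0x600, 0x800, 0x810)         # header, arm9, arm7, data
RELOCATED = sample_rom(0x2000, 0x2400, 0x800, 0x810)   # binaries after the data

if __name__ == "__main__":
    for label, rom in (("clean", CLEAN), ("relocated", RELOCATED)):
        print(label, layout_findings(rom) or "no findings")
```

A finding here is a layout anomaly worth a closer look, not a signature for this specific virus; a legitimately unusual build could trigger it too.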