The first file-infecting virus for the Nintendo DS

Main routine

When an infected file is run, the date is checked. If the date is December 30th the virus goes into its payload routine. Otherwise, the iterates over each file in the current directory and picks a random number between 0 and 9. If that number is 7, the file gets infected, and stops iterating. The virus then loads the host file into memory and runs it as if nothing ever happened.

Infection routine

When a file is selected to be infected, the virus writes itself to the end of the file, copies important data from the original header to the end of the file, and then modifies the header to point to the virus.

Original file:

   \ contains information about the positions and entry point
     of the binaries to be run on each of the DS's processors

Infected file:

                                            |------virus body------|
[header][===arm9===][=arm7=][=====data=====][virus arm9][virus arm7][metadata]
  |                                                                   |
   \ information has been edited to point to the virus body           |
     as opposed to the original binaries                              |
                         contains original positions and entrypoints /

Payload routine

The payload itself isn't that impressive.

It displays text on both displays:

 hello friend!

 your system is infected with
 the first ever file infector
 for the nintendo ds :)

 do not be afraid, i come in

 however, darker times may come

 written by dr1ft of gaia
 in 2018

 press A to continue...

068.xm is played in the background, the color pallette changes randomly in beat with the song. There's a crude recording of this payload available at

Pressing A breaks out of the payload routine and boots the original file as expected.

Other notes

It's not very easy to tell what files have been infected without a computer.

Interestingly, some flashcarts don't even show infected files in their main file menu. You can work around this by starting the files with nds-hb-menu.

File infection takes a lot of time, so the system may appear to hang on a white screen for around 10 seconds when infected files are starting. This is a normal part of the infection routine.

The "patient zero" file is an MS-DOS-style goat file I wrote that analyzes its own header and can detect when it has been infected.


The source code is available here. Good luck figuring out how to compile and use it, I'm not helping you.