Viral Rewind: Virus.DOS.Luci (Luce/Lucifer_II)

  107 views

MB Education

A day ago

Luci/Luce/Lucifer_II (or whatever else it could go by), variant 4628/4632, has to be one of the more convoluted pieces of malware when it comes to understanding how the virus replicates and performs its various payloads. So much so, in fact, that I had to keep notes on what I discovered, and even then I don't have 100% of the activation methods and results of what this virus can do.
When first loaded, the virus goes resident in memory and first infects COMMAND.COM, ensuring it loads each time with the system. It is polymorphic, which aids in avoiding detection and may be why it can be hard to decipher. It isn't stealthy, so file size increases will be apparent. It infects .EXE and .COM files when they are accessed, and it will infect .SYS files as well.
The payloads (from what I gathered) can be broken down into two categories: Non-System Affecting and System Affecting.
Non-System Affecting:
The system must be booted during the specific day and time.
- Mondays/Thursdays between 12AM and 7PM (black bar scrolls vertically on screen)
- Fridays at the top of the hour for 20 minutes (screen bobs up/down)
- Saturdays between 12AM and 4PM (black bar and screen bob)
(Tuesday, Wednesday and Sunday have no effects.)
System Affecting:
Payloads are day of the week AND day number dependent (usually).
- Monday 1st/3rd (infects MBR)
- Monday 2nd (infects MBR/removes floppies from CMOS)
- 12th (removes floppies from CMOS)
- Thursday 20th (displays OVER-X)
Other possible payloads that have been exhibited include mass file deletion, programs not running, programs crashing and programs behaving oddly.
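
Because the description says the virus is not stealthy and that file size increases are apparent, a size baseline is a practical check on a test image. The following is an added example, not code from the video or its author; it assumes the variant numbers 4628/4632 are the bytes added per infection, and the snapshot paths and sizes are constructed.

```python
from pathlib import PureWindowsPath

# Host types the description says Luci infects.
TARGET_EXTS = {".com", ".exe", ".sys"}
# Assumption: variant numbers 4628/4632 are the bytes added per infection.
VARIANT_GROWTH = {4628, 4632}


def find_grown_hosts(baseline, current):
    """Compare two {path: size} snapshots and report executables that grew."""
    findings = []
    for path, old_size in baseline.items():
        p = PureWindowsPath(path)
        if p.suffix.lower() not in TARGET_EXTS:
            continue  # not a host type named in the description
        new_size = current.get(path)
        if new_size is None or new_size <= old_size:
            continue  # deleted, unchanged or shrunk: not the growth pattern
        growth = new_size - old_size
        findings.append({
            "path": path,
            "growth": growth,
            # Polymorphic code may pad differently, so any growth is reported;
            # an exact match against the variant numbers is flagged separately.
            "matches_variant": growth in VARIANT_GROWTH,
            # COMMAND.COM is the first file infected, so it is triaged first.
            "priority": p.name.upper() == "COMMAND.COM",
        })
    findings.sort(key=lambda f: (not f["priority"],
                                 not f["matches_variant"], f["path"]))
    return findings


# Constructed sample snapshots (sizes are illustrative, not from the video).
BASELINE = {"C:\\COMMAND.COM": 54645, "C:\\DOS\\EDIT.COM": 413,
            "C:\\DOS\\HIMEM.SYS": 29136, "C:\\DOS\\README.TXT": 1000,
            "C:\\GAMES\\PLAY.EXE": 20000}
CURRENT = {"C:\\COMMAND.COM": 59273, "C:\\DOS\\EDIT.COM": 413,
           "C:\\DOS\\HIMEM.SYS": 33768, "C:\\DOS\\README.TXT": 5628,
           "C:\\GAMES\\PLAY.EXE": 20100}

if __name__ == "__main__":
    for f in find_grown_hosts(BASELINE, CURRENT):
        tag = "variant-size match" if f["matches_variant"] else "grew"
        print(f"{f['path']}: +{f['growth']} bytes ({tag})")
```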

Comments: 3
@NguyenHoang-pv2xd 12 days ago
Request: Trojan Win32 Gentee all variants Test on Windows XP include supplemental language East Asian language
@zzco a month ago
between Midnight and 7PM, meaning that it runs the whole damn day and sleeps for 3 hours later? Lol
@SugarTearz2003 a month ago
Just like me fr