Type File virus
Date Discovered 1991.12
Place of Origin Show Low, United States
Source Language Assembly
Platform DOS
File Type(s) .com
Infection Length 306 bytes
Reported Costs

Timid is a large family of simple DOS viruses. The original variant appeared in Mark Ludwig's "Little Black Book of Computer Viruses". It produced around 40 different variants.


When an infected file is executed, it will search the current working directory for uninfected files. When it finds one, it infects it, appending its code to the end of the file, then displays the name of the file it infected on the console. If no infected files are found, the system will hang. It will also hang when a system with an infected COMMAND.COM is booted.

The text string "VI" can be found in infected files. The time and date of infected files will be changed to that of the time it was infected. Files that are infected are damaged and may not run properly and may either cause beeping or a file name to be displayed.


Around 40 variants of Timid appeared in the early and mid-1990s, partly because the source code was published in the "Little Black Book of Computer Viruses". Most are only diffrent in size, which can range from 245 bytes to 557 bytes.


Timid.320, also known as Hehheh, was discovered in November of 1992. This variant adds its code to any kind of file indiscriminately, possibly damaging or adding unwanted text to the files. It causes the system to beep, in addition to displaying the following text to the console: "*.* HEH!HEH!HEH!HEH!"


This variant contains a bug that causes it to reinfect files. It will always infect the first file in the current working directory rather than checking for an infection then moving to the next file if it finds a copy of itself.


Timid.371 is potentially dangerous and can make the hard disk inaccessible. When it is unable to find an uninfected .com file, it will overwrite 16 sectors of the system hard disk starting at side 0, cylinder 0, sector 1. After this, the user will get a message saying "Invalid drive specification" when trying to access the disk. It is possible to recover the disks using standard recovery tools.

Timid.526 and Timid.557

These variants infects files like the original, with the exception of when it is in the root directory. There it only infects hidden files and COMMAND.COM. Infected systems may have problems booting, data corruption and programs that don't function properly. If it can't find files to infect, it will slowly alter the system display until it is blank, then hang the system.


This variant, discovered in October 1992 comes from Canada and was coded by Lucifer Messiah. It is 305 bytes long. The text string "LM" can be found in the place of VI. Aside from this, it is functionally similar to the original.

Other Variants

  • Timid.290

This variant's primary difference in addition to its smaller size is that it does not display the name of the program it infected.

  • Timid.305 and 382

These versions' main difference aside from size is that it does not cause any beeping.

  • Timid.431

This version adds the ability to infect .exe and .sys files in addition to .com files.


Though originally a laboratory virus, Timid managed to escape and was discovered in the wild. Any number of reasons are possible, as its creator Mark Ludwig published, sold and even freely shared books, disks, and other media with virus source codes and binaries and was an advocate of people doing so for research purposes.

The virus was first reported in the US state of Oregon, the nearest population center of which (Jordan Valley) is well over 1,000 kilometers or 700 miles from its origin in Show Low, Arizona. It was also found in Canada.


Mark A. Ludwig. "The Little Black Book of Computer Viruses". American Eagle Publications, Show Low, Arizona.

Patricia Hoffman. Online VSUM, Timid Virus

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License