A dive into the world of MS-DOS viruses (2019) (opens in new tab)

(blog.benjojo.co.uk)

83 pointsdefaulty4y ago31 comments

31 comments

This brings back fond memories. It's been a _long_ time since then, and I was about 14yo. This was pre-internet, the BBS era. My computer, an old PC XT, 8086 based. I was getting new software via mail order from various specialized magazines, or from BBS's (to which I did not have access directly at that time -- not particularly relevant to this story).

One day, I got something infected with a virus named Romania.856 (I will always remember this name), a COM infector, as I found out from F-Prot Antivirus (which came with a great db with information about viruses -- such a great read for the young me!).

The tools available to me were still very limited; I had not yet discovered TDD (Borland Turbo Debugger). But I was dead set to understand how the virus worked. There I was, using the very limited `debug` tool that came with MS-DOS. I've learned x86 Assembler from various texts downloaded from BBS's. I reverseengineered Romania.856, and learned how it worked, and did my own experiments. That's how I spent my summer vacation that year.

This was the beginning of some of the most beautiful years of my life, with regard to computers. It lasted for a bit over half a decade, time in which tech evolved fast, I got an internet connection (still dialup back then), I discovered IRC, met people with similar interests and so on. What I miss the most now is the feeling of everything being new, the possibility for exploration and discovery.

jzawodn4y ago

> What I miss the most now is the feeling of everything being new, the possibility for exploration and discovery.

Oh, good... it's not just me. :-)

dblohm74y ago

Me three!

seppel4y ago

> I got something infected with a virus named Romania.856 (I will always remember this name)

For me it was Tai-Pan.438.A. I printed out(!) the disassembly code and studied it for weeks. I remember the stack modifications (not matching push/pop instructions) were super troubling for me to understand because such tricks were not really explained it the normal books.

mycall4y ago

I understand the modifications part, but why would push/pop counts be mismatched?

2 more replies

lbj4y ago

What a great talk, loved everything about that era.

When I was 14 I made my first virus/prank. It would increment a counter every time input was sent to the PS/2 port, ie. keyboard. Once it hit 2000 strokes it would switch to 80x50 textmode, print "This is a shareware keyboard. You have used all of your free keystrokes" and then close the PS/2 connection until a physical reboot.

I thought it was hilarious, but it did have some unintended consequences. Especially because that the IT guy in charge actually believed the message. So, also my last virus.

ivan4th4y ago

I did write some DOS viruses back when I was a kid, including a "stealth" one (invisible when reading the infected files via int 21h) and another one polymorphic (encrypted with dynamically generated decoder). I've never spread them, although I did upload another simpler one to an antivirus vendor BBS as a "new virus", so now it's known as "Areopag-480" and such. I thought all of the sources of things I wrote back then were lost when I typed an extra space in "rm -rf ~/something" back around 2000, but recently, while looking through some old books, I've found a piece of code of the stealth virus I wrote around 1992-1993: https://twitter.com/ivan4th/status/1434625057553330178/photo... I didn't have a PC at my grandparents' dacha back then, so I was writing code on paper instead during the summer

TigeriusKirk4y ago

I did some of the same things back in the day, just because viruses seemed like such a neat idea. There was a book that came out, The Little Black Book Of Computer Viruses, that was very helpful in learning such things.

Text of the book here - https://web.archive.org/web/20090420151624/http://vx.netlux....

shantnutiwari4y ago

Interesting.

I've often wondered-- if you want to learn low level C and/or hacking techniques, would it make sense to start by hacking Ms-Dos? It's easy, there is little to no protection, even for system calls, and you can do a lot with little code.

Of course, there is no "practical" use, but it would be really interesting as a learning excercise.

I often thought of creating a few tutorials about this, but not sure if anyone cares... (or if anyone else has done so).

pjc504y ago

There's precisely zero protection; it behaves a lot more like an embedded system. It might be nice to reuse some of the old tutorials for this, but I'm not sure if that wouldn't be too specific.

buescher4y ago

Most of it would cross-apply to embedded. Some of it would directly apply to whatever legacy SBC-level embedded applications out there are still running on DOS. Most people don't want to be in embedded, and even fewer want to do maintenance programming in embedded.

shantnutiwari4y ago

yeah, but embedded is another beast. Lots of different boards/architectures, plus not all embedded devices use an OS, it's mostly (usually?) bare metal programming

1 more reply

pjmlp4y ago

Just get an Arduino or ESP32 and you can do exactly the same.

peanut_worm4y ago

“danooct1” is a great youtube channel where you can see DOS and 32x viruses in action.

lostgame4y ago

Sorry - ‘32x’ viruses? As in like - SEGA 32x?

That’s a bizarre platform to learn to exploit...

peanut_worm4y ago

oops i mean 32 bit I have been playing too many video games lately lol

bombcar4y ago

I assume they meant 32 bit - I.e, Windows 95 viruses and such.

StanislavPetrov4y ago

My first experience with an MS-DOS virus was in the late 1980s with the Jerusalem virus. We wanted to play Nethack during programming class (PASCAL) in the computer lab, and so brought a disk with a downloaded version (1200 baud) from home to install on the school's computers. Needless to say, someone had an infected copy, and before long it spread to most of the machines. It would cause weird things to happen like little blue rectangles to randomly appear. At that time, nobody was familiar with viruses (the computer teacher was actually a math teacher picking it up on the fly), and so the computers stayed infected for months until someone figured it out.

bnjf4y ago

for those interested in the polymorphic libraries which became prevalent in the early 90s, I've got a disassembly of MtE at https://github.com/bnjf/mte/

EvanAnderson4y ago

I'll be interested to look at that MtE disassembly in detail. Thanks for doing that work.

If you enjoyed MtE you might enjoy the polymorphic engine from Natas (published in 40Hex[0]). It's not as complex as MtE. It's a bit oddball in that it appends the decryption routine to the payload.

[0] http://cd.textfiles.com/group42/VIRUS/40HEX/40HEX122.HTM

1970-01-014y ago

When John McAfee saw the first PC virus he knew that stopping them was worth something and started McAfee Associates, which later became a bad thing.

https://www.reddit.com/r/netsec/comments/3hr9f0/i_am_john_mc...

Ingon4y ago

My fascination with viruses actually brought me to programming. After reading a lot about them, one evening I said to my father (who was a programmer) that I want to learn how to write a virus. So, he gave me a book called “The C programming language”… But I never actually wrote one :)

marcodiego4y ago

I really admire techniques that were used on DOS viruses. Resident viruses that could hide themselves (stealth) and able to use boot as a transmission vector were very advanced. This combined with polymorphic techniques made the virus very resistant, basically reboot resistant.

LocalH4y ago

Amiga viruses (especially earlier ones) had a much easier time of resisting reboot, as they could simply hook the CoolCapture vector to remain running. This was an otherwise officially supported mechanism - Commodore’s own “recoverable ramdisk” (RAD:) hooked CoolCapture to allow the OS to even boot from RAD: (useful on floppy-only, high-RAM systems to enhance system performance by literally diskcopying the boot disk onto RAD:, as it was usually set up to be the exact same size as a floppy, although this could be changed). Popular virus scanners like VirusX and VirusZ quickly became able to detect these hooks and optionally restore the vector to the OS default (which would kill RAD: on the next reboot if one was using it, but as hard drives became more common, fewer people used RAD: in this fashion, so it was less of a problem).

mseepgood4y ago

Back then malware was fun unlike today.

j / k navigate · click thread line to collapse

31 comments

drclau4y ago

jzawodn4y ago

> What I miss the most now is the feeling of everything being new, the possibility for exploration and discovery.

Oh, good... it's not just me. :-)

dblohm74y ago

Me three!

seppel4y ago

> I got something infected with a virus named Romania.856 (I will always remember this name)

mycall4y ago

I understand the modifications part, but why would push/pop counts be mismatched?

2 more replies

lbj4y ago

What a great talk, loved everything about that era.

I thought it was hilarious, but it did have some unintended consequences. Especially because that the IT guy in charge actually believed the message. So, also my last virus.

ivan4th4y ago

TigeriusKirk4y ago

Text of the book here - https://web.archive.org/web/20090420151624/http://vx.netlux....

shantnutiwari4y ago

Interesting.

Of course, there is no "practical" use, but it would be really interesting as a learning excercise.

I often thought of creating a few tutorials about this, but not sure if anyone cares... (or if anyone else has done so).

pjc504y ago

There's precisely zero protection; it behaves a lot more like an embedded system. It might be nice to reuse some of the old tutorials for this, but I'm not sure if that wouldn't be too specific.

buescher4y ago

shantnutiwari4y ago

yeah, but embedded is another beast. Lots of different boards/architectures, plus not all embedded devices use an OS, it's mostly (usually?) bare metal programming

1 more reply

pjmlp4y ago

Just get an Arduino or ESP32 and you can do exactly the same.

peanut_worm4y ago

“danooct1” is a great youtube channel where you can see DOS and 32x viruses in action.

lostgame4y ago

Sorry - ‘32x’ viruses? As in like - SEGA 32x?

That’s a bizarre platform to learn to exploit...

peanut_worm4y ago

oops i mean 32 bit I have been playing too many video games lately lol

bombcar4y ago

I assume they meant 32 bit - I.e, Windows 95 viruses and such.

StanislavPetrov4y ago

bnjf4y ago

for those interested in the polymorphic libraries which became prevalent in the early 90s, I've got a disassembly of MtE at https://github.com/bnjf/mte/

EvanAnderson4y ago

I'll be interested to look at that MtE disassembly in detail. Thanks for doing that work.

If you enjoyed MtE you might enjoy the polymorphic engine from Natas (published in 40Hex[0]). It's not as complex as MtE. It's a bit oddball in that it appends the decryption routine to the payload.

[0] http://cd.textfiles.com/group42/VIRUS/40HEX/40HEX122.HTM

1970-01-014y ago

When John McAfee saw the first PC virus he knew that stopping them was worth something and started McAfee Associates, which later became a bad thing.

https://www.reddit.com/r/netsec/comments/3hr9f0/i_am_john_mc...

Ingon4y ago

marcodiego4y ago

LocalH4y ago

mseepgood4y ago

Back then malware was fun unlike today.

j / k navigate · click thread line to collapse