My modern disassemblies of paleolithic (DOS-era) malware!
CC-BY-SA-4.0 License
WARNING!: This project is on hold! Reverse engineering DOS malware is fun, but it's very time consuming, and I can't dedicate time to it now.
Palware: Paleolithic Malware disassemblies!
This repository contains my disassemblies of DOS viruses.
(For younger readers: "DOS" was the dominant consumer operating system of the 80s and early 90s.)
No.
There are several reasons:
Reverse engineering is a thrilling activity (at least for people interested in low-level programming), as it's an investigative type of work that slowly unfolds.
Malware - at least, the more sophisticated subset of it - is a creative, ingenious, wide-ranging, and sometimes impressive product.
Moreover, reverse engineering is a mentally demanding activity, due to requiring continuous and complete attention; depending on one's interests, this can be simply pleasant, or productive, or both.
In reverse order of completion:
Virus.DOS.BadBoy.1000.a: memory-resident COM-infector
Virus.DOS.LoveChild.488: unremarkable memory-resident COM-infector
Virus.DOS.Tiny.163.a: unremarkable memory-resident COM-infector
Virus.Boot.Stoned.March6.t: unremarkable variant of Stoned
Virus.Boot.Stoned.a: unremarkable boot infector
Virus.DOS.November17.855.a: unremarkable, but competently written, memory-resident COM/EXE infector
The virus sources are mainly the VX Heaven collection and Open Malware.
The binaries are disassembled with IDA Pro, converted to a NASM-compatible format (via vx_convert_ida_to_nasm.rb), and then statically analyzed.
Before the first research session, the disassembly is assembled back into a "reference" binary, whose purpose is to make sure that no errors are introduced while researching, in particular in the conversion of numbers to identifiers/operations.
The vx_compare.sh script assembles the disassembly, performs a binary comparison against the reference file, and then visualizes the differences, if any are found.
The original file can't be used as the reference, because the assembler introduces (functionally irrelevant) differences due to the different opcodes that can encode the same instruction, e.g.:
(33FF) xor di,di <> (31FF) xor di,di
The reference file already has such changes introduced, so comparing against it will not show them.
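The byte-level comparison step described above, as an added illustration that is not the project's vx_compare.sh: it takes the reference binary and the freshly assembled bytes (the caller is assumed to have already run NASM; no assembler is invoked here), reports every differing offset, and flags the differences that are only the alternate encodings mentioned above (the opcode pair OP r/m16,r16 / OP r16,r/m16 with a register-register ModRM), so that a real regression in the disassembly stands out from assembler noise. The sample byte strings are constructed for the example.

```python
"""Compare an assembled disassembly against a reference binary, byte by byte.

Added example (not the project's own script).  The caller supplies the two
byte strings; nothing here invokes NASM or IDA.
"""
from dataclasses import dataclass

# Opcodes of the form OP r/m16,r16 whose OP r16,r/m16 twin is opcode + 2:
# add/or/adc/sbb/and/sub/xor/cmp/mov.  With mod == 11 (register-register)
# the two forms encode the same instruction when reg and rm are swapped,
# e.g. 33 FF and 31 FF are both "xor di,di", 89 C3 and 8B D8 are both "mov bx,ax".
SWAPPABLE_OPCODES = {0x01, 0x09, 0x11, 0x19, 0x21, 0x29, 0x31, 0x39, 0x89}


@dataclass
class Diff:
    offset: int
    reference: bytes   # bytes at this offset in the reference binary
    assembled: bytes   # bytes at this offset in the freshly assembled binary
    harmless: bool     # True if this is only an alternate encoding of the same instruction


def _swap_modrm(modrm: int) -> int:
    """Swap the reg and rm fields of a ModRM byte, keeping the mod bits."""
    return (modrm & 0xC0) | ((modrm & 7) << 3) | ((modrm >> 3) & 7)


def _is_alternate_encoding(ref: bytes, asm: bytes, i: int) -> bool:
    """True when ref[i:i+2] and asm[i:i+2] are the two encodings of one reg,reg instruction."""
    if i + 1 >= len(ref) or i + 1 >= len(asm):
        return False
    lo, hi = sorted((ref[i], asm[i]))
    if lo not in SWAPPABLE_OPCODES or hi != lo + 2:
        return False
    m_ref, m_asm = ref[i + 1], asm[i + 1]
    # Only the register-register form (mod == 11) is direction-symmetric.
    return (m_ref & 0xC0) == 0xC0 and m_asm == _swap_modrm(m_ref)


def compare(reference: bytes, assembled: bytes) -> list[Diff]:
    """Return every differing region; harmless encoding swaps are two-byte regions."""
    diffs: list[Diff] = []
    i, n = 0, max(len(reference), len(assembled))
    while i < n:
        r = reference[i] if i < len(reference) else None
        a = assembled[i] if i < len(assembled) else None
        if r == a:
            i += 1
            continue
        if _is_alternate_encoding(reference, assembled, i):
            diffs.append(Diff(i, reference[i:i + 2], assembled[i:i + 2], True))
            i += 2
        else:
            # Includes length mismatches: the missing side is reported as b''.
            diffs.append(Diff(i, reference[i:i + 1], assembled[i:i + 1], False))
            i += 1
    return diffs


def summarize(diffs: list[Diff]) -> tuple[int, int]:
    """(harmless count, real count)."""
    harmless = sum(1 for d in diffs if d.harmless)
    return harmless, len(diffs) - harmless


def report(diffs: list[Diff]) -> list[str]:
    """Human-readable lines, one per differing region."""
    return [
        f"{d.offset:06X}: ref {d.reference.hex().upper() or '--':<4} "
        f"asm {d.assembled.hex().upper() or '--':<4} "
        f"{'encoding only' if d.harmless else 'MISMATCH'}"
        for d in diffs
    ]


if __name__ == "__main__":
    # Constructed sample: xor di,di / mov ax,1234h / mov bx,ax / int 21h
    ref = bytes.fromhex("33FF B83412 89C3 CD21")
    ok = bytes.fromhex("31FF B83412 8BD8 CD21")   # same code, other encodings
    bad = bytes.fromhex("31FF B83412 8BD8 CD20")  # int 21h became int 20h
    for name, candidate in (("ok", ok), ("bad", bad)):
        d = compare(ref, candidate)
        print(name, summarize(d))
        print("\n".join(report(d)))
```

A clean run of the reference against itself yields no diffs; against the assembler's re-encoding of the same source it yields only "encoding only" lines, and any "MISMATCH" line points at an offset where the edited disassembly no longer matches the original code.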
List of potentially interesting viruses, in order of complexity: