35C3: A Deep Dive into DOS Viruses and Pranks

Oh, the hijinks that the early days of the PC revolution allowed. Back in the days when a 20MB hard drive was a big deal and MS-DOS 3.1 ruled over every plain beige PC-clone cobbled together by enthusiasts like myself, it was great fun to “set up” someone else’s machine to do something unexpected. This generally amounted to finding an unattended PC — the rooms of the residence hall where I lived in my undergrad days were a target-rich environment in this regard — and throwing something annoying in the AUTOEXEC.BAT file. Hilarity ensued when the mark next booted the machine and was greeted with something like an inverted display or a faked hard drive formatting. Control-G was good to me too.

So it was with a sense of great nostalgia that I watched [Ben Cartwright-Cox]’s recent 35C3 talk on the anatomy and physiology of viruses from the DOS days. Fair warning to the seasoned reader that temporal distortion is inevitable while watching someone who was born almost a decade after the last meaningful release of MS-DOS discuss its inner workings with such ease. After a great overview of the DOS API elements that were key to getting anything done back then, malware and regular programs alike, he dives into his efforts to mine an archive of old DOS viruses, most of which carried harmless prank payloads. He built tooling to find the viruses that trigger on the system date, then ran them in an x86 emulator of his own design with the emulated clock stepped through every day between 1980 and 2005 to see what fired. He found about 10,000 malware samples and explored their payloads, everything from well-wishes for the New Year to a bizarre foreshadowing of the Navy Seal Copypasta meme.
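The emulation approach works because a date-triggered payload has to ask DOS for the date, and there is essentially one way to do that: INT 21h with AH=2Ah, which hands back the year in CX, the month in DH and the day in DL. As an added illustration (this is the editor’s example, not code from [Ben]’s talk or tooling), here is a static heuristic in Python that looks for that call followed by immediate compares on the returned registers, which is the cheap way to shortlist candidates before spending emulator time on them. The opcode shapes it matches are standard x86 encodings, but the assumption that a trigger check uses exactly those compares is just that, and the three sample blobs are hand-assembled for the example, not real viruses.

```python
"""Static heuristic for date-triggered DOS payloads.

DOS programs learn the date by calling INT 21h with AH=2Ah; on return
CX holds the year, DH the month (1-12), DL the day (1-31) and AL the weekday.
A date-triggered payload therefore tends to look like:

    mov ah, 2Ah      ; B4 2A
    int 21h          ; CD 21
    cmp dh, <month>  ; 80 FE ib
    cmp dl, <day>    ; 80 FA ib
    cmp cx, <year>   ; 81 F9 iw

This scanner matches that byte shape. It is not a disassembler: it can
mis-sync on data bytes, and it misses checks done via other instructions
(e.g. comparing a stored copy of the date later), so treat hits as
candidates to run under an emulator, not as verdicts.
"""

MOV_AH_2A = b"\xB4\x2A"   # mov ah, 2Ah
INT_21 = b"\xCD\x21"      # int 21h

# Immediate compares against the registers the date comes back in.
# (Assumed to be the usual shape of a trigger check; a real sample may differ.)
CMP_PATTERNS = {
    b"\x80\xFE": ("month", 1),  # cmp dh, imm8
    b"\x80\xFA": ("day", 1),    # cmp dl, imm8
    b"\x81\xF9": ("year", 2),   # cmp cx, imm16
}


def _get_date_setup(code, i):
    """Return the length of a 'load AH with 2Ah' instruction at offset i, else 0."""
    if code[i:i + 2] == MOV_AH_2A:
        return 2
    # mov ax, imm16 (B8 iw) with the high byte 2Ah also selects the date call.
    if code[i] == 0xB8 and i + 2 < len(code) and code[i + 2] == 0x2A:
        return 3
    return 0


def find_date_triggers(code, lookahead=24):
    """Return [{'offset': int, 'checks': {'month': m, 'day': d, 'year': y}}, ...]
    for every INT 21h/AH=2Ah call followed by compares on the returned date."""
    findings = []
    i = 0
    while i < len(code) - 1:
        setup_len = _get_date_setup(code, i)
        if not setup_len:
            i += 1
            continue
        # The INT 21h normally follows the register load within a few bytes.
        call_at = code.find(INT_21, i + setup_len, i + setup_len + 4)
        if call_at == -1:
            i += 1
            continue
        checks = {}
        j = call_at + 2
        end = min(len(code), j + lookahead)
        while j < end - 1:
            pat = code[j:j + 2]
            if pat in CMP_PATTERNS:
                field, width = CMP_PATTERNS[pat]
                if j + 2 + width <= len(code):
                    checks[field] = int.from_bytes(code[j + 2:j + 2 + width], "little")
                j += 2 + width
            else:
                j += 1
        findings.append({"offset": i, "checks": checks})
        i = call_at + 2
    return findings


def describe(finding):
    """Render one finding as 'offset 0x0: triggers when month=12 day=25'."""
    checks = " ".join(f"{k}={v}" for k, v in finding["checks"].items())
    return f"offset {finding['offset']:#x}: triggers when {checks or '(no compare found)'}"


# Constructed samples, hand-assembled for this example (none is a real virus).
TRIGGERED = bytes.fromhex(
    "B42A"      # mov ah, 2Ah
    "CD21"      # int 21h
    "80FE0C"    # cmp dh, 12      ; December?
    "7508"      # jne skip
    "80FA19"    # cmp dl, 25      ; the 25th?
    "7503"      # jne skip
    "E90000"    # jmp payload
    "B44CCD21"  # skip: mov ah, 4Ch / int 21h  (exit)
)
BENIGN = bytes.fromhex("BA0001" "B409" "CD21" "B44C" "CD21")              # print string, exit
YEAR_ONLY = bytes.fromhex("B8002A" "CD21" "81F9C707" "7500" "B44C" "CD21")  # cmp cx, 1991

if __name__ == "__main__":
    for name, blob in (("TRIGGERED", TRIGGERED), ("BENIGN", BENIGN), ("YEAR_ONLY", YEAR_ONLY)):
        hits = find_date_triggers(blob)
        print(name, [describe(h) for h in hits] or "no date check")
```

Anything this flags still needs the emulator: the heuristic tells you a sample asked for the date and compared it against a constant, not what happens when the comparison succeeds, and a sample that stashes the date and checks it elsewhere will slip through entirely.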

We found [Ben]’s talk a real treat, and it’s good to see someone from the current generation take such a deep dive into the ways many of us cut our teeth in the computing world.

29 thoughts on “35C3: A Deep Dive into DOS Viruses and Pranks”

  1. I was a Sr. Systems Developer at a large computer company – the person that they gave all of the unsolvable problems, so I got the diagnostic for viruses nobody could track or destroy. Things like code changing itself by re-writing itself because the memory handling had a bug. One of the worst viruses I found delivered a payload under 40 bytes that would format your MBR and backup area, destroying any ability to restore the system, wiping the CMOS area afterwards – so basically it bricked the machine without any traces to follow. Back then they didn’t have the really good utilities to fix this stuff, some drives you needed to format using special utilities, Norton Utilities was about it. We had computer labs with some computers having in-circuit debuggers to track this stuff, using another computer to emulate the processor. A serious tool if you knew how to use it. But mostly, the viruses were fairly non-damaging.

    1. I remember the MBR one from years ago. I can’t recall if Mace Tools existed at that time but I recall having to manually rebuild several MBRs due to that damn code.

      My favorite DOS virus though was the Ambulance Virus. What would happen is that one by one the text on the screen would drop to the bottom line as if falling. Eventually after they all fell, a little ASCII ambulance came across the screen and collected them all leaving you with a blank screen.

      The best post-virus prank though was the “I’m looking at porn!” virus on Windows XP. It was awesome. You’d send the file to someone. They’d run it. For 20 seconds or more it would do NOTHING. Then it would jack up the system volume and play the audio of someone saying “Hey! Hey! I’m lookin at porn over here!” XD

      1. I remember the days of manually fixing the MBR and FATs of early DOS systems.

        I used to poke around DOS with debug to see its inner workings.

        One day my boss (who I often teased) was watching when I was about to fix a system with a MBR virus and I typed fdisk /mbr and he was amazed.

        He asked if I had modified fdisk and I said no, it’s an undocumented switch.

        He asked where you find out about undocumented switches and I told him that you can’t find out about undocumented switches because they’re “undocumented”.

        He stood there beside my bench, still and looking very confused as I walked away.

        I was thinking – Another one to me. :)

        1. Well, if you knew anything about BIOS level stuff, COM/LPT or anything else – you were pretty much a God back then. The mainframe people thought PCs were toys, until they were forced to use them because their departments couldn’t get time on the company mainframe. They pretty much treated anyone who could develop on them like crap. I wrote TSRs for a number of years after switching from CPM/MPM assembly to DOS using Undocumented DOS as a reference for accessing the SDA and other areas, that would have been ’91 I think, but I worked in assembly from ’85 on under DOS. I mean DOS 2.0 was pretty much plagiarized from Digital Research’s version – licensed by Gates, and having a few system calls added (although it might have started at 3.0 – that was a long time ago). And Windows was sort of a joke at that point because the number of applications was small – Windows 2.0 if I remember – it came on like 30 floppies. They had Desqview for multi-tasking at that time as a competitor. Some of the solid platforms? NT 3.51 was solid, anything prior to Windows 2000 pretty much gave you BSD when used very long. But DOS 3.3 was solid. DOS 4.0 was the biggest flop in history – you had to re-format your hard drive and reinstall all the programs. And then they found out it was really incompatible since the SDA area was a different size. Idiots.

          1. I remember my brother and I would avoid a reboot by killing explorer in Win95, forcing it to restart and generally stop wigging out. 98SE was actually fairly solid, remember switching because the game Oni required it. 2000 upgrade same story: multi monitor support in Serious Sam needed 2k/XP.

            Win 3.11 would install on 10 disks iirc, plus 2 for the networking, and one for printer drivers.

          2. Yeah but the Windows 3.1 disks (3.11 being For Workgroups IIRC) were 1.44MB. Windows 2 was presumably 720K. A combination of Microsoft not being able to code for shit, and not yet having bought up half the world to include as part of their “operating system”, means I can see 2 and 3.1 not being that far apart in size.

            That said, I have a ZIP of Windows 2 here somewhere, works in DOSBox or even just in Windows if it’s the right version. Only a shame I can’t be arsed to check.

  2. Quote [ Dan Maloney]: “Back in the days when a 20MB hard drive was a big deal and MS-DOS 3.1 ruled over every plain beige PC-clone”

    That narrows it down to a very specific time. So specific in fact that I think you may have the DOS version wrong.

    The 20MB HDD you mention would have been the Seagate Technology ST-225 20MB MFM HDD that was first made in 1984.

    PC DOS 3.0 was released in August of 1984 and PC DOS 3.1 was released in April 1985.

    I remember converting the ST-225 20MB HDD from MFM to RLL to get 30MB out of the 20MB disk.

    Also, I was stumped for a while when you mentioned Control-G. I just couldn’t remember what this did in DOS. I didn’t get an answer with google and then it dawned on me for a different reason.

    Control-G or BEEP in DOS was from an era long before. Even long prior to computers, Control-G was used by teletype machines to ring the BELL. Control-G then became a part of early teletype standards and then went on to be a part of ANSI terminal standards for terminals like the VT-220.

    Some time a lot later it became part of DOS.

      1. ^ This, precisely.
        I remember the era when the ST-225 and DOS 3.1 were kings: right around 1991 when I bought my first PC for $30 at a yard sale. It was a PC-XT (genuine IBM! Inferior But Marketable…), with a 10 meg full-size hard drive, Hercules monochrome on a green-screen, and a whopping 256K of RAM. Oh, how I envied those guys that had their 20 meg drives and a whole 512K of memory! (Having 640K was just being pretentious) I eventually managed to upgrade that poor machine to 640K before finally upgrading to a blazing fast 386DX-33 in 1993. I ended up running a BBS on that 386 using Desqview because it was my only computer at the time.

    1. It wasn’t warm and fuzzy for me.

      I went to an electronics technology museum that had all pre-computer age stuff.

      I was wandering through being nostalgic and remembering the technology of that era.

      Then that moment happened.

      I looked at the side of a large rack and written there was my name and an office phone number that I had decades before. I used to service that exact piece of equipment.

      I’m sure I aged 30 years in that moment.

  3. When I had just started my first job as a computer programmer, “the guys” installed a hacked copy of command.com that would only traverse and list directories. Every other command was disabled. Such fun!

  4. Ah, the days of fast and easy pranks, like renaming it to command.com, so nobody but you could start the system, and you could say, annoyedly, “Just type in the name, guys! It’s right there!” as you hide the extra keystrokes when you type it in for them. …or using XCOPY to create an empty directory structure for the drive inside a folder, then using SUBST to point the drive letter to that folder so they think that all of their files are gone. Good times!

  5. When I was working in a computer repair center I kept a 5W 1 ohm resistor that was connected to a 4 pin molex socket (5 Volt pins).

    When someone walked away from a computer they were working on, I would put some light machine oil on the more porous side of the resistor and plug it in to a spare power connector in their PC.

    After they returned and powered it up it would work fine but there was soon a burning smell and soon after – smoke.

      1. Similar to what we’d do back in electronics lab; connect carbon resistors to the bench power supplies which would all turn on with the room lights. We’d also sneak a length of aquarium air tubing into a machine from the rear of the bench and when (the mark) worked on it, blew smoke through the air tube.

    1. If you clap your hands together just right you can get a loud high-frequency snapping sound that mimics a short-circuit arc. Do this while a repair tech is working on an electrically live piece of equipment and the following scenario occurs:
      1. Tech leaps backwards.
      2. Tech fails to smell smoke.
      3. Tech turns to software person (me) and says, “That was YOU, wasn’t it!”
      4. Software person gets opprobrium_score += 3.

  6. Circa 1989, an in-law gave me a bunch of bootleg floppies from his trip to Asia. Left a floppy in drive A on the XT. Next reboot, message: “Your PC is now stoned.” It wasn’t too destructive, but did manage to spread itself to any more floppies, as most viruses did.

  7. That reminds me of some command you could use on Win95/98 to overwrite the IRQ table and instantaneously freeze the system. And I had some fun too messing around with autoexec.bat.

    1. How about “Norton Guides” with a TSR popup list of all DOS calls and BIOS calls, along with memory addresses – And you could build your own library add-on with things like your own assembly routines instructions and interface registers. I still have my working copy. They also had a C library and one other that I recall. One of the best products I used back then.

  8. Blinkeys? Caused the caps, num & scroll LEDs to blink. There were other gag TSRs that randomly turned caps on/off or made the system beep or if there was a speaker made fun sounds. RIME and Fido actively discouraged ANSI/other code in taglines for a couple of reasons. Not only was my “Wake Up (BELL)” tagline annoying, ANSI sequences could be used to remap keys/keyboards. Having the F key output “F*CK OFF” on screen when pressed was harmless, but remapping another key to issue a format or del command could make a mess. Now get off my lawn.
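An added example from the editor, not part of the comment above: the key remapping described there is the ANSI.SYS keyboard-redefinition sequence, ESC [ key ; replacement… p, and a Python scanner like the one below is what a sysop or mail tosser would have wanted running over taglines before they hit a user’s console. The terminator byte and the 0;n convention for extended keys (0;59 being F1) are how ANSI.SYS actually behaves; the list of destructive command fragments and the three sample taglines are constructed assumptions for the demo.

```python
"""Detector for ANSI.SYS keyboard-redefinition sequences in text.

ANSI.SYS (the DOS console driver that gave BBS taglines their colours) also
honours ESC [ <key> ; <replacement...> p, which rebinds a key so that pressing
it types the replacement. Key and replacement are decimal character codes or
quoted strings; extended keys such as F1 are written as the pair 0;59, and a
trailing 13 types Enter, so the rebound key executes whatever precedes it.
This is the "ANSI bomb" that BBS networks banned from taglines.
"""

CSI = "\x1b["

# Command fragments that make a rebound key destructive rather than merely
# annoying (assumed list for this example, not exhaustive).
DESTRUCTIVE = ("format", "del ", "deltree", "erase", "fdisk")


def find_sequences(text):
    """Yield (params, final_byte) for every ESC[ sequence in text.

    The scan is quote-aware: ANSI.SYS parameter strings may contain letters,
    which would otherwise be mistaken for the terminating byte."""
    i = 0
    while True:
        start = text.find(CSI, i)
        if start == -1:
            return
        j = start + len(CSI)
        quote = None
        while j < len(text):
            ch = text[j]
            if quote:
                if ch == quote:
                    quote = None
            elif ch in "\"'":
                quote = ch
            elif 0x40 <= ord(ch) <= 0x7E:   # final byte: m, H, J, p, ...
                break
            j += 1
        else:
            return  # truncated sequence at end of text
        yield text[start + len(CSI):j], text[j]
        i = j + 1


def parse_params(params):
    """Split 'a;b;"str"' into [a, b, 'str'] with ints for numeric codes."""
    items, i = [], 0
    while i < len(params):
        ch = params[i]
        if ch in "\"'":
            j = params.find(ch, i + 1)
            if j == -1:
                raise ValueError("unterminated quoted string")
            items.append(params[i + 1:j])
            i = j + 1
        elif ch.isdigit():
            j = i
            while j < len(params) and params[j].isdigit():
                j += 1
            items.append(int(params[i:j]))
            i = j
        elif ch == ";":
            i += 1
        else:
            raise ValueError(f"unexpected {ch!r} in parameters")
    return items


def scan_tagline(text):
    """Return one finding per key redefinition; colour/cursor sequences are ignored."""
    findings = []
    for params, final in find_sequences(text):
        if final != "p":
            continue
        try:
            items = parse_params(params)
        except ValueError:
            continue
        if not items:
            continue
        if items[0] == 0 and len(items) > 1 and isinstance(items[1], int):
            key, rest = (0, items[1]), items[2:]   # extended key, e.g. (0, 59) = F1
        else:
            key, rest = items[0], items[1:]
        replacement = "".join(chr(x) if isinstance(x, int) else x for x in rest)
        findings.append({
            "key": key,
            "replacement": replacement,
            "auto_executes": "\r" in replacement,   # Enter is typed for the victim
            "destructive": any(cmd in replacement.lower() for cmd in DESTRUCTIVE),
        })
    return findings


# Constructed taglines for this example (not real BBS traffic).
SAMPLES = {
    "colour": "\x1b[1;31mWake Up\x1b[0m \x07",                    # bold red + BELL: harmless
    "prank":  "Tagline: \x1b[70;\"F*CK OFF\"p have a nice day",   # rebinds 'F' (code 70)
    "bomb":   "\x1b[0;59;\"echo y|format c: /q\";13p",            # F1 runs a format
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, scan_tagline(line))
```

The quote-aware scan in find_sequences matters more than it looks: a naive regex that stops at the first letter after ESC[ would see the “e” of “echo” as the terminator and classify the bomb as a harmless unknown sequence.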

  9. FOSSIL worms, Fortran and COBOL and QBASIC programming, EasyWriter, DEBUG.COM based tooling, dumping and writing to BIOS, making COM disassembler tooling to look at game DRM and code, early uses of stack smashing (people were using them in piracy before the Phrack articles), hiding stuff outside the partition etc..

    These are my memories from the DOS sessions of the eighties and early nineties..

    1. Cracking game protection by asm tinkering, and dicking with the machine state, including the stack, goes back through the Atari ST and Amiga, to the Spectrum and Commodore. Basically as long as there’s been home computers, or at least since some smarty-pants had the idea “HEY! If we do xxxx, our game will be protected against pirates, AND NOBODY WILL KNOW!”

      There were tools for the 8-bits like Multiface. 95% of their use was just in snapshotting games, to save to a better format than tape, if you had one. But the more advanced ones had 8K RAM on board, hideable from the system, into which you could load a debugger, or for those less smart of us, something to search for certain values in RAM, then continue the game, lose a life, then check those same addresses. Clever stuff with simple hardware, that led to a war that still goes on today, with people using MCUs and FPGAs to hack game consoles.

  10. One of my favorite computer pranks came after the days of DOS. I would take a screen shot of someone’s Windows desktop and set it as their wallpaper. Nothing looked different until you tried to move the icons around. A coworker came to me and said “I’ve got a strange problem with my computer. When I move an icon on the desktop it moves and I can put it in a new place on the screen but there’s still an identical icon where it had been. And I can’t select it or delete it or anything…”
