Tuts 4 You

Malware Sample analysis, MS-DOS



Analyzing an MS-DOS malware (possibly). Is it possible to get more information on this malware, as I have not been able to decipher its actual effects and features? Findings: not a PE file, nor an executable or DLL, and possibly some form of Cascade virus.

Info: it will be marked by Windows Defender as a Trojan. Unpack the malware in a sandbox to carry out testing; it is recommended NOT to unpack it on your actual systems.


Edited by Nexusburst

That is a COM file, the very common file format back in the old DOS days. :) It doesn't have any headers; execution starts from the very beginning of the file.

It really is infected with the Cascade 1701 virus, but I can't determine the exact strain.
Cascade was a file-infecting virus, appending its code to the end of an infected file. You can read a short description here: https://wiw.org/~meta/vsum/view.php?vir=266

The closest *useful* source code I could find is this: https://github.com/guitmz/virii/blob/master/0-9/1704.asm - it is not an exact match (Cascade 1704) but is very well commented. It should get you started.
Other source codes (e.g. https://github.com/guitmz/virii/blob/master/0-9/1701.asm or https://github.com/guitmz/virii/blob/master/0-9/1701-b.asm) are pretty much useless.

As for the analysis environment - the IDA disassembler works fine if you set it to disassemble as 16-bit code. DOSBox works well as the sandbox for debugging purposes.
Unfortunately I can't recommend any particular debugger; everything from the DOS days feels extremely user-unfriendly. Pick whatever feels right to you.

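The answer above gives the two facts a static triage needs: a COM file has no header and starts executing at its first byte, and Cascade appends its body to the end of the host. The script below is an added example, not code from this thread or from the linked repositories; it checks a file for that appending layout (a patched entry JMP landing on a tail of known length). It assumes the strain names (1701/1704) give the number of bytes appended, and the sample inputs are constructed, with NOP filler standing in for the virus body.

```python
import struct
from typing import Optional

COM_LOAD_OFFSET = 0x100                    # a .COM image is loaded at CS:0100h, right after the PSP
COM_MAX_SIZE = 0x10000 - COM_LOAD_OFFSET   # rough upper bound: one 64 KiB segment minus the PSP
CASCADE_1701_LEN = 1701                    # assumption: strain names give the number of bytes appended

# Constructed clean host: mov ah,9 / mov dx,010Ch / int 21h / mov ax,4C00h / int 21h / "Hello$"
CLEAN_SAMPLE = bytes.fromhex("B409BA0C01CD21B8004CCD21") + b"Hello$"


def make_infected_sample(host: bytes, body_len: int = CASCADE_1701_LEN) -> bytes:
    """Constructed, inert mock of the appending layout: the host's first three bytes
    become a near JMP to a filler body glued on at the end (NOPs, no real virus code)."""
    return b"\xE9" + struct.pack("<h", len(host) - 3) + host[3:] + b"\x90" * body_len


def analyze_com(image: bytes, expected_growth: Optional[int] = None) -> dict:
    """Static triage of a DOS .COM image for an appending infection.

    Heuristic only: a clean program may legitimately start with a JMP, so
    'looks_appended' without a matching 'growth_matches' is just a lead.
    """
    r = {
        "size": len(image),
        "has_mz_header": image[:2] in (b"MZ", b"ZM"),   # then it is an EXE/PE, not a COM file
        "fits_com_size": 0 < len(image) <= COM_MAX_SIZE,
        "entry_is_jmp": False, "jmp_target_offset": None, "jmp_target_address": None,
        "tail_length": None, "growth_matches": None, "looks_appended": False,
    }
    if r["has_mz_header"] or len(image) < 3 or image[0] != 0xE9:
        return r
    r["entry_is_jmp"] = True
    # E9 rel16: near JMP, target = offset of the next instruction (3) + signed displacement
    target = 3 + struct.unpack_from("<h", image, 1)[0]
    r["jmp_target_offset"] = target
    if not 0 <= target < len(image):
        return r                                  # target outside the file: truncated or corrupt
    tail = len(image) - target
    r["jmp_target_address"] = COM_LOAD_OFFSET + target
    r["tail_length"] = tail
    if expected_growth is not None:
        r["growth_matches"] = (tail == expected_growth)
    # Appended-virus shape: forward JMP past the overwritten entry onto a tail whose
    # length matches a known strain (or any forward JMP when no length is supplied).
    r["looks_appended"] = target > 3 and r["growth_matches"] is not False
    return r


if __name__ == "__main__":
    for name, img in (("clean", CLEAN_SAMPLE), ("mock-infected", make_infected_sample(CLEAN_SAMPLE))):
        print(name, analyze_com(img, expected_growth=CASCADE_1701_LEN))
```

Running it on the constructed pair reports no entry JMP for the clean host and, for the mock, a JMP to offset 18 (address 0x112) with a 1701-byte tail. On a real sample, compare the tail length against the strains named in the thread before trusting the verdict.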
