Jump to content

Malware Sample analysis, MS-DOS


Nexusburst

Recommended Posts

Nexusburst

Analyzing a MS-DOS malware (Possibly). Is it possible if I can get more information on this malware as I have not been able to decipher the actual effects and features of the malware ? Findings: Not a PE file, nor an executable or DLL and possibly some form of cascade virus.

Info:  will be marked by windows defender as a Trojan, Unpack the malware in a sandbox to carry out testings, recommended to NOT unpack in your actual systems.

MS-DOS_Malware.zip

Edited by Nexusburst
Link to comment

That is COM file, the very common file format back in the old DOS days. :) It doesn't have any headers, execution starts from the very beginning of file.

It really is infected with Cascade 1701 virus, but I can't determine the exact strain.
Cascade was a file-infecting virus, appending its code to the end of an infected file. You can read short description here: https://wiw.org/~meta/vsum/view.php?vir=266

The closest *useful* source code I could find is this: https://github.com/guitmz/virii/blob/master/0-9/1704.asm - it is not the exact match (Cascade 1704) but is very well commented. It should get you started.
Other source codes (eg. https://github.com/guitmz/virii/blob/master/0-9/1701.asm or https://github.com/guitmz/virii/blob/master/0-9/1701-b.asm) are pretty much useless.

As for analysis environment - IDA disassembler works fine, if you set it to disassemble as 16 bit code. DOSBOX works well as the sandbox for debugging purposes.
Unfortunately I can't recommend any particular debugger, everything from the DOS days feels extremely user unfriendly. Pick whatever feels right to you.

  • Like 2
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...