Over the weekend a number of news organizations ran with short stories on the Malware Museum at the Internet archive, a listing of some old MS-DOS computer viruses that came with visual or audio effects. The hook is you can now view these old programs without endangering yourself.
True, but only in a sideways manner. MS-DOS viruses were 16-bit. They don’t run on modern systems. And even when you are free to download them (working DOS and boot sector virus code is still archived widely around the web), your browser will stop you first (Chrome in particular), Windows Defender second, and your installed anti-virus program, third.
So what’s been done at the Internet archive is the piping of the screen effects of some old computer viruses, shown by old MS-DOS programs made to do just that and run in DOSBox, a set of programs that allows you to run old 16-bit PC programs on a variety of modern platforms. (Mostly, DOSBox was made so you could play old and obsolete games.)
Getting down to the nitty-gritty, the programs on-line at the Malware Museum were typically made by anti-virus researchers. The resulting screen displays make much of it clear. Often what was done was a surgical removal of the display code, or an emasculation of those parts of the virus responsible for replication and the destructive part of the payload, rendering the code inert.
What is and was lost in most of the short pieces on the matter is that the old PC viruses with visual or sonic activations did not give you the entertainment all the time, or sometimes even very frequently. They were set to various triggers, date or time counts. The reason for that, generally speaking, was simple.
The virus that gave itself away with a performance trick was a virus that was going to be removed.
In the early Nineties I wrote a file virus called Acme. It searched out .exe files on your hard disk and copied itself beside them, taking their name, except as a .com program, taking advantage of the DOS operating system rule that when the name of a program was given, the operating system would load the .com version of it in preference to the .exe. This guaranteed Acme would execute before the file it was a mimic for.
When Acme could find no more programs to infect it would play a few musical notes in an endless loop. This guaranteed it was always discovered. And, eventually, I got a call from some kid who had infected the family’s PC, which would now do nothing but play music. The virus was easy to take off a system without harm once you knew what it was.
All the programs at the Malware Museum date from the very late-Eighties and early Nineties. The displays are from file-infecting viruses and boot sector viruses, the latter which were the most easily and widely spread. The reason again was simple: Vectors. Vectors, another word designating how diseases, real world, or digital, are spread.
With old PCs, one vector was shared disks and diskettes. A virus that infected the first sector on them stood the best chance of being spread around. Another vector was infected program files. But infected programs, or utilities, apps they’re called today, were only effective in spreading computer disease if they came in contaminated packages or shareware, the latter of which was largely distributed online, often through networks connected by telephone lines.
So when an old virus infected diskette or floppy was left in your PC overnight until you turned it on the next morning, the first thing that happened was that your hard disk was infected. And after that, every subsequent data disk put in the machine was contaminated and able to spread the program.
One story on the Malware Museum reads:
The good news is that you can peruse a pretty sizable collection in the Malware Museum now without worrying that they’ll wreck your machine. Like the night-forgotten PC games it has collected over the years, the malware plays within browsers. To a point, they’re even somewhat interactive …
Like The Next Web notes, some of them are even kind of gorgeous in their own spartan way now that they’ve been pacified.
The last part’s stretching it.
And the graphic chosen shows one of the displays, clearly labeled as a virus demonstrator.
Now comes the good part, personal history.
And one of the issues of the old newsletter delivered a set of programs called Urnst’s Scareware. It was a set of four of the common virus displays, sans all the crap that warned users they were just virus simulators.
Urnst’s Scareware is still available on the net. And the programs are labeled as computer viruses, although they are not.
If you try to download the file your browser will get in the way. Danger! Danger!
Even if you bypass the warnings, Chrome will snatch the download away from you, forcing you to call up its downloads “history” and “recover” the file. At which point it plaintively asks if you want to get hurt, “plenty.”
Even if you say yes, Windows Defender will then take the download off you.
And then you must call up Defender and turn it off for a minute. (This, in and of itself, is a bit amusing if you know the history of anti-virus and Microsoft. When Urnst’s Scareware was distributed Microsoft Anti-virus was about the worst anti-virus program, ever. It was a sort of crippled version of a program offered by Central Point, a company that was bought and killed by Symantec in the mid-Nineties. Today, however, Microsoft is very much better at anti-virus. Windows Defender is actually good.)
However, you can also view what Urnst’s Scareware did here. Auf Deutsch.
On display, the effects for the Den Zuk boot virus, the Ping Pong and Cascade viruses. Not included, the Jerusalem virus payload mimic, which instigated a minor system slowdown and a slight disruption of the old ASCII screen with a small empty patch.
Finally, the reason why I made Urnst’s Scareware. So you could scare people without hurting them! Not all of the programs in the Crypt Newsletter were quite so benign.
So you think you’re pretty hot stuff when it comes to tech, huh?