Viewer-Made Malware 1 – Upsilon (MS-DOS)


Hello, everyone, and welcome to the
very first user-made malware video! Uh, this video is about a virus called
“Upsilon” written by int7bh, and this is actually a full-fledged
MS-DOS virus written in assembly. Uh, it’s not memory-resident, so when
we go ahead and run the file, (TYPE) we’ll infect a random *.com file, and it’s up to us to figure out
which one it just infected. (TYPE) But instead of hunting through each
*.com file looking for file-size increases, we’re looking at our old
friend Graphics.com which, as always, when uninfected
is 19742 bytes long (TYPE) and as we continue running this virus, we’ll
probably trigger one of the random payloads it does, however, we will also eventually infect Graphics.com
which will allow us to check out the virus (GARBLE). (BEEP) There’s the random payload now, when we get
sort of a printout of the binary contents of the file. I’m not sure that’s intentional,
but now we get a message: (READ) So pretty much you need to remember what file you
were just trying to run and the directory it was stored in. (TYPE) So the file we were running was
in the DOS directory, it was Upsilon.com and if we hit [Enter], … (READ) So we’re going to go ahead
and keep running it (TYPE) And hopefully, event–
oh damn it, (BEEP) Hopefully, eventually, we
will infect Graphics.com, (TYPE) so I can show you what happens when
you don’t do this payload with the correct answer. So we were right again, “Carry on.”… (TYPE) No, not infected
yet, so (TYPE) OK, so the virus finally
infected Graphics.com. Now I’m going to continue running it, as I
just was, so I could show you what happens when you fail to answer
the question correctly. (BEEP) That was unfortunate,
it happened right when I ran it. (BEEP) Come on. So if you fail to type the correct directory, or file
name or whatever, you don’t get it exactly right, (TYPE) this virus…just sort of deletes the
file in a way it can’t be recovered, just sort of scrambles it up
and it won’t work anymore, and it will actually hang up
the machine when you run it. So now after we restart and run
Upsilon, it will no longer work. So now it’s deleted the file, what
happens if we try to run it? As you can see,
nothing happens, so instead of going back to the DOS prompt like it originally
did, it just freezes the machine and you have to restart. So any file that is corrupted in this
manner is pretty much unusable. (TYPE) OK, let’s take a look at the next payload
which activates on 21 September of any year, and we don’t actually need the virus file anymore
now that Graphics.com is infected, (TYPE) as when we run Graphics.com
it will run the virus along with it. (BEEP) So we get a message typed
one character at a time, (READ) and…then it prints out the lyrics of “One-Winged Angel”
from “Final Fantasy VIII” and it wasn’t supposed to go
straight to the random payload, but it did anyway so we’re going to restart and
take a look at the message one more time. Hopefully this doesn’t run
the random payload part. OK, there we go…it
just went back to DOS. So we get the message (READ) and the lyrics to “One-Winged
Angel” as stated previously, but now you can actually read it and now it’s
on the screen for more than half a second. Alright, moving right along…Next
payload triggers on 6 December. (TYPE) Go ahead and change the date
and run Graphics.com one more time. So we get a message
on the screen, and… (GARBLE) told me he was trying
to replicate the Poshkill Windows virus where the payload seen in that
rotates the screen to the left. That one does it very quickly as it was on a
faster machine and does it at the driver level. But this, I actually like quite a bit, it shifts every line
on the screen, one character at a time, to the left, and due to the slow processing speed of
the 386 looks kind of cool as it does it. So slowly, it wraps around your screen. And finally, there is one more
payload that activates on Friday, 13. OK, I changed the date to
Friday, 13, and here we go! So we get (READ) and then a “Tourettes Guy” quote, (READ) and that’s pretty accurate as by the time you’ve seen
this message, had the time to read and process it, the virus has pretty much already trashed
your petition table, as we will see. Partition table. Excuse me…
as we boot up the disk. So by this point your
data’s pretty much gone. (BEEP) And there we go. So there’s no longer a boot sector on the hard
disk, and you pretty much lost all your data. So that’s about it for the Upsilon DOS virus, thanks
very much to int7bh for writing this and sending it in. I’m thinking going forward, gonna try to do every
other Friday, make a user-made malware video. Next one will be Windows-based which
I’m sure many of you will enjoy a lot. The Fridays in-between user-made malware videos will be
for the original malware videos that you’ve seen all this time, classic DOS viruses, Windows worms and all that
stuff that came out in the 90s, 80s, and early ’00s. Once we reach February, I’ll upload
a video and we’ll kinda recap what we’ve seen as far as user-made content goes, and
if this is something you’d want to see more in the future, we’ll just kinda play it by ear so… Thank you for watching. If you’d like to submit a file of your own to be featured
in a video please check out the links in the description. (CC BY Cana Alberona: Reviews by BlazieDragon, RubberXConcrete and others)

and that’s pretty much it. Thank you for watching!