Virus.DOS/Win.Gram


Hello everyone, did you miss me? It’s been a while, so today, we’re taking a look at an interesting virus that affects both MS-DOS and Windows 9x. It’s called Gram, and before we run it, we have a few dummy files to take a look at here. We can see that we have some .exe files, notably Paintbrush, Notepad, and Calculator. They are all present and work. And we also have a couple of MS-DOS .exes, Mem and Power. Both don’t really work, since they are meant for MS-DOS 6.22. But they’re here anyway, to prove a point. We also have Command.com, which brings up our Command Prompt when we’re running Windows 98, and this all works as intended. At least for now. Close out of this.

And now we can go ahead and run Gram. And Gram is interesting, because when we run it, it has now infected every .com file that it can find, and we’ve run it from the C:\Windows\System directory, but it also activates recursively, so it moves up a directory to C:\Windows and then to the root C:\ directory and affects everything it can find in all of those directories. It’s supposed to also infect .exes. However, Mem still works fine and all of our Windows executables are also fine. So it doesn’t really manage to infect DOS executables, and it certainly does not infect Windows executables.

But we can’t forget the .com files. So, if we check command.com now, it no longer runs properly. “This program requires more conventional memory. Unload drivers or memory-resident programs that use conventional memory, or increase the value for Minimum Conventional Memory in the program’s Memory properties sheet.” That doesn’t sound good. At this point Gram has pretty much totally ruined your install of Windows and you’ll need to replace Command.com and Win.com.

But there’s one other payload that we can check out that nobody’s probably ever actually seen in the wild. If Gram happens to be run on the 15th of any month, we get a nice little graphical payload. And when we run Gram, we get the “Serialkiller PresentNs The Virus: Gram Reaper” “greetings” “to all Codebrekaer Members Serialkiller (CB ’98)”. And this just goes away when we hit Enter, and now if you look in our root C:\ directory, all of our .exe files have been deleted. They are permanently gone, and we cannot recover them. Bummer.

An interesting side effect of Command.com being overwritten is that if we shut down and try to restart in MS-DOS mode, it just boots to “Windows is now restarting…” and eventually… we simply reboot directly back into Windows. And can continue working normally as we would any other workday, school day or what have you. Programs still work fine. This install is totally OK. Until we hit restart. When we restart normally, our computer no longer boots up correctly. We see that our Command Interpreter is indeed corrupted, and we cannot continue to load Windows. You know, I thought the third time might be the charm, but apparently it’s still broken.

And that is about it for the Gram virus. I suppose you could pretty strongly consider this just a DOS virus, but it seems to work pretty well on Windows as well. It still infected files, well, I mean it breaks them entirely, but that counts as infecting in some cases, and it didn’t just totally crap out, despite the fact that we were running it on Windows 98. So that is about it, thank you very much for watching. Thanks for your patience as I’m actually starting a new job next week, so that’s exciting! And hopefully won’t take out too much time for making videos as I transition in my career. So once again, thank you for watching. Take care.