9
Parzi
69d

I grabbed 30 random DOS malware samples from my collection, rolled via urand over a Python list, and tried to figure out how they work.

Results:

1x zipped EICAR
4x working but effectively useless ("yeah you wiped the first 100 sectors of the drive... but you wrote their prior contents. Literally nothing's changed...")
10x CPU hang
10x crashdump back to DOS
5x crashdump back to DOS but ERRORLEVEL=0 so normal termination despite real errors being given?

Also, make sure SOURCER is disassembling using 486 or Pentium opcodes, or it misses some 286/386 opcodes and will count half the program as data.

Comments
  • 1
    So what was the purpose of this malware? Doesn't seem to give the author any advantage unless he was the local computer repair guy
  • 0
    @matt-jd that's the question yes