Aravinth.S.

Cascade Virus History



The Cascade virus was a resident computer virus written in assembler that was widespread in the 1980s and early 1990s. It infected COM files and had the effect of making text on the screen fall down and form a heap at the bottom of the screen. It was notable for using an encryption algorithm to avoid being detected. However, one could see that the size of infected files had increased by 1701 or 1704 bytes. In response, IBM developed its own anti-virus software.
It first appeared on the MS-DOS system in the late 1980s.


ALIAS: BlackJack, Falling Letters
SIZE: 1701 or 1704
TYPE: Resident COM-files
REPAIR: Yes


Type: File virus
Date Discovered: 1987.10.01
Place of Origin: Switzerland, Germany?
Source Language: Assembly
Platform: DOS
File Type(s): .com
Infection Length: 1,701 bytes

Summary

The Cascade virus was one of the most common viruses during the early 1990s. Nowadays it is almost extinct.

Additional Details

Cascade is often not detected, because it produces no obvious effects. In the original version, the virus contained code that was set to "go off" between Oct. 1 and Dec. 31, 1988, shortly after an infected program was run. The effect is actually quite amusing: the characters on the screen fall down and end in a heap at the bottom.
There is a bug in some versions of the virus: it seems that the author intended the virus to infect all computers except those from IBM. However, it did not work as planned, and the virus would also infect "true" IBM machines.

VARIANT: Cascade-17Y4
This variant, which is reported to have originated in Yugoslavia, is almost identical to the most common 1704 byte variant. One byte has been changed, probably due to a random "mutation". This, however, has resulted in a "bug" in the virus. Another mutated variant is also known; it infects the same file over and over.
VARIANT: YAP
Here two instructions in the decryption routine have been switched, which does not affect the operation of the virus, and seems to be done to prevent detection by some particular scanner.
VARIANT: Jo-Jo
This is basically a patched, non-encrypted variant of the Cascade virus. It is reported to have originated in Barcelona or Israel. It contains a check for the IBM copyright message at address F000:E008, just like Cascade. The virus contains two text strings:

                       Welcome to the JOJO virus.


                       Fuck the system (c) - 1990

VARIANT: Formiche
This variant is much longer than the others, over 6000 bytes. It has not yet been analyzed.
VARIANT: Cascade.1701.K
At the end of August, yet another new variant of the old Cascade virus was found in Oslo, Norway. This new variant was found in two different companies at almost the same time.
All in all, the Cascade family has approximately forty known members. The new virus infects COM files when they are executed. The virus is not markedly different from the original Cascade.

Although the new variant bears a close resemblance to the original virus, it is clearly different in one way: it never displays its activation routine, the dropping of letters to the bottom of the screen. It is, therefore, more difficult to notice. Other than that, the differences between the original virus and the new variant are minuscule - the creator of the new virus has probably used the original source code, but a different assembler.
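
The file-size indicator from the introduction (growth of 1701 or 1704 bytes) and the mutated variant that infects the same file repeatedly can both be checked against a stored size baseline. The following is an added example, not code from the original post; the manifest format, file names, sizes and the `MAX_ROUNDS` cap are constructed assumptions, and treating repeated infection as growth by a whole multiple of the infection length is an inference from the description above.

```python
INFECTION_LENGTHS = (1701, 1704)  # growth values stated on this page
MAX_ROUNDS = 8                    # assumption: cap on repeated infections checked

def parse_manifest(text):
    """Parse 'NAME SIZE' lines (a constructed format) into {NAME: size}."""
    sizes = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        name, size = line.rsplit(None, 1)
        sizes[name.upper()] = int(size)
    return sizes

def match_growth(delta):
    """Return (length, rounds) if delta is 1..MAX_ROUNDS multiples of a known length."""
    for length in INFECTION_LENGTHS:
        rounds, rest = divmod(delta, length)
        if rest == 0 and 1 <= rounds <= MAX_ROUNDS:
            return length, rounds
    return None

def suspicious_com_files(baseline, current):
    """Compare two manifests; list .COM files whose growth fits the pattern."""
    findings = []
    for name, old in sorted(baseline.items()):
        if not name.endswith(".COM") or name not in current:
            continue  # the page says only COM files are infected
        hit = match_growth(current[name] - old)
        if hit:
            findings.append((name, old, current[name]) + hit)
    return findings

# Constructed sample manifests (file names and sizes are made up).
BASELINE = """\
COMMAND.COM 25307
FORMAT.COM 11616
MORE.COM 313
EDIT.EXE 41000
"""
CURRENT = """\
COMMAND.COM 27008
FORMAT.COM 16728
MORE.COM 313
EDIT.EXE 42701
"""

if __name__ == "__main__":
    for name, old, new, length, rounds in suspicious_com_files(
            parse_manifest(BASELINE), parse_manifest(CURRENT)):
        print(f"{name}: {old} -> {new} bytes (+{length} x {rounds})")
```

A matching size change is an indicator to investigate, not proof of infection. Variants whose lengths differ (such as Formiche, described above as over 6000 bytes) will not match this check.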


