Virus.Win32.HLLP.Toadie

  • Published: 27 Aug 2024
  • / danooct1
    sorry if I seem a little scatterbrained throughout this video - this virus threw tons of curveballs at me and by the time I got done recording it I was more than ready to be finished. the file I never ended up finding was a log file that the virus keeps of every file and its directory listing that it infects.
    This is also my first time using RUclips's auto generated captions to form the basis of the subtitles - if you don't like the way it's structured, or the flow, or anything else, please let me know. I went through them all and added proper punctuation and my personal flair, but it might not be as good as some of the older videos. Feedback is appreciated.

Comments • 212

  • @itsthesola10
    @itsthesola10 1 year ago +386

    I believe the PE/COFF format is a superset of MZ-DOS, and does not contain any code that specifically checks for Windows.
    COFF executables start with an MZ-DOS stub, followed by a magic number then valid DOS code that prints "nope" then exits. When Windows opens a COFF executable, it reads the magic number and immediately skips ahead to the _real_ entry point. At no point does the program itself make any sort of "check" that it is running on Windows.
    This allows for hybrid executables such as REGEDIT to exist, where both the MZ and COFF sections contain a complete program, not unlike Universal (PPC/x86_64) and Universal 2 (x86_64/AArch64) programs under Darwin.
    In the case of Toadie, I'd love to load an infected executable through Cutter, but I'm pretty sure it overwrites the MZ section and the COFF magic number, with an MZ program that manually performs a protected call into the COFF entry point, presumably after running a malicious payload in MZ mode.
    In other words, Toadie is not really a Win32 virus. It is an MS-DOS virus capable of identifying and hooking into Win32 COFF executables non-destructively.

    • @danooct1
      @danooct1  1 year ago +186

      You're 100% correct - this is actually classified as a DOS virus by Kaspersky, but I figured with me running it on Windows the "true" name may be a bit too confusing. Your knowledge and powers of deduction are very impressive and frankly a little frightening. Great comment.

    • @cameronbosch1213
      @cameronbosch1213 1 year ago +38

      Wow. I have to agree with Dan here. This virus author must have been an above average programmer, as despite the issues, that would explain why the programs still worked on Windows, but in MS-DOS or DOS mode, they took forever to run.
      The parallels to Apple's Universal binaries are quite outstanding and frankly, quite freaky.

    • @PhirePhlame
      @PhirePhlame 1 year ago +15

      Amazingly enough, that's still true even for the most modern games. I just tested it in DOSBox, and sure enough Sonic Frontiers spits out the old "DOS mode" message and terminates.

    • @TH-vo6hv
      @TH-vo6hv 1 year ago +2

      Can someone ELI5?

    • @rm_steele
      @rm_steele 1 year ago +9

      @@TH-vo6hv some exe files use the start of their code to tell Windows where the actual code is, but old DOS computers get different code that either works as DOS compatible code or tells the program to spit out a message and then exits.
      The section concerning the virus went a bit over my head, but I believe the poster was saying that they think the virus will overwrite this code that weeds out DOS computers with a way to make it go to the Windows code automatically, regardless of it being in code that DOS isn't made to handle
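
As an added example of the MZ/e_lfanew split the first comment and the ELI5 reply describe (and of the replaceable DOS stub mentioned further down the thread), here is a small Python header walker; it is not code from the video or from Toadie. It reports what DOS sees and what Windows follows, then applies a triage heuristic a defender might run over a directory of EXEs; the sample images, the stand-in stub bytes and the 512-byte cut-off are constructed/assumed.

```python
import struct

# Text the default Microsoft linker stub prints when a PE is started under DOS.
DOS_MODE_MSG = b"This program cannot be run in DOS mode."

# Constructed stand-in for that stub: 14 bytes of 16-bit code (print the
# message via INT 21h/AH=09h, then exit via AH=4Ch) followed by the message.
STANDARD_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                 + DOS_MODE_MSG + b"\r\r\n$")


def inspect_header(data: bytes) -> dict:
    """Report what DOS sees (the MZ header) and what Windows follows (e_lfanew)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"kind": "not-mz"}
    # IMAGE_DOS_HEADER: DOS starts the MZ program at e_cs:e_ip (offsets 0x16/0x14) ...
    e_ip, e_cs = struct.unpack_from("<HH", data, 0x14)
    # ... while Windows reads e_lfanew (0x3C) and jumps straight to the new header.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info = {"dos_entry": f"{e_cs:04X}:{e_ip:04X}", "e_lfanew": e_lfanew}
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        info["kind"] = "dos-only"          # nothing valid to skip ahead to
        return info
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        stub = data[0x40:e_lfanew]         # bytes between DOS header and PE signature
        info.update(kind="pe", stub_size=len(stub),
                    stub_has_dos_mode_msg=DOS_MODE_MSG in stub)
    elif sig[:2] in (b"NE", b"LE", b"LX"):
        info["kind"] = "ne-le-lx"          # Win16 / VxD / OS/2 "new executable" formats
    else:
        info["kind"] = "dos-only"          # e_lfanew is just DOS header garbage here
    return info


def triage(info: dict, max_stub: int = 512) -> str:
    """Heuristic label for a first pass over a directory of EXEs.

    A PE whose stub is large or lacks the usual message is either a genuine
    hybrid (a REGEDIT-style DOS+Win32 program, or a custom stub via the
    linker's /STUB option) or a file whose MZ side was modified after linking.
    Either way it deserves a second look; the 512-byte cut-off is assumed.
    """
    if info["kind"] != "pe":
        return info["kind"]
    if info["stub_has_dos_mode_msg"] and info["stub_size"] <= max_stub:
        return "pe-standard-stub"
    if info["stub_size"] > max_stub:
        return "pe-large-custom-stub"
    return "pe-custom-stub"


def build_sample(stub: bytes, with_pe: bool = True) -> bytes:
    """Construct a minimal image: 64-byte DOS header, stub, optional PE signature."""
    e_lfanew = 0x40 + len(stub) if with_pe else 0
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<H", header, 0x08, 4)         # e_cparhdr: header is 4 paragraphs
    struct.pack_into("<I", header, 0x3C, e_lfanew)  # e_lfanew (0 for a plain DOS EXE)
    image = bytes(header) + stub
    if with_pe:
        # "PE\0\0" + Machine=0x014C (i386) + rest of IMAGE_FILE_HEADER zeroed
        image += b"PE\0\0" + b"\x4c\x01" + bytes(18)
    return image


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # real files given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, triage(inspect_header(fh.read())))
    else:                                 # otherwise walk the constructed samples
        for name, img in (("standard", build_sample(STANDARD_STUB)),
                          ("dos-only", build_sample(STANDARD_STUB, with_pe=False)),
                          ("big-stub", build_sample(b"\x90" * 4096))):
            print(name, triage(inspect_header(img)))
```

On real MSVC-built files the span between the stub and the PE signature also holds the Rich header, so stub_size runs somewhat over the stub code itself.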

  • @Toxoid49b
    @Toxoid49b 1 year ago +865

    One of the main things I've gathered from watching your videos over the years is that pointing a camera at your monitor seems to be a valid substitute for an antivirus considering how it seems to cause malware to stop working correctly

    • @malwaretestingfan
      @malwaretestingfan 1 year ago +53

      Murphy's law, it seems.

    • @cameronbosch1213
      @cameronbosch1213 1 year ago +32

      We've seen that many times on Dan's channel! Good for most users, horrible for Dan! ☹️

    • @FriedNoodlee
      @FriedNoodlee 1 year ago +2

      Ha! Nice

    • @dithercat
      @dithercat 1 year ago +1

      selling my new solution based on this principle, QuantSafe(R) Anti-Virus, A Name You Can Trust(TM)

    • @sagebrushrepair
      @sagebrushrepair 1 year ago +7

      I love how personal this comment is. Poor Danooct1. I like you just fine, even if malware does not.

  • @proletarianrise10
    @proletarianrise10 1 year ago +180

    "It only makes your PC miserable to use." This part resonates quite well with a buggy experience, for truly it is often worse to have a PC or OS that barely works, making its use living hell. Sometimes, if it cannot work anymore, death is a better alternative; that way it doesn't frustrate you every time you have to use it.

    • @chupathingy5862
      @chupathingy5862 1 year ago +12

      Just had a flashback to my deeply broken windows xp computer where explorer would crash for like ten minutes at a time.

    • @proletarianrise10
      @proletarianrise10 1 year ago +7

      @@chupathingy5862 Heh, I can imagine the pain. I still remember my old days of using XP and Vista, they could be such a pain sometimes, the experience was so different a decade ago. It was also "fun" getting random viruses infecting core .dlls, causing all sorts of weird issues.

  • @spendle
    @spendle 1 year ago +16

    8:07 "Fool me once, I'm mad. Fool me twice, how could you. Fool me three times, you're officially that guy..." - JonTron

  • @R1PCH41N_FR3NZY
    @R1PCH41N_FR3NZY 1 year ago +89

    "It's about this point that my eyes begin glazing over and my mind becomes one with the Toadie virus, rendering it useless"
    dan is clearly having fun with subtitles and I'm all here for it

  • @thishandle.wasnttaken
    @thishandle.wasnttaken 1 year ago +117

    The video length and the virus' ability to throw you off its path for however long is honestly more reminiscent of meltingscreen.

    • @moelester7527
      @moelester7527 1 year ago +7

      Especially if he has to run a bunch of exe files for the virus to take effect.

    • @peachymunmagenta
      @peachymunmagenta 1 year ago +23

      The struggle to get the virus to activate… classic Danooct1 video.

    • @Kurzov
      @Kurzov 9 months ago

      Memories

  • @pvc988
    @pvc988 1 year ago +47

    Every Windows program is secretly a DOS program too, even today. Usually, it just prints a message and quits. But it doesn't have to be like that.

    • @cyberparrot
      @cyberparrot 1 year ago +25

      Opened Photoshop 2022's EXE in a text editor for shits and giggles and the "This program cannot be run in DOS mode." message was present near the beginning of the file. Whack.

    • @malwaretestingfan
      @malwaretestingfan 1 year ago +14

      The DOS stub is a separate program in its own right; nevertheless, it can be replaced with another stub through a special linker option.

  • @IrisGalaxis
    @IrisGalaxis 1 year ago +65

    ARP and REGEDIT are valid EXEs for both Windows and DOS mode, so that's why it's not a problem for them, ARP just opens the DOS version of itself instead of the Windows one, just like REGEDIT

  • @NotThatSalty
    @NotThatSalty 1 year ago +23

    a new danooct1 video is the best birthday gift i could've ever asked for. thank you

  • @ItzTerraYT
    @ItzTerraYT 1 year ago +35

    Almost 20 minutes?!
    What did we do to deserve THIS prize!

  • @exaltedb
    @exaltedb 1 year ago +44

    Always glad to have a 20-minute long danooct1 video

  • @glitchyglyphva
    @glitchyglyphva 1 year ago +52

    This was a super weird virus! Definitely wasn't expecting it to get to the Kernel so quick!
    Thank you Dan for pushing through the setbacks, and thank you for the work you put into these!

    • @malwaretestingfan
      @malwaretestingfan 1 year ago +3

      @@explorer9049 True, thanks for the informative comment.

    • @glitchyglyphva
      @glitchyglyphva 1 year ago +1

      @@explorer9049 Thank you for the info! Truly doing great work out here :D

  • @SpessWarlock
    @SpessWarlock 1 year ago +16

    Seeing "REGEDIT - HUHIUEH" was so sudden and funny that I almost dropped my drink. It's just for a frame but that's suspicious, lol

    • @choppergunner8650
      @choppergunner8650 1 year ago +5

      Yeah. The virus outputs all of those weird garbled text on the title bar, but the first one really seems like the virus somehow became self-conscious and started laughing maniacally as it destroys your PC.

  • @Kilgamesh
    @Kilgamesh 1 year ago +11

    Your videos have the most pleasant subtitles, your effort is greatly appreciated. Your voice is also very soothing.

  • @Povilaz
    @Povilaz 1 year ago +24

    I can't believe that Toadie literally toasted the computer LMAO

  • @letcreate123
    @letcreate123 1 year ago +7

    When the virus does its job so well it completely bricks the kernel, now that I've never seen happen in a danooct video before LOL

  • @thedarkdragon89
    @thedarkdragon89 1 year ago +13

    I have been subscribed to you for a very long time. Every video is great and done in that old style that I enjoy. Thanks for the years of entertainment and here's to many more!
    Also, I've seen the kernel error before, it's so rare. I got it by randomly deleting registry entries.

  • @maiyannah
    @maiyannah 1 year ago +14

    Two Danooct1 videos! It really is the Christmas season!
    Always love the videos when they drop man.

  • @WishMakers
    @WishMakers 1 year ago +16

    This virus was...a trip, to say the least. Possibly one of the most weird sets of payloads, intentional or otherwise, that have shown up in your videos

  • @cyberparrot
    @cyberparrot 1 year ago +5

    I don't have any interesting technical insight to contribute, but I just wanna say that you and your videos are seriously appreciated. I've always been ecstatic whenever you upload.

  • @justinhamilton8647
    @justinhamilton8647 1 year ago +6

    0:48 Cause I’m the Taskman, yeahhh I’m the taskman 🎶

    • @cameronbosch1213
      @cameronbosch1213 1 year ago +1

      *I'm the task man! I check tasks!*

    • @VreyIsGrey
      @VreyIsGrey 1 year ago +2

      Don't ask me what I want it for
      _Ha haaa, Mr. Bill Gates_
      If you don't want to pay some more
      _Ha haaa, Mr. Jobs_

  • @RabidOrphan
    @RabidOrphan 1 year ago +8

    It's so nice to see you still continuing to make videos on viruses even now. I used to be so fascinated with all your videos many years ago. I remember watching you and some other guy with a Zapdos pfp for a lot of virus content back then (no idea what his channel was called anymore). You and other virus channels really made my childhood and figure out pretty young to avoid getting viruses, while also making me a bit scared of using computers lol

    • @GaomonAndLucario
      @GaomonAndLucario 1 year ago +7

      The guy you're thinking of is rogueamp! You can always just search NavaShield if you forget his name, and he'll be the top result!

    • @RabidOrphan
      @RabidOrphan 1 year ago +2

      @@GaomonAndLucario Thank you so much!

  • @HowPettyful
    @HowPettyful 1 year ago +5

    My mind is blown by the captions explaining each hardware and software sound. Thank you for doing this still after all these years

  • @SLZeroArrow
    @SLZeroArrow 1 year ago +7

    You're much more active again! I always love your humor in these videos, keep em coming!

  • @chris.8078
    @chris.8078 1 year ago +2

    I LOVE That you're still doing these things man, I remember you talking like 9 years ago and showing off trojans and viruses. You're admirable.

  • @gogogagagugu2134
    @gogogagagugu2134 1 year ago +1

    wake up babe new monthly danooct1 content drop

  • @nikossamsung10
    @nikossamsung10 1 year ago +1

    It's always a good Friday when danooct1 uploads!

  • @Aidy
    @Aidy 1 year ago +3

    It's not a danooct video if the virus doesn't work on the first try. So glad to see you back, though!

  • @sugarbydesign
    @sugarbydesign 1 year ago +3

    your anger is immeasurable yet my day is fulfilled

  • @crepechan
    @crepechan 1 year ago +2

    BABE WAKE UP NEW DANOOCT1 VIDEO JUST DROPPED

  • @cameronbosch1213
    @cameronbosch1213 1 year ago +2

    2:25 The rush of nostalgia from that boot-up sound!

  • @EmperorJulesLStirling
    @EmperorJulesLStirling 1 year ago +2

    Welcome back, Dan. I'm so excited to listen to you again.

  • @CarBitGTSaxen
    @CarBitGTSaxen 8 months ago +1

    "It's always good to thoroughly infect your machine whenever possible"
    -Dan

  • @malwaretestingfan
    @malwaretestingfan 1 year ago +2

    I did not expect this upload, how incredible.

  • @Crazy-Games
    @Crazy-Games 1 year ago +4

    If you think about why the kernel got infected so quick, it makes sense.
    He rebooted in MS-DOS, which wasn't a full reboot.
    Therefore he booted into the KERNEL of Windows, which didn't kill any other applications that can run in DOS, and since the virus changes applications from Windows into DOS applications, the virus itself has DOS code.

  • @hoshizoralone
    @hoshizoralone 1 year ago +1

    thank you danooct1 for another fantastic vid where the virus operates exactly as planned

  • @Vuusteri
    @Vuusteri 1 year ago +1

    The unpredictability of these videos triggers the anxiety these viruses caused when you didn't know what was going on with your computer. Luckily you cannot get an infection via RUclips video, so it's only a simulation.

  • @aznxknight
    @aznxknight 1 year ago +2

    5:05 "It's always good to thoroughly infect your machine whenever possible"
    LMAO

  • @Trail_Lentil
    @Trail_Lentil 1 year ago +1

    Another Danooct1 video this year?? Amazing gift.

  • @GarryStrait
    @GarryStrait 1 year ago +2

    danooct's VMs in a nutshell:
    "Oh, what a beautiful day, fresh install and... Oh f***, not this shit again. Yet another round of viruses."

    • @cameronbosch1213
      @cameronbosch1213 1 year ago +1

      This one isn't a VM though. This is the Gateway PC he used in some of his other videos, both recently and in the Magister & CIH revisited videos (the BIOS wasn't killed in either of those latter two videos).

  • @l9day
    @l9day 1 year ago +1

    I like the extra flavour found in the closed captions.

  • @lunazhere
    @lunazhere 1 year ago +3

    Danooct, you're the best. You're the reason I became interested in cybersecurity and malware.
    If it weren't for your videos piquing my interest, I wouldn't have the career path I have today. Thank you so much.

  • @aurathedraak7909
    @aurathedraak7909 1 year ago +4

    Should start a new series of old anti viruses that can fight old malware and such.

  • @sudsy9011
    @sudsy9011 1 year ago +3

    I actually enjoy the dead-air moments, adds to the depth of the video, keep them more often if possible :P I'm sure it will make editing a bit more relaxing as well

  • @kernelbug2294
    @kernelbug2294 1 year ago +2

    Thank you for capturing the real PC rather than VM, it's way more introducing!

  • @slipk0rvayne17
    @slipk0rvayne17 1 year ago +1

    good to have you back lol. loading the kernel

  • @-GameHacKeR-
    @-GameHacKeR- 1 year ago

    i'm glad to see you're back, especially with a longer video

  • @modeco80
    @modeco80 1 year ago +1

    Weird. If the VXHeaven archive is correct, Toadie.6810 isn't just "corrupt", it's not even Toadie (or an MS-DOS executable, for that matter)! It's some part of a (mIRC?) script which tries to DCC a file from the Windows directory to everyone upon joining a channel. (I'd post it, but even though it's literally just some random script fragment I'd still feel kinda dirty, so yeah)
    You can also see this when you're looking at the 6810 ""binary"" at about 0:28 as the size is only 142 bytes, far from the claimed 6810.

  • @JohnSmith-xq1pz
    @JohnSmith-xq1pz 1 year ago +2

    Yeah a new virus video!!
    That seek test never gets old 😍

  • @bigcorgi
    @bigcorgi 1 year ago

    Good to see you're still uploading, great stuff as always

  • @1doobiedoo
    @1doobiedoo 1 year ago

    These videos are better than ASMR to me.

  • @WickerBasket9
    @WickerBasket9 1 year ago +1

    When a virus is so good that it kills Windows in a Dan video. It's amazing.

  • @ryannorthup3148
    @ryannorthup3148 1 year ago +2

    I got disappointed to hear the Gateway seek test instead of the Packard Bell seek test. But oh well, still a cool video! Nice job, Dan!

  • @andresbravo2003
    @andresbravo2003 1 year ago +2

    Pascal? Never heard of it. I still keep enjoying on your videos even this keeps going. Never give up Dan!

    • @malwaretestingfan
      @malwaretestingfan 1 year ago +2

      It's an old programming language developed by Niklaus Wirth as a quite verbose alternative to ALGOL, it was later popularized by the Delphi IDE and it still goes strong thanks to the Free Pascal project.

    • @xirate7091
      @xirate7091 1 year ago

      Me, being 26, I started with some pascal programs when I was like 13-14, so 12 years ago it was somewhat relevant :v

    • @cameronbosch1213
      @cameronbosch1213 1 year ago +1

      @@malwaretestingfan It was originally meant for teaching programming, but apart from Toadie, it really failed to be useful outside of that.

    • @malwaretestingfan
      @malwaretestingfan 1 year ago

      @@cameronbosch1213 Failed to be useful? Pascal is still a useful language for developing software. The TIOBE Index ranks Delphi/Object Pascal at the 17th place by programming language popularity.

    • @cameronbosch1213
      @cameronbosch1213 1 year ago

      @@malwaretestingfan Still, I think Java, Python, C/C++, & Rust are still better to know than Pascal.

  • @Flametix
    @Flametix 1 year ago

    I think the pace of the auto generated subtitles is good. The big difference to me from the manual captions is that it usually splits up the sentences into 2 lines for each caption instead of being all on one line and spills over between sentences often as they're said out loud, but it's still fine to read. I want to mention 8:01 though for a specific instance where I personally feel like the quoted message should be all together instead of leaving the last word "mode" to the next set of captions.

  • @chudite
    @chudite 1 year ago +1

    Glad to see a new video! Welcome back! :)

  • @scooynilo
    @scooynilo 1 year ago

    missed ya man. keep up the great work

  • @TheCRTProductions
    @TheCRTProductions 1 year ago +2

    I like the George Bush reference especially considering I could see him getting his computer infected with something like this back in the day.

  • @mudy951
    @mudy951 1 year ago +2

    Do you manually reinstall Windows every time you make a video?
    Just take an image (a dump of all the partitions) of a fresh install, and when you want to reinstall, connect the drive into your computer using an external HDD enclosure and re-image it.

  • @FoxerTails
    @FoxerTails 1 year ago +3

    Would the original Toadie virus have that warning message when launching or was that added in by a software analyst?

  • @Smoresissekc
    @Smoresissekc 1 year ago +1

    big fan for a couple years glad you’re still doing these:)

  • @KOMEOyt
    @KOMEOyt 1 year ago +1

    19 minutes of content, thank you

  • @Bigyarnball
    @Bigyarnball 1 year ago

    Good to see you back Dan. Hope you’re alright

  • @MisterPancake778
    @MisterPancake778 1 year ago

    BABE WAKE UP NEW DANOOCT JUST DROPPED

  • @thecooldude9999
    @thecooldude9999 1 year ago

    Lol that dubya quote. Dan, you’re a true Texan.

  • @Drbeckerproductions
    @Drbeckerproductions 1 year ago +5

    Hey Danoct, just in case you didn't know, you can save a lot of time by installing Windows onto a CF Card instead of a traditional hard drive. That way you can clone the contents of a fresh Windows install and copy them over for each new video, that way you don't have to keep going through the windows setup process.

    • @lolman123401
      @lolman123401 1 year ago

      As if Norton ghost never existed

  • @viceroybolt3518
    @viceroybolt3518 1 year ago

    The W reference 8 minutes in was beautiful

  • @nirosolis485
    @nirosolis485 1 year ago +1

    8:07 nice impression of GWB there

  • @Angiekins
    @Angiekins 1 year ago

    sir, thank you for the malware knowledge over the years, but sir can i pls say that your voice is so calming

  • @joser7514
    @joser7514 7 months ago

    I tried running this one on a Windows XP 32 bit virtual machine a while ago, and it somehow worked, but barely. It seems to infect some files in the current directory and executing those shows the command prompt with the weird title and removes their icon, but seconds later they seem to get restored (they regain their icon and original size, and no longer launch the command prompt). Only one file got permanently infected (chrome.exe, yeah, Google Chrome), and the payloads shown in the video worked, but just for that file. Still it amazes me that it can run on a NT based system, because I believe most DOS/Windows 9x viruses like CIH don't work on NT versions of Windows.

  • @Amad3uz
    @Amad3uz 1 year ago +2

    Seek test is like music to my ears. Good to have a new video, thank you!

  • @fruitjuice_
    @fruitjuice_ 1 year ago

    The auto-generated subtitles work pretty well 👍

  • @Rabagosh
    @Rabagosh 1 year ago +1

    2:25 Good old days :(

  • @crashcooper9144
    @crashcooper9144 1 year ago

    Return of the King

  • @GeekyShdhfhdjdjdj
    @GeekyShdhfhdjdjdj 1 year ago +1

    14 years later and he still doesn’t use a screen recorder

  • @youtube.commentator
    @youtube.commentator 1 year ago

    Love these, thanks for continuing to upload

  • @TeraunceFoaloke
    @TeraunceFoaloke 1 year ago

    It must be Christmas! Dan released a second video!

  • @Maks7594
    @Maks7594 1 year ago

    no way, bro's alive

  • @ikillomega
    @ikillomega 1 year ago +1

    Toadie: The virus SO powerful, it infects your RUclips videos 20+ years after its creation!

  • @hexagonist23
    @hexagonist23 1 year ago +1

    Year 2022 and Windows still hides file extensions by default.

  • @_-_--_
    @_-_--_ 1 year ago +1

    awesome video, appreciate the captions :P

  • @e1m1j
    @e1m1j 1 year ago +1

    Slightly weird the amount of steps you have to go through to get this into your system. What kind of person would infect their computer with this? IRC you said is a vector but I can't imagine many people back in the day would get this going unless a kid was playing around with the executables or something to that effect. I remember renaming Doom95.exe as a kid and I got a smack for that.

  • @Nico93
    @Nico93 1 year ago +1

    do you also play normal games on the machines outside of doing a virus thing?

  • @midnight5142
    @midnight5142 1 year ago

    He has once again risen

  • @cassandras8797
    @cassandras8797 1 year ago

    bushism a little past 8:00 is highly appreciated

  • @DerpySwag
    @DerpySwag 1 year ago

    another banger from danooct1 ty bro

  • @Z2r
    @Z2r 1 year ago +2

    new danooct (real)

  • @justaguy7263
    @justaguy7263 1 year ago +1

    yay i'm your favourite viewer :D
    you told that in the subtitles
    also great video buddy!

  • @tomrow32
    @tomrow32 4 months ago

    I wonder what this might do on Wine or an NT system.

  • @megumicarrot
    @megumicarrot 1 year ago +1

    my oshi just posted omg

  • @Mario583a
    @Mario583a 1 year ago +1

    Danooct1: Toadie
    Actuality: Poisonous.Toadie

  • @agardastro8779
    @agardastro8779 1 year ago +1

    it's back

  • @raidhhi2217
    @raidhhi2217 6 months ago

    It wasn't written in Pascal. It was written in ASIC V5 and Assembler in tasm, but later versions in nasm. And that box has nothing to do with Toadie. You might be wondering how I know this about it? Well, you did a video on my virus. I can answer any questions you have about it if you'd like me to do so.

  • @walkiacid9265
    @walkiacid9265 10 days ago

    you have some beef with.. certain viruses..
    i have a fun challenge, what's the earliest video that dan has shown beef with the virus?

  • @blackace69
    @blackace69 1 year ago +1

    This man is like a santa

  • @serraramayfield9230
    @serraramayfield9230 1 year ago +1

    What the hell happened to Rogueamp? He last posted in 2017.

  • @vancedtestjrp1918
    @vancedtestjrp1918 1 year ago +1

    How does danooct1 get a virus file?
    I want to try the virus through VMware

    • @cameronbosch1213
      @cameronbosch1213 1 year ago +2

      He gets it from specialized sites. I won't say exactly where unless he's okay with it (he probably isn't, so I won't).
      Malware isn't a joke though; while many older pieces of malware won't really work in newer versions of 64 bit Windows, you probably shouldn't be playing Russian Roulette with your host.

    • @VreyIsGrey
      @VreyIsGrey 1 year ago +1

      @@cameronbosch1213 Especially considering a select few pieces of modern malware can sometimes slip through the cracks and have an effect on the host system

    • @cameronbosch1213
      @cameronbosch1213 1 year ago +1

      @@VreyIsGrey Most older ones won't work or work as intended, but yeah, some of the newer NT ones can still cause issues, so I would avoid testing malware unless you're okay with regular backups to avoid serious data loss.

  • @alexanderlewis8351
    @alexanderlewis8351 1 year ago

    LOL I am sure many will not appreciate your Bush quote.

  • @liquidmobius
    @liquidmobius 1 year ago

    I like that you often run these different malwares on original hardware, but I'm curious as to why you don't use a VM or Qubes?

    • @GaomonAndLucario
      @GaomonAndLucario 1 year ago

      Because most of these malware wouldn't really get anywhere today, especially those of the DOS caliber. They pose generally no harm to modern, NT systems.

  • @SoldiesBC
    @SoldiesBC 1 year ago

    Surprised there's still viruses to be documented.