421 reads

Virus.DOS.Kuku: Recreating MS-DOS Malware in Python.

by Matěj SmyčkaJanuary 15th, 2024

Too Long; Didn't Read

The original KUKU virus was written in TURBO-BASIC, which is even more painful to read than regular assembly. Kuku means in multiple Slav languages something like "I gotch you" The source code can be found in the VX Underground malware collection.

featured image - Virus.DOS.Kuku: Recreating MS-DOS Malware in Python.

Welcome, hackers. This article documents how I recreated old malware named Kuku in Python.

Python? Who makes malware in Python? Yes, there are a few, but here, Python is absolutely justified because the purpose of this virus is to annoy the victim, not to be efficient or fast.

Intro-rant

I came across this 10-year-old YouTube video where malware from 1991 is shown. At that time, malware was as funny and annoying as it should be. Nowadays, cyberspace is packed with profit-driven spyware and ransomware, with little room for trolling. Malware is not what it used to be, and capitalism is to blame.

Disclaimer

It's crucial to emphasize that the intention behind this guide is purely educational, and I do not endorse malware development for malicious purposes. With that out of the way, let's dive into our almost-educational retro maldev guide.

The original Kuku!

The video shows Eastern European malware on MS-DOS that randomly overwrites files and displays more and more colored KUKU! Popups, this is a bit destructive, but more than that, it's totally annoying.

Cuckoo

As for the name, “kuku” or “ку-ку“ means something like "I gotch you" in multiple Slav languages. It is also the sound a cuckoo makes

You can view the original source code in the VX Underground malware collection. However, it was written in TURBO-BASIC, which is even more painful to read than regular assembly.

See this snippet:

data"n$=string$(8,63)+chr$(46)+chr$(66)+chr$(65)+chr$(83):dim dta%(32),find%(32)
data"for a%=0% to 32%:dta%(a%)=0:next
data"for z=0 to len(n$)-2 step 2:find%(z/2)=asc(mid$(n$,z+2,1))*256+asc(mid$(n$,z+1,1)):next
data"reg 1,&h1A00:reg 8,varseg(dta%(0)):reg 4,varptr(dta%(0)):call interrupt &h21
data"reg 1,&h4e00:reg 3,attr:reg 8,varseg(find%(0)):reg 4,varptr(find%(0)):call interrupt &h21
data"if reg(1)<>0 then p$=string$(15,255):goto findfirstfile1
data"for a=0 to 32:h=dta%(a) and 255:p$=p$+chr$(h):l=(dta%(a)-h)/&h100 and 255:p$=p$+chr$(l):next
data"findfirstfile1:
data"dta$=p$:f$=mid$(dta$,&h1f,13):if f$=string$(len(f$),255) then
data"for J=1 to 1500:Sound Rnd(1)*(1500-j)+40,.01:NEXT:delay(2)
data"screen 1:def seg=&Hb800:for a=0 to 16384:poke a,rnd(1)*255:next:exit sub
data"end if

More about VX Underground here:

https://vx-underground.org/

Maldev guide

Recreation

This pseudo-nostalgia (I was not born) has inspired me to recreate the KUKU virus on modern operating systems. I chose Python, a solid language for rapid development. At the same time, it is inherently cross-platform because scripts are cross-platform. Unfortunately, this is not true for the Python interpreter.

Portability

Malware can't rely on the victim having Python installed, so I used the PyInstaller library, which wraps the script, libraries, and interpreter into one binary. Unfortunately, PyInstaller does not support cross-compilation, so it must be compiled on the OS and architecture on which the malware will be used.

GUI

For the GUI, I used the Tkinter library; thanks to that, I avoided using the low-level GUI API, and I can use the high-level call, which works on both Windows and Linux. Options like disabling the toolbox and header tab did come in handy. These made my program look more like the original virus.

Result

Python script is compiled into two binaries (elf and exe), which behave the same as the original virus. It's not the fastest implementation; other languages would probably be better. But the speed with which I created this malware is unmatched. Python can be written in a blazingly fast pace.

This was a fun insertion into the past. I look forward to trying this malware on some victims (work colleagues). Praise the cyberbullying.