When learning about viruses it is best to start out with the simplest examples and understand them well. Such viruses are not only easy to understand . . . they also present the least risk of escape, so you can experiment with them without the fear of roasting your company’s network. Given this basic foundation, we can build fancier varieties which employ advanced techniques and replicate much better.
In the world of DOS viruses, the simplest and least threatening is the non-resident COM file infector. This type of virus infects only COM program files, which are just straight 80x86 machine code. They contain no data structures for the operating system to interpret (unlike EXE files), just code. The very simplicity of a COM file makes it easy to infect with a virus. Likewise, non-resident viruses leave no code in memory which goes on working after the host program (which the virus is attached to) is done working. That means as long as you’re sitting at the DOS prompt, you’re safe. The virus isn’t off somewhere doing something behind your back. Now be aware that when I say a non-resident COM infector is simple and non-threatening, I mean that in terms of its ability to reproduce and escape. There are some very nasty non-resident COM infectors floating around in the underground. They are nasty because they contain nasty logic bombs, though, and not because they take the art of virus programming to new highs. There are three major types of COM infecting viruses. They are called:
1. Overwriting viruses
2. Companion viruses
3. Parasitic viruses
If you can understand these three simple types of viruses, you will already understand the majority of viruses being written today. Most of them are one of these three types and nothing more. Before we dig into how the simplest of these viruses, the overwriting virus, works, let’s take an in-depth look at how a COM program works. It is essential to understand what it is you’re attacking if you’re going to do it properly.
COM Program Operation
When one enters the name of a program at the DOS prompt, DOS begins looking for files with that name and an extension of “COM”. If it finds one it will load the file into memory and execute it. Otherwise DOS will look for files with the same name and an extension of “EXE” to load and execute. If no EXE file is found, the operating system will finally look for a file with the extension “BAT” to execute. Failing all three of these possibilities, DOS will display the error message “Bad command or file name.”
EXE and COM files are directly executable by the Central Processing Unit. Of these two types of program files, COM files are much simpler. They have a predefined segment format which is built into the structure of DOS, while EXE files are designed to handle a segment format defined by the programmer, typical of very large and complicated programs. The COM file is a direct binary image of what should be put into memory and executed by the CPU, but an EXE file is not.
To execute a COM file, DOS does some preparatory work, loads the program into memory, and then gives the program control. Up until the time when the program receives control, DOS is the program executing, and it is manipulating the program as if it were data. To understand this whole process, let’s take a look at the operation of a simple non-viral COM program which is the assembly language equivalent of hello.c, that infamous little program used in every introductory C programming course. Here it is:
        .model tiny
        .code
        ORG     100H
HOST:
        mov     ah,9            ;prepare to display a message
        mov     dx,OFFSET HI    ;address of message
        int     21H             ;display it with DOS
        mov     ax,4C00H        ;prepare to terminate program
        int     21H             ;and terminate with DOS
HI      DB      'You have just released a virus! Have a nice day!$'
        END     HOST
Call it HOST.ASM. It will assemble to HOST.COM. This program will serve us well in this chapter, because we’ll use it as a host for virus infections.
Now, when you type “HOST” at the DOS prompt, the first thing DOS does is reserve memory for this program to live in. To understand how a COM program uses memory, it is useful to remember that COM programs are really a relic of the days of CP/M—an old disk operating system used by earlier microcomputers that used 8080 or Z80 processors. In those days, the processor could only address 64 kilobytes of memory and that was it. When MS-DOS and PC-DOS came along, CP/M was very popular. There were thousands of programs—many shareware—for CP/M and practically none for any other processor or operating system (excepting the Apple II). So both the 8088 and MS-DOS were designed to make porting the old CP/M programs as easy as possible. The 8088-based COM program is the end result.
In the 8088 microprocessor, all registers are 16 bit registers. A 16 bit register will only allow one to address 64 kilobytes of memory, just like the 8080 and Z80. If you want to use more memory, you need more bits to address it. The 8088 can address up to one megabyte of memory using a process known as segmentation. It uses two registers to create a physical memory address that is 20 bits long instead of just 16. Such a register pair consists of a segment register, which contains the most significant bits of the address, and an offset register, which contains the least significant bits. The segment register points to a 16 byte block of memory, and the offset register tells how many bytes to add to the start of the 16 byte block to locate the desired byte in memory. For example, if the ds register is set to 1275 Hex and the bx register is set to 457 Hex, then the physical 20 bit address of the byte ds:[bx] is
1275H x 10H = 12750H
+ 457H
—————
12BA7H
The 8088 has four segment registers, cs, ds, ss and es, which stand for Code Segment, Data Segment, Stack Segment, and Extra Segment, respectively. They each serve different purposes. The cs register specifies the 64K segment where the actual program instructions which are executed by the CPU are located. The Data Segment is used to specify a segment to put the program’s data in, and the Stack Segment specifies where the program’s stack is located. The es register is available as an extra segment register for the programmer’s use. It might be used to point to the video memory segment, for writing data directly to video, or to the segment 40H where the BIOS stores crucial low-level configuration information about the computer.
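To make the loading sequence described under “COM Program Operation” and the segment arithmetic above concrete, here is a small C model. It is added here for illustration and is not code from the book: it hand-assembles HOST.COM from the listing above, places a PSP at the start of segment 1275H with the file image at offset 100H, the way DOS does for a COM file, and then interprets just the five instruction encodings HOST.ASM uses. The PSP is reduced to the INT 20H stub at its first two bytes, and the function names (phys, load_com, run_com, demo) are this example’s own. The physical address it computes for ds:[bx] is the 1275H:457H case worked above.

```c
/* Added example, not code from the book: a toy model of how DOS runs the
 * HOST.COM program above.  It reproduces what the text describes (PSP at the
 * start of a segment, raw image copied to offset 100h, CS=DS=SS=ES set to that
 * segment, control given to 100h) and interprets only the five instruction
 * encodings HOST.ASM uses.  Everything else about real DOS is left out. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x100000u            /* 8088: 20 address lines = 1 MB    */
static uint8_t mem[MEM_SIZE];         /* the whole address space, zeroed  */
static char    con_out[256];          /* what INT 21h/AH=9 "displayed"    */

/* 20-bit physical address of seg:off, the ds:[bx] arithmetic in the text.
 * The mask reproduces the 8088's wraparound: FFFF:0010 addresses 00000. */
uint32_t phys(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg * 16u + off) & 0xFFFFFu;
}

static uint8_t rd(uint16_t seg, uint16_t off) { return mem[phys(seg, off)]; }

/* HOST.COM hand-assembled from HOST.ASM.  Because of ORG 100H the assembler
 * resolved OFFSET HI to 010Ch: twelve bytes of code follow offset 100h. */
static const uint8_t host_code[] = {
    0xB4, 0x09,                       /* mov ah,9        */
    0xBA, 0x0C, 0x01,                 /* mov dx,010Ch    */
    0xCD, 0x21,                       /* int 21h         */
    0xB8, 0x00, 0x4C,                 /* mov ax,4C00h    */
    0xCD, 0x21                        /* int 21h         */
};
static const char host_msg[] = "You have just released a virus! Have a nice day!$";

/* Model of the DOS loader: 256-byte PSP at seg:0000 (only the INT 20h stub
 * at offset 0 is filled in here), file image at seg:0100.  Returns the entry
 * offset, or 0 if the image does not fit in the 64K segment after the PSP. */
uint16_t load_com(uint16_t seg, const uint8_t *image, size_t len)
{
    if (len > 0x10000u - 0x100u) return 0;      /* larger than one segment */
    if (phys(seg, 0) + 0x10000u > MEM_SIZE) return 0;
    uint8_t *base = mem + phys(seg, 0);
    memset(base, 0, 0x100);
    base[0] = 0xCD; base[1] = 0x20;             /* PSP+0: INT 20h          */
    memcpy(base + 0x100, image, len);
    return 0x100;
}

/* Fetch-execute loop.  All registers are 16 bits, as on the 8088.  Returns the
 * return code passed to INT 21h/AH=4Ch, or -1 on an opcode this toy lacks. */
int run_com(uint16_t seg)
{
    uint16_t cs = seg, ds = seg, ip = 0x100, ax = 0, dx = 0;
    con_out[0] = '\0';
    for (;;) {
        uint8_t op = rd(cs, ip), b1 = rd(cs, ip + 1), b2 = rd(cs, ip + 2);
        switch (op) {
        case 0xB4: ax = (ax & 0xFF) | (uint16_t)(b1 << 8); ip += 2; break; /* mov ah,imm8  */
        case 0xB8: ax = b1 | (uint16_t)(b2 << 8);          ip += 3; break; /* mov ax,imm16 */
        case 0xBA: dx = b1 | (uint16_t)(b2 << 8);          ip += 3; break; /* mov dx,imm16 */
        case 0xCD:                                                          /* int imm8     */
            if (b1 != 0x21) return -1;
            ip += 2;
            if ((ax >> 8) == 0x09) {              /* display '$'-terminated string at DS:DX */
                size_t n = 0;
                while (n < sizeof con_out - 1 && rd(ds, dx + n) != '$') {
                    con_out[n] = (char)rd(ds, dx + n);
                    n++;
                }
                con_out[n] = '\0';
            } else if ((ax >> 8) == 0x4C) {       /* terminate, AL = return code */
                return ax & 0xFF;
            } else {
                return -1;
            }
            break;
        default:
            return -1;
        }
    }
}

/* Load HOST.COM at segment 1275h (the segment value the text uses) and run it;
 * returns the text the program displayed, or NULL on failure. */
const char *demo(void)
{
    uint8_t image[sizeof host_code + sizeof host_msg - 1];
    memcpy(image, host_code, sizeof host_code);
    memcpy(image + sizeof host_code, host_msg, sizeof host_msg - 1);
    if (load_com(0x1275, image, sizeof image) != 0x100) return NULL;
    if (run_com(0x1275) != 0) return NULL;
    return con_out;
}

int main(void)
{
    const char *out = demo();
    printf("%s\n", out ? out : "(failed)");
    printf("1275:0457 -> %05Xh\n", phys(0x1275, 0x0457));
    return 0;
}
```

Running it prints the HOST message followed by 12BA7h. The point to notice is why ORG 100H matters: the assembler resolved OFFSET HI to 10CH, and that is only correct because DOS copies the file to offset 100H behind the PSP; a loader that put the image at offset 0 would leave dx pointing 256 bytes past the string. The same seg*16+off arithmetic also means many segment:offset pairs name one byte (1275H:0457H and 12BAH:0007H are both 12BA7H), which is what lets a virus reach its host's bytes through whatever segment register happens to be convenient.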
Saturday, November 7, 2009
The Simplest COM Infector
4:27 PM
Karthikh Venkat