There are three types of COM file infector viruses:
When a command is typed into DOS it first checks to see if the command is an internal command (Not a file, but a command that is within the COMMAND.COM program, ex. DIR) if not it then looks for a program with a COM extension. If it fails to find one it will then search for one with a .EXE extension. Again if it fails it will look for a .BAT extension in that order. If none are found it returns with the error message: Bad command or filename.
A Simple Assembly program (HELPME.ASM):
mov ah, 9 ; Function call to display a message
mov dx, OFFSET MSG ; Address of the string to disply
int 21h ; Displays it.
; Function to quit with error code 0
int 21h ; Quits
MSG db 'I am an innocent host program and not a virus.$'
To compile this program with tasm issue the following commands:
(Creates an OBJ file)
tlink /t HELPME.OBJ (Creates a COM file)
This program is a simple little program that just displays a string (MSG) and exits. A function has a HEX number assigned to it depending on it's roles. Example: 9 is display a string and 4C is exit to DOS. These values are put into the AX register which can be broken down into two smaller registers, AH and AL. You then call an interupt to execute the function for DOS: this is mainly INT 21h. This program can be compiled with either MASM or TASM (or some other 3rd party assembler). Once compiled you will have a small COM file, HELPME.COM. We will later use this program as the target for our virus.
OVERWRITTING - The Spammer Virus
This virus is simple but mean. It will search for all COM files in its current directory and overwrite them, thus destroying then and replacing them with a copy of itself. This virus has a few simple steps to achive its' goal after loading:
Procedure calls are used to make the virus more readable. There are two procedures in this virus: INFECT and PAYLOAD. This was mainly done so that it may be easily expanded and perhaps a little easier to read. Modifications should be simple and easier to locate when they are in simple precedure calls.
This virus is 108 bytes long. Any program (like HELPME.COM) that is less than that size will be enlarged to 108 bytes once infected. If a file is larger than 108 bytes the size of the file will not change. It uses simple math to dynamically determine the file size during compile tiime. It simply subtracts the ending offset of the virus from the starting offset. Using this method the contents of the virus can easily be changed (like the payload string) without having to always alter the infection/replication code.
* ThunderByte (DOS) '95 - Detected
* ThunderByte (95) '98 - Failed! (But will detect in High Sensitivity Mode)
Norton AntiVirus 4.0 '98 - Failed!
* Norton AntiVirus 5.0 '98 - Failed!
* F-Prot (95) '98 - Failed!
ViruSafe 95 v2.7 - Failed!
McAfee VirusScan '98 - Failed!
Inoculan '98 - Failed!
* = Hueristic Scanning Capability