Simple COM file infector virus

INTRO.  These studies of computer viruses are based on The Giant Black Book of Computer Viruses by Mark Ludwig.  These viruses are used for discussion and study only; they are not meant to be used in any way other than academic.  This is part of the Academic Underground student organization's effort to better understand and prevent computer viruses.  This page is mainly an outline for the panel discussions at the meeting.

There are three types of COM file infector viruses:

  1. Overwriting
  2. Companion
  3. Parasitic

The first meeting will only cover the simplest one, the overwriting virus.  This will give people a general understanding of assembly language as well as how little work it takes to write a virus.  There will also be room and time to write an anti-virus to scan for the virus we make; any language may be used for the scanner.

Basics
    When a command is typed into DOS, it first checks whether the command is an internal command (not a file, but a command built into the COMMAND.COM program, e.g. DIR).  If not, it looks for a program with a .COM extension.  If it fails to find one it then searches for one with a .EXE extension, and if that also fails, for one with a .BAT extension, in that order.  If none are found it returns the error message: Bad command or filename.

A Simple Assembly program (HELPME.ASM):

            .model tiny
            .code

            ORG     100h
HOST:
            mov     ah, 9               ; DOS function 09h: display a '$'-terminated string
            mov     dx, OFFSET MSG      ; DS:DX = address of the string to display
            int     21h                 ; Call DOS to display it

            mov     ax, 4C00h           ; DOS function 4Ch: terminate program, AL = exit code 0
            int     21h                 ; Quit to DOS
MSG         db      'I am an innocent host program and not a virus.$'
            END     HOST

To compile this program with tasm issue the following commands:

   tasm HELPME.ASM            (Creates an OBJ file)
   tlink /t HELPME.OBJ           (Creates a COM file)

This program is a simple little program that just displays a string (MSG) and exits.  Each DOS function has a hex number assigned to it depending on its role.  Example: 9 displays a string and 4C exits to DOS.  These values are put into the AX register, which can be broken down into two smaller registers, AH and AL: the function number goes in AH, and for 4Ch the exit code goes in AL (hence 4C00h for exit code 0).  You then call an interrupt to have DOS execute the function; this is mainly INT 21h.  This program can be compiled with either MASM or TASM (or some other 3rd party assembler).  Once compiled you will have a small COM file, HELPME.COM.  We will later use this program as the target for our virus.

The Virus
OVERWRITING  -  The Spammer Virus

    This virus is simple but mean.  It searches for all COM files in its current directory and overwrites them, thus destroying them and replacing them with a copy of itself.  After loading, the virus takes a few simple steps to achieve its goal:

  1. Search for all files in the current directory with the wildcard '*.COM'
  2. Open the file with write access and write its own code (the size of the virus in bytes) to the file.
  3. Then it prints an annoying message and terminates back to DOS

One key feature of the Spammer virus is how it searches.  It first calls the DOS function FIND FIRST FILE.  If that succeeds, the matching filename is kept in the DTA (Disk Transfer Area, a spot in memory).  After that the filename in the DTA can be used for file manipulation, and FIND NEXT FILE can be called to find the remaining COM files in the directory.

Procedure calls are used to make the virus more readable.  There are two procedures in this virus: INFECT and PAYLOAD.  This was done mainly so that it can be easily expanded and is a little easier to read.  Modifications should be simple and easy to locate when the code is split into small procedures.

This virus is 108 bytes long.  Any program (like HELPME.COM) smaller than that will be enlarged to 108 bytes once infected; if a file is larger than 108 bytes its size will not change.  The virus determines its own size with simple math at assembly time: it subtracts its starting offset from its ending offset.  Using this method the contents of the virus (such as the payload string) can be changed without having to alter the infection/replication code.

Spammer Virus

 Scan Results
 * ThunderByte (DOS) '95 - Detected
 * ThunderByte (95) '98 - Failed! (But will detect in High Sensitivity Mode)
   Norton AntiVirus 4.0 '98 - Failed!
 * Norton AntiVirus 5.0 '98 - Failed!
 * F-Prot (95) '98 - Failed!
   ViruSafe 95 v2.7 - Failed!
   McAfee VirusScan '98 - Failed!
   Inoculan '98 - Failed!
 * = Heuristic scanning capability
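As an added example for the scanner exercise (not code from the page or from the Academic Underground materials), here is a small baseline-and-compare scanner in Python: it records the size and hash of every COM file, then flags files whose contents changed, files that grew to exactly the 108-byte virus length stated above, and files starting with a known signature.  The signature bytes are a placeholder because the page does not give the virus's code; the sample file contents are constructed (the clean file is hand-assembled from HELPME.ASM).

```python
import hashlib
import os
VIRUS_LEN = 108                     # length of the Spammer virus, as stated above
VIRUS_SIGNATURE = b"<<SIGNATURE>>"  # placeholder: the page does not give the virus bytes

def fingerprint(data):
    """Return (size, sha256 hex) for one file's contents."""
    return len(data), hashlib.sha256(data).hexdigest()

def build_baseline(com_files):
    """com_files maps filename -> bytes; returns filename -> (size, sha256)."""
    return {name: fingerprint(data) for name, data in com_files.items()}

def scan(com_files, baseline):
    """Compare current COM files against the baseline; return (filename, reasons) pairs."""
    findings = []
    for name, data in com_files.items():
        reasons = []
        if data.startswith(VIRUS_SIGNATURE):
            reasons.append("starts with known virus signature")
        if name in baseline:
            old_size, old_hash = baseline[name]
            if fingerprint(data)[1] != old_hash:
                reasons.append("contents changed since baseline")
                # An overwriting infector enlarges a short host to exactly its own length.
                if old_size < VIRUS_LEN and len(data) == VIRUS_LEN:
                    reasons.append("grew to exactly %d bytes" % VIRUS_LEN)
        else:
            reasons.append("COM file not in baseline")
        if reasons:
            findings.append((name, reasons))
    return findings

def load_com_files(directory):
    """Read every *.COM file in a directory into memory (case-insensitive match)."""
    out = {}
    for name in os.listdir(directory):
        if name.upper().endswith(".COM"):
            with open(os.path.join(directory, name), "rb") as fh:
                out[name] = fh.read()
    return out

# Constructed sample: the bytes HELPME.ASM assembles to, and the same file after infection.
CLEAN = {"HELPME.COM": b"\xb4\x09\xba\x0c\x01\xcd\x21\xb8\x00\x4c\xcd\x21"
                       b"I am an innocent host program and not a virus.$"}
INFECTED = {"HELPME.COM": (VIRUS_SIGNATURE + b"Spam!$").ljust(VIRUS_LEN, b"\x90")}

if __name__ == "__main__":
    for name, reasons in scan(INFECTED, build_baseline(CLEAN)):
        print(name, "->", "; ".join(reasons))
```

To use it on a real directory, build the baseline from `load_com_files(path)` before the virus is run and scan with a fresh `load_com_files(path)` afterwards.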

Exercises

  1.  Modify the virus to infect Hidden, System and Read-only files.  Hidden and System files will be easy, but Read-only may be a bit of a challenge.