Companion Virus - Spanky
A companion virus is a virus that renames its host and names a copy of itself the name of its target. For instance a virus could rename a HELPME.COM to HELPME.CON and then name itself HELPME.COM. After executing the virus would then run HELPME.CON. This is a much better way than of replicating than The Spammer virus used.
Spanky will attack *.EXE files and copy itself to a hidden file with a .COM extension. Knowing that DOS will run a COM file before an EXE file, this will work perfectly. And since the COM file is hidden there will be no obvious difference when the user types DIR.
Some hurdles the virus must jump through in order to make this happen
is executing another program. A DOS program needs more room than
is initially given. The stack is reserved up to 64k no matter what
size your COM program is. So we must reduce the stack and free up
the memory. We do this with the following command:
mov sp, OFFSET END_V + 100h
This will give us 100h for our virus and we can then free the rest with the following command:
mov ah, 4Ah
mov bx, sp ; See above
mov cl,4 ; We need to divide by 16 to set page limits
inc bx ; Inc to round up the page
This may look a bit confusing but this basic math is all you need to do when setting up pages. Just remember it or write it down and use it.
The EXE will also need to have it's parameter block setup. This is a fairly easy task. All that needs to be done is to copy the information out of your PSP block and put it into the parameter block. This is accomplised with the PARAM_BLK. After the host executes we need to set our stuff back up the way we need it. The rest of the execution code is mearly setting our stack and DTA back up.
The Infection routine is also pretty simple. We use the same FIND FIRST/NEXT but this time we do a couple of things with the DTA FNAME exept overwrite it. First we copy the DTA Filename to our REAL_NAME variable. Then we edit the filename and replace the EXE with COM. Which makes it very easy for us to create a file using the DTA FNAME results. The rest is basically the same as Spammer.
ThunderByte (DOS) '95 - Not Tested
ThunderByte (95) '98 - Failed! (But will detect in High Sensitivity Mode)
Norton AntiVirus 4.0 '98 - Failed!
Norton AntiVirus 5.0 '98 - Failed!
F-Prot (95) '98 - Failed!
ViruSafe 95 v2.7 - Failed!
McAfee VirusScan '98 - Failed!
Inoculan '98 - Failed!
This exercise was stolen directly from The Giant Black Book of Computer Viruses. It's a great exercise that will step you through the process of makeing a beneficial virus. This virus will protect unwanted users from running applications on your PC without a given password.