Companion COM infector

INTRO.  These studies of computer viruses are based on The Giant Black Book of Computer
Viruses by Mark Ludwig.  These viruses are used for discussion and study.  They are not meant to be
used in any way other than academic.   This is part of the Academic Underground student
organization's work to further understand and prevent computer viruses.  This is mainly an outline for the
panel discussions at the meeting.

Companion Virus - Spanky

A companion virus is a virus that renames its host and gives a copy of itself the name of its target.  For instance, a virus could rename HELPME.COM to HELPME.CON and then name itself HELPME.COM.  After executing, the virus would then run HELPME.CON.  This is a much better way of replicating than the one the Spammer virus used.

Spanky will attack *.EXE files and copy itself to a hidden file with a .COM extension.  This works because, given both NAME.COM and NAME.EXE, DOS runs the COM file before the EXE file.  And since the COM file is hidden, there will be no obvious difference when the user types DIR.
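The same two facts that make this trick work (a .COM beside an .EXE of the same stem, and the hidden attribute) are also what a scanner can look for.  The following is an added defender's check, not code from the book or from this outline; the Entry record, the constructed sample listing and the scoring rules are assumptions made for the example.

```python
import os
from collections import Counter, namedtuple

FILE_ATTRIBUTE_HIDDEN = 0x02  # DOS/Windows hidden attribute bit (st_file_attributes on Windows)
Entry = namedtuple("Entry", "name size hidden")  # name as listed, size in bytes, hidden bit set

def find_companion_pairs(entries):
    """Return (com, exe) pairs sharing a stem.  DOS resolves NAME.COM before NAME.EXE,
    so a .COM beside an .EXE of the same name is the structural signature of a
    companion infection, whatever the .COM actually contains."""
    by_stem = {}
    for e in entries:
        stem, ext = os.path.splitext(e.name.upper())
        by_stem.setdefault(stem, {})[ext] = e
    return [(x[".COM"], x[".EXE"]) for x in by_stem.values()
            if ".COM" in x and ".EXE" in x]

def classify(pairs):
    """Attach reasons to each pair: a hidden .COM is the case described in the text,
    and several .COM companions of identical size point to one body copied repeatedly."""
    com_sizes = Counter(com.size for com, _ in pairs)
    findings = []
    for com, exe in pairs:
        reasons = []
        if com.hidden:
            reasons.append("hidden .COM")
        if com_sizes[com.size] > 1:
            reasons.append("same-size .COM companions")
        findings.append((com.name, exe.name, reasons))
    return findings

def scan_directory(path):
    """Build entries from a real directory; the hidden bit is only reported on Windows."""
    out = []
    for de in os.scandir(path):
        if de.is_file():
            st = de.stat()
            attrs = getattr(st, "st_file_attributes", 0)
            out.append(Entry(de.name, st.st_size, bool(attrs & FILE_ATTRIBUTE_HIDDEN)))
    return out

# Constructed sample listing (not a real capture): two shadowed hosts and a clean program
SAMPLE_LISTING = [Entry("HELPME.EXE", 40960, False), Entry("HELPME.COM", 1024, True),
                  Entry("EDIT.EXE", 70000, False), Entry("EDIT.COM", 1024, True),
                  Entry("CLEAN.EXE", 5000, False), Entry("NOTES.TXT", 300, False)]

if __name__ == "__main__":
    for com, exe, reasons in classify(find_companion_pairs(SAMPLE_LISTING)):
        print(f"{com} shadows {exe}: {', '.join(reasons) or 'pair only'}")
```

Run it against a real directory with classify(find_companion_pairs(scan_directory(path))); a pair with no reasons is still worth a look, since a .COM companion need not be hidden.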

One hurdle the virus must jump through in order to make this happen is executing another program.  The program to be run needs more room than is initially free: the stack is reserved up to 64k no matter what size your COM program is.  So we must reduce the stack and free up the memory.  We do this with the following command:
        mov sp, OFFSET END_V + 100h   ; Stack now sits just past the virus body plus 100h
This will give us 100h for our virus and we can then free the rest with the following command:
        mov ah, 4Ah            ; DOS: resize the memory block that ES points at (the PSP in a COM program)
        mov bx, sp             ; See above: bytes we want to keep
        mov cl,4               ; We need to divide by 16 to get 16-byte paragraphs
        shr bx,cl
        inc bx                 ; Inc to round up to a whole paragraph
        int 21h
This may look a bit confusing, but this basic math is all you need to do when setting the block size in 16-byte paragraphs.  Just remember it or write it down and use it.

The EXE will also need to have its parameter block set up.  This is a fairly easy task.  All that needs to be done is to copy the information out of your PSP block and put it into the parameter block.  This is accomplished with the PARAM_BLK.  After the host executes we need to set our stuff back up the way we need it.  The rest of the execution code is merely setting our stack and DTA back up.

The infection routine is also pretty simple.  We use the same FIND FIRST/NEXT, but this time we do a couple of things with the DTA FNAME rather than overwrite it.  First we copy the DTA filename to our REAL_NAME variable.  Then we edit the filename and replace the EXE with COM, which makes it very easy for us to create a file using the DTA FNAME results.  The rest is basically the same as Spammer.

Spanky Virus

ThunderByte (DOS) '95  - Not Tested
ThunderByte (95) '98 - Failed! (But will detect in High Sensitivity Mode)
Norton AntiVirus 4.0 '98 - Failed!
Norton AntiVirus 5.0 '98 - Failed!
F-Prot (95) '98 -  Failed!
ViruSafe 95 v2.7 -  Failed!
McAfee VirusScan '98 - Failed!
Inoculan '98 - Failed!

This exercise was taken directly from The Giant Black Book of Computer Viruses.  It's a great exercise that will step you through the process of making a beneficial virus.  This virus will prevent unwanted users from running applications on your PC without a given password.

  1. Modify the virus so it only infects a certain directory like C:\DOS.  This is a simple step using the EXE_FILE variable.
  2. Modify Spanky to infect both EXE and COM files.  You will need to make a FIND_FILES subroutine and then call it twice: once with EXE_FILE and again with COM_FILE.  The infection routine will have to be changed so the true EXE or COM files have different extensions and are hidden while the virus assumes their names.
  3. Modify the infection routine again, but this time make it save the host to a random file name (HINT: use DOS function 26h).  You will also need to prevent re-infection by somehow detecting yourself.
  4. Make Spanky demand a password before running its host.  The password can be hard coded within the virus.
  5. Now, make Spanky encrypt the password, the hosts and all copies of itself that it writes to disk.  Only decrypt yourself before execution in memory.