Designing a COM Virus

COM executables on Windows bring back the good old days when executable formats were much less complicated than they are today. Back then, these kinds of programs didn't need a loader; they didn't even use DLLs. All they did was get loaded into memory and execute. That made them easy to understand and easy to exploit.

So let's exploit one.

We're going to write a simple COM file virus on DOS. This virus is going to hook COM files and then look for similar files to infect. We're going to base our work on Ludwig's Little Black Book of Computer Viruses, and hopefully, we're going to simplify a bit and create a disabling trigger.

Before we get started coding anything, let's identify exactly what we'd need and how this kind of virus is designed. First, we're going to create a simple COM file target. I've gone over how to create a DOS VMWare image, and those do have COM files we'll want to infect too, but let's start with a simple target file so that it's easy to see where the code's injected and how the COM file is modified. So we need a workstation (VMWare DOS image) and a target COM file. We also want to use a disabling trigger — I'm intending to use a file for this, that if it's resident in the directory the COM infector is targeting, the COM infector will stop infecting targets. We'll also use good hygiene on our VMWare image so that we don't trash it or let the virus out. Ideally, you'd be working on a non-Windows platform with VMWare installed, in which you run your DOS image. We'll take a snapshot of the image prior to starting work and work off that snapshot so that we always have an uninfected rollback.

So let's sum this up. We will:

• Develop a target COM file

• Implement a disabling trigger

• Initially, only infect COM files in the local directory

• Run VMWare on a non-Windows platform to prevent escapes

• Only work on snapshots of the base image, so we can always roll back to an uninfected DOS image.

We're writing the virus in assembly, so it's much easier if we develop a block diagram of the virus' functionality as an initial design. This is a very abstract representation of the program's functionality and doesn't begin to address how we're going to do these things, but it does define what we want to do:

Figure1: Virus Design

Green indicates a start state, red an end state, yellow a control state, and blue a standard virus execution. Basically, we want the virus code to run on COM program startup, check the local directory for COM files to infect, infect those files if they're present, and then resume program execution.

There's a couple of places we can place our trigger, too. I'm going to place it prior to the scan, resuming regular program execution if the disabling trigger isn't there.

Now that we have an idea of what we want the virus to do, we can start to build it.