Data Storage for the Virus

Part of the document Black_book_of_Computer_Virus.pdf (pages 52 - 55)

One problem we must face in creating this virus is how to locate data. Since all jumps and calls in a COM file are relative, we needn’t do anything fancy to account for the fact that the virus must relocate itself as it copies itself from program to program. The jumps and calls relocate themselves automatically. Handling the data is not as easy. A data reference like

mov bx,WORD PTR [HANDLE]

refers to an absolute offset in the program segment labeled HANDLE. We cannot just define a word in memory using an assembler directive like

HANDLE DW 0

and then assemble the virus and run it. If we do that, it will work right the first time. Once it has attached itself to a new program, though, all the memory addresses will have changed, and the virus will be in big trouble. It will either bomb out itself, or cause its host program to bomb.

There are two ways to avoid catastrophe here. Firstly, one could put all of the data together in one place, and write the program to determine at run time where that data area is, store its address in a register (e.g. si), and access every variable relative to that register, like this:

mov bx,[si+HANDLE_OFS]

where HANDLE_OFS is the offset of the variable HANDLE from the start of the data area.

Alternatively, we could put all of the data in a fixed location in the code segment, provided we’re sure that neither the virus nor the host will ever occupy that space. The only safe place to do this is at the very end of the segment, where the stack resides. Since the virus takes control of the CPU first when the COM file is executed, it will control the stack also. Thus we can determine exactly what the stack is doing, and stay out of its way. This is the method we choose.

Figure 9: Absolute data address catastrophe. (Diagram: Initial Host (10 Kb) followed by Virus Code and HANDLE; after Infection, New Host (12 Kb) followed by Virus Code and HANDLE; the code is relative, the data address is absolute.)

When the virus first gains control, the stack pointer, sp, is set to FFFF Hex. If it calls a subroutine, the address directly after the call is placed on the stack, in the bytes FFFF Hex and FFFE Hex in the program’s segment, and the stack pointer is decremented by two, to FFFD Hex. When the CPU executes the return instruction in the subroutine, it uses the two bytes stored by the call to determine where to return to, and increments the stack pointer by two. Likewise, executing a push instruction decrements the stack by two bytes and stores the desired register at the location of the stack pointer. The pop instruction reverses this process. The int instruction requires five bytes of stack space, and this includes calls to hardware interrupt handlers, which may be accessed at any time in the program without warning, one on top of the other.

The data area for the virus can be located just below the memory required for the stack. The exact amount of stack space required is rather difficult to determine, but 80 bytes will be more than sufficient. The data will go right below these 80 bytes, and in this manner its location may be fixed. One must simply take account of the space it takes up when determining the maximum size of a COM file in the FILE_OK routine.

Of course, one cannot put initialized variables on the stack. They must be stored with the program on disk. To store them near the end of the program segment would require the virus to expand the file size of every file to near the 64K limit. Such a drastic change in file sizes would quickly tip the user off that his system has been infected! Instead, initialized variables should be stored with the executable virus code. This strategy will keep the number of bytes which must be added to the host to a minimum. (Thus it is a worthwhile anti-detection measure.) The drawback is that such variables must then be located dynamically by the virus at run time.

Fortunately, we have only one piece of data which must be pre-initialized, the string used by DOS in the search routine to locate COM files, which we called simply “COMFILE”. If you take a look back to the search routine, you’ll notice that we already took the relocatability of this piece of data into account when we retrieved it using the instructions

mov dx,WORD PTR [VIR_START]
add dx,OFFSET COMFILE - OFFSET VIRUS

instead of simply

mov dx,OFFSET COMFILE
