FILE_OK takes care of the details of determining whether a potential host should be infected or not. First, FILE_OK opens the file passed to it by FIND_FILE and determines its length. If the file is too big, adding the virus to it could make it crash, so Justin avoids such big files. But how big is too big? Too big is when Justin can’t get into the high memory segment without ploughing the stack into the top of the host. Although Justin doesn’t use too much stack, one must remember that hardware interrupts can use the stack
Find First File
Find Next File Is File OK?
Any More Files?
Infect file
Exit virus FIND_FILE
Fig. 5.3: JUSTINs file search and infect.
Parasitic COM Infectors: Part I 57
at any time. Thus, about 100H bytes for a stack will be needed. So, we want
(Size of Justin) + (Size of Host) + (Size of PSP) < 0FF00H to be safe. To determine this, FILE_OK opens the potential host using DOS function 3DH, attempting to open in read/write mode.
We already met this function with MINI-44. Now we just use it in read/write mode:
mov dx,9EH ;address of file name in DTA mov ax,3D02H ;open read/write mode
int 21H
If this open fails, then the file is probably read only, and Justin avoids it.
Next FILE_OK must find out how big the file is. One can pull this directly from the DTA, at offset 1AH. However, there is another way to find out how big a file is, even when you’re not using the DOS search functions, and that is what Justin uses here.
This method introduces an important concept: the file pointer.
FILE_OK moves the file pointer to the end of the file to find out how big it is. The file pointer is a four byte integer stored internally by DOS which keeps track of where DOS will read and write from in the file. This file pointer starts out pointing to the first byte in a newly-opened file, and it is automatically advanced by DOS as the file is read from or written to.
DOS Function 42H is used to move the file pointer to any desired value. In calling function 42H, the register bx must be set up with the file handle number, and cx:dx must contain a 32 bit long integer telling where to move the file pointer to. There are three different ways this function can be used, as specified by the contents of the al register. If al=0, the file pointer is set relative to the beginning of the file. If al=1, it is incremented relative to the current location, and if al=2, cx:dx is used as the offset from the end of the file. When Function 42H returns, it also reports the current value of the file pointer (relative to the beginning of the file) in the dx:ax register pair. So to find the size of a file, one sets the file pointer to the end of the file
58 The Giant Black Book of Computer Viruses
mov ax,4202H ;seek relative to end xor cx,cx ;cx:dx=0
xor dx,dx ;the offset from the end int 21H
and the value returned in dx:ax will be the file size! FILE_OK must check this number to make sure it’s not too big. If dx=0, the file is more than 64K long, and therefore too big:
or dx,dx ;is dx = 0?
jnz FOK_EXIT_C ;no, exit with c set
Likewise, if we add OFFSET HOST to ax, and it’s greater than 0FF00H, the file is too big:
add ax,OFFSET HOST ;add size of virus + PSP cmp ax,0FF00H ;is it too big?
ja FOK_EXIT_C ;yes, exit with c set
If FILE_OK gets this far, the new host isn’t too big, so the next step is to read the entire file into memory to examine its contents.
It is loaded right after the virus in the high segment. That way, if
Old Host
New Host
JUSTIN
JUSTIN High Segment Low Segment
Fig. 5.4: JUSTIN creates an image of infected host.
Parasitic COM Infectors: Part I 59
the file is good to infect, the virus will have just created an image of the infected program in memory (See Fig. 5.4) Actually infecting it will be very simple. All Justin will have to do is write that image back to disk!
To read the file into memory, we must first move the file pointer back to the beginning of the file with DOS Function 42H, Subfunc-tion 0,
mov ax,4200H ;move file ptr
xor cx,cx ;0:0 relative from start xor dx,dx
int 21H
Next, DOS Function 3FH reads the file into memory. To read a file, one must set bx equal to the file handle number and cx to the number of bytes to read from the file. Also ds:dx must be set to the location in memory where the data read from the file should be stored (the label HOST).
pop cx ;cx contains host size push cx ;save it for later use mov ah,3FH ;prepare to read file mov dx,OFFSET HOST ;into host location int 21H ;do it
Before infecting the new host, Justin performs two more checks in the FILE_OK routine. The first is simply to see if the potential host has already been infected. To do that, FILE_OK simply compares the first 20 bytes of the host with its own first 20 bytes.
If they are the same, the file is already infected. This check is as simple as
mov si,100H
mov di,OFFSET HOST mov cx,10
repz cmpsw
If the z flag is set at the end of executing this, then the virus is already there.
One final check is necessary. Starting with DOS 6.0, a COM program may not really be a COM program. DOS checks the program to see if it has a valid EXE header, even if it is named 60 The Giant Black Book of Computer Viruses
“COM”, and if it has an EXE header, DOS loads it as an EXE file.
This unusual circumstance can cause problems if a parasitic virus doesn’t recognize the same files as EXE’s and steer clear of them.
If a parasitic COM infector attacked a file with an EXE structure, DOS would no longer recognize it as an EXE program, so DOS would load it as a COM program. The virus would execute prop-erly, but then it would attempt to transfer control to an EXE header (which is just a data structure) rather than a valid binary program.
That would probably result in a system hang.
One might think programs with this bizarre quirk are fairly rare, and not worth the trouble to steer clear of them. Such is not the case.
Some COMMAND.COMs take this form—one file a nice virus certainly doesn’t want to trash.
Checking for EXE’s is really quite simple. One need only see if the first two bytes are “MZ”. If they are, it’s probably an EXE, so the virus should stay away! FILE_OK just checks
cmp WORD PTR [HOST],’ZM’
and exits with c set if this instruction sets the z flag. Finally, FILE_OK will close the file if it isn’t a good one to infect, and leave it open, with the handle in bx, if it can be infected. It’s left open so the infected version can easily be written back to the file.