
Low Level Memory Residence

From the document Computer Viruses Black Book GIANT (Pages 116-119), chapter "Advanced Memory Residence Techniques"

A virus can go memory resident by directly modifying the memory allocation data structures used by DOS. This approach is perhaps the most powerful and flexible way for a virus to insert itself in memory. It does not require any specialized, version-dependent knowledge of DOS, and it avoids the familiar TSR calls like Interrupt 21H, Function 31H, which are certain to be watched by anti-virus monitors. This technique also offers much more flexibility than DOS's documented function calls.

First, let's take a look at DOS's memory allocation scheme to see how it allocates memory in the computer...

DOS allocates memory in blocks, called Memory Control Blocks, or MCBs for short. The MCBs are arranged into a chain which covers all available memory for DOS (below the 640K limit). Memory managers can extend this chain above 640K as well.

Each MCB consists of a 16 byte data structure which sits at the start of the block of memory which it controls. It is detailed in Table 9.1.

There are two types of MCBs, so-called M and Z because of the first byte in the MCB. The Z block is simply the end of the chain. M blocks fill the rest of the chain. The MCBs are normally managed by DOS, however other programs can find them and even manipulate them.

The utility programs which go by names like MEM or MAPMEM will display the MCB chain, or parts of it. To do this, they locate the first MCB from DOS's List of Lists. This List of Lists is a master control data block maintained by DOS which contains all sorts of system-level data used by DOS. Though it isn't officially documented, quite a bit of information about it has been published in books like Undocumented DOS.[1] The essential piece of information needed to access the MCBs is stored at offset -2 in the List of Lists: the word there is the segment of the first Memory Control Block in the system. The address of the List of Lists is returned in es:bx by calling undocumented DOS Interrupt 21H, Function 52H,

        mov     ah,52H
        int     21H                     ;es:bx -> List of Lists

Then a program can fetch this segment,

        mov     ax,es:[bx-2]            ;word just before the List of Lists
        mov     es,ax                   ;es=seg of 1st MCB

and, from there, walk the MCB chain. To walk the chain, one takes the segment of the current MCB and adds 1 (the paragraph occupied by the MCB itself) plus BLK_SIZE, the size of the memory block, which is stored in the MCB at offset 3. The result is the segment of the next MCB. This process is repeated until one encounters a Z-block, which is the last in the chain. Code to walk the chain looks like this (bx must be zero here, because the MCB fields are addressed relative to the start of the segment, and the call to Function 52H left bx pointing at the List of Lists):

        mov     es,ax                   ;set es=MCB segment
        xor     bx,bx                   ;MCB fields sit at offset 0
NEXT:   cmp     BYTE PTR es:[bx],'Z'    ;is it the Z block?
        je      DONE                    ;yes, all done
        mov     ax,es                   ;nope, go to next
        inc     ax                      ;block in chain
        add     ax,es:[bx+3]            ;(MCB size + 1) paragraphs
        mov     es,ax
        jmp     NEXT
DONE:

[1] Andrew Schulman et al., Undocumented DOS (Addison-Wesley, New York: 1991), p. 518. Some documentation on the List of Lists is included in this book in Appendix A, where DOS Function 52H is discussed.

A virus can install itself in memory in a number of creative ways by manipulating the MCBs. If done properly, DOS will respect these direct manipulations and it won’t crash the machine.

If the MCB structure is fouled up, DOS will almost certainly crash, with the annoying message “Memory Allocation Error, Cannot load COMMAND.COM, System Halted.”

Offset  Size  Description
0       1     Block Type: always an "M" or a "Z", as explained in the text.
1       2     Block Owner: the PSP segment of the program that owns this block of memory.
3       2     Block Size: the size of the memory block, in 16-byte paragraphs. This size does not include the MCB itself.
5       3     Reserved.
8       8     File Name: a space sometimes used to store the name of the program using this block.

Table 9.1: The Memory Control Block.

The Yellow Worm has a simple and effective method of manipulating the MCBs to go memory resident without announcing it to the whole world. What it does is divide the Z block, provided it is suitable, into an M block and a Z block. The virus takes over the Z block and gives the new M block to the original owner of the Z block.

Typically, the Z block is fairly large, and the Yellow Worm just snips a little bit out of it, about 48 paragraphs. The rest it leaves free for other programs to use. Before the Yellow Worm takes the Z block, it checks it out to make sure grabbing it won't cause any surprises. Basically, there are two situations in which what the Yellow Worm does is safe: (1) when the Z block is controlled by the program which the Yellow Worm is part of (i.e. the Owner = current PSP), or (2) when the Z block is free (Owner = 0). If something else controls the Z block (a highly unlikely event), the Yellow Worm is polite and does not attempt to go resident.

Once the Yellow Worm has made room for itself in memory, it copies itself into the new Z block, using the segment of that block's MCB + 1 (the first paragraph after the 16-byte MCB) as its operating segment. Since the Worm starts executing at offset 0 in the host, it can just put itself at the same offset in this new segment. That way it avoids having to deal with relocating offsets.

Finally, the Yellow Worm installs an interrupt hook for Interrupt 21H which activates the copy of itself in the Z MCB. That makes the virus active. Then the copy of the Yellow Worm in memory passes control back to the host.
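The chain walk from the assembly above and the Yellow Worm's Z-block split, as an added example in C that is not from the book or from the Yellow Worm source: it keeps a constructed 640K memory image in a byte array, builds a sample MCB chain (a DOS block followed by a host .COM program that owns the Z block), walks it with the same next = segment + 1 + size rule, then carves 48 paragraphs off the Z block under the same ownership check the Worm makes. The segments in the sample chain and the owner value written into the new Z block (8, the value DOS uses for blocks it holds itself) are assumptions of this example, not figures from the page. A clobbered block type is also shown to make the walk fail instead of wandering off, which is the condition behind DOS's "Memory Allocation Error".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PARA      16u
#define MEM_PARAS 0xA000u   /* 640K of simulated conventional memory, in paragraphs */
#define DOS_OWNER 0x0008u   /* owner value DOS uses for blocks it holds itself */

/* Constructed memory image for the example; segment N is byte offset N*16. */
static uint8_t mem[MEM_PARAS * PARA];

/* Table 9.1 field access: an MCB is the 16 bytes at segment:0000. */
static uint8_t *mcb(uint16_t seg)            { return mem + (uint32_t)seg * PARA; }
static uint16_t rd16(const uint8_t *p)       { return (uint16_t)(p[0] | (p[1] << 8)); }
static void     wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static char     mcb_type(uint16_t seg)       { return (char)mcb(seg)[0]; }
static uint16_t mcb_owner(uint16_t seg)      { return rd16(mcb(seg) + 1); }
static uint16_t mcb_size(uint16_t seg)       { return rd16(mcb(seg) + 3); }

static void set_mcb(uint16_t seg, char type, uint16_t owner, uint16_t size, const char *name) {
    uint8_t *m = mcb(seg);
    memset(m, 0, PARA);
    m[0] = (uint8_t)type;
    wr16(m + 1, owner);
    wr16(m + 3, size);
    if (name) {                                  /* 8-byte name field, not NUL-terminated */
        size_t n = strlen(name);
        memcpy(m + 8, name, n > 8 ? 8 : n);
    }
}

/* Walk the chain the way the text's assembly does: next = seg + 1 + size.
 * Returns the Z block's segment, or 0 if the chain is fouled up (a type other
 * than 'M'/'Z', or a step past the end of memory), the state in which DOS
 * halts with "Memory Allocation Error" rather than continuing. */
static uint16_t walk_chain(uint16_t first_seg, int *nblocks) {
    uint32_t seg = first_seg;
    int n = 0;
    for (;;) {
        if (seg >= MEM_PARAS) return 0;
        n++;
        char t = mcb_type((uint16_t)seg);
        if (t == 'Z') { if (nblocks) *nblocks = n; return (uint16_t)seg; }
        if (t != 'M') return 0;
        seg += 1u + mcb_size((uint16_t)seg);     /* skip the MCB paragraph plus the block */
    }
}

static int count_blocks(uint16_t first_seg) {
    int n = 0;
    return walk_chain(first_seg, &n) ? n : 0;
}

/* The Yellow Worm's split: carve `want` paragraphs off the end of the Z block.
 * Allowed only when the Z block is free (owner 0) or belongs to the current
 * PSP; otherwise decline and return 0. The old Z block shrinks into an M block
 * that keeps its owner; the tail becomes the new Z block for the virus. Marking
 * it DOS_OWNER is this example's assumption (the page does not say what the
 * Worm writes); a block left owned by the host PSP is freed when the host exits. */
static uint16_t split_z_block(uint16_t first_seg, uint16_t cur_psp, uint16_t want) {
    uint16_t z = walk_chain(first_seg, NULL);
    if (!z) return 0;
    uint16_t owner = mcb_owner(z), size = mcb_size(z);
    if (owner != 0 && owner != cur_psp) return 0;
    if (size < want + 1u) return 0;              /* the new MCB header costs one paragraph */
    uint16_t keep  = (uint16_t)(size - want - 1);
    uint16_t new_z = (uint16_t)(z + 1 + keep);
    mcb(z)[0] = 'M';
    wr16(mcb(z) + 3, keep);
    set_mcb(new_z, 'Z', DOS_OWNER, want, "YELLOW");
    return new_z;                                /* the virus copies itself to segment new_z + 1 */
}

/* Constructed sample chain: a DOS-owned block, then a host .COM program whose
 * block is the Z block (DOS gives a .COM all remaining memory), owned by its
 * PSP, which sits in the paragraph right after the MCB. */
static uint16_t build_sample_chain(void) {
    const uint16_t first = 0x0250, host = 0x0351;
    memset(mem, 0, sizeof mem);
    set_mcb(first, 'M', DOS_OWNER, 0x0100, "SD");
    set_mcb(host, 'Z', (uint16_t)(host + 1), (uint16_t)(MEM_PARAS - host - 1), "HOST");
    return first;
}

/* Same chain with one block type clobbered, to show the walk failing safely. */
static uint16_t build_fouled_chain(void) {
    uint16_t first = build_sample_chain();
    mcb(0x0351)[0] = 'X';
    return first;
}

static void dump_chain(uint16_t first_seg) {
    for (uint32_t seg = first_seg; seg < MEM_PARAS; seg += 1u + mcb_size((uint16_t)seg)) {
        printf("  %04X  %c  owner %04X  size %04X paras\n", (unsigned)seg, mcb_type((uint16_t)seg),
               (unsigned)mcb_owner((uint16_t)seg), (unsigned)mcb_size((uint16_t)seg));
        if (mcb_type((uint16_t)seg) != 'M') break;
    }
}

int main(void) {
    uint16_t first = build_sample_chain();
    puts("before:");
    dump_chain(first);
    uint16_t vseg = split_z_block(first, 0x0352, 48);   /* host PSP owns the Z block: allowed */
    printf("virus Z block at %04X, its code runs in segment %04X\n", (unsigned)vseg, (unsigned)(vseg + 1));
    puts("after:");
    dump_chain(first);
    return 0;
}
```

Compile with any C99 compiler and run; it prints the chain before and after the split. The ownership question is the part a practitioner should not skip: DOS frees every block owned by a PSP when that program terminates, so a carved-out block that still carries the host's PSP as owner would vanish the moment the host returned to DOS, while a bad size or type in any MCB breaks the walk for DOS itself.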
