MINI-44’s replication mechanism is even simpler than its search mechanism. To replicate, it simply opens the host program in write mode—just like an ordinary program would open a data file—and then it writes a copy of itself to that file, and closes it.
Opening and closing are essential parts of writing a file in DOS.
The act of opening a file is like getting permission from DOS to touch that file. When DOS returns the OK to your program, it is telling you that it does indeed have the resources to access that file, that the file exists in the form you expect, etc. Closing the file tells DOS to finish up work on the file and flush all data changes from DOS’ memory buffers and put it on the disk.
To open the host program, MINI-44 uses DOS Interrupt 21H Function 3D Hex. The access rights in the al register are specified as 1 for write-only access (since the virus doesn’t need to inspect 34 The Giant Black Book of Computer Viruses
the program it is infecting). The ds:dx pair must point to the file name, which has already been set up in the DTA by the search functions at FNAME = 9EH.
The code to open the file is thus given by:
mov ax,3D01H mov dx,OFFSET FNAME int 21H
If DOS is successful in opening the file, it will return a file handle in the ax register. This file handle is simply a 16-bit number that uniquely references the file just opened. Since all other DOS file manipulation calls require this file handle to be passed to them in the bx register, MINI-44 puts it there as soon as the file is opened with a mov bx,ax instruction.
Next, the virus writes a copy of itself into the host program file using Interrupt 21H, Function 40H. To do this, ds:dx must be set up to point to the data to be written to the file, which is the virus itself, located at ds:100H. (ds was already set up properly when the
Search for First File
Found?File
Infect File Search for
Next File
Exitto DOS
No Yes
Fig 3.5: MINI-44 file search logic.
The Simplest COM Infector 35
COM program was loaded by DOS.) At this point, the virus which is presently executing is treating itself just like any ordinary data to be written to a file—and there’s no reason it can’t do that. Next, to call function 40H, cx should be set up with the number of bytes to be written to the disk, in this case 44, dx should point to the data to be written (the virus), and bx should contain the file handle:
mov bx,ax ;put file handle in bx mov dx,100H ;location to write from mov cx,44 ;bytes to write
mov ah,40H
int 21H ;do it
Finally, to close the host file, MINI-44 simply uses DOS function 3EH, with the file handle in bx once again. Figure 3.6 depicts the end result of such an infection.
Uninfected Infected Original COM
File Code Original COM
File Code Original COM
File Code Original COM
File Code Original COM
File Code
Original COM File Code Original COM
File Code Original COM
File Code Original COM
File Code Original COM
File Code MINI-44
Virus Code
Fig. 3.6: Uninfected and infected COM files.
36 The Giant Black Book of Computer Viruses
Discussion
MINI-44 is an incredibly simple virus as far as viruses go. If you’re a novice at assembly language, it’s probably just enough to cut your teeth on without being overwhelmed. If you’re a veteran assembly language programmer who hasn’t thought too much about viruses, you’ve just learned how ridiculously easy it is to write a virus.
Of course, MINI-44 isn’t a very good virus. Since it destroys everything it touches, all you have to do is run one program to know you’re infected. And the only thing to do once you’re infected is to delete all the infected files and replace them from a backup. In short, this isn’t the kind of virus that stands a chance of escaping into the wild and showing up on computers where it doesn’t belong without any help.
In general, overwriting viruses aren’t very good at establishing a population in the wild because they are so easy to spot, and because they’re blatantly destructive and disagreeable. The only way an overwriting virus has a chance at surviving on a computer for more than a short period of time is to employ a sophisticated search mechanism so that when you execute it, it jumps to some far off program in another directory where you can’t find it. And if you can’t find it, you can’t clean it up. There are indeed overwriting viruses which use this strategy. Of course, even this strategy is of little use once your scanner can detect it, and if you’re going to make the virus hard to scan, you may as well make a better virus while you’re at it.
Exercises
1. Overwriting viruses are one of the few types of virsuses which can be written in a high level language, like C, Pascal or Basic. Design an overwriting virus using one of these languages. Hint: see the book Computer Viruses and Data Protection, by Ralf Burger.
2. Change the string COM_FILE to “*.EXE” in MINI-44 and call it MINI-44E. Does MINI-44E successfully infect EXE files? Why?
The Simplest COM Infector 37
3. MINI-44 will not infect files with the hidden, system, or read-only file attributes set. What very simple change can be made to cause it to infect hidden and system files? What would have to be done to make it infect read-only files?
38 The Giant Black Book of Computer Viruses