Internet Security Professional Reference: Viruses


Improved Overwriting COM Viruses

The last method used to infect COM programs is known as improved overwriting. Assuming the virus is V bytes long, the virus first reads the first V bytes of the host program and then appends this information to the end of the host program. The virus then overwrites the top of the COM program using the V bytes of viral code (see fig. 15.21). The host program can be repaired and executed normally after the virus completes its dirty work, because the information from the uninfected host program has been stored.


Figure 15.21  Improved overwriting COM virus.


Note:  Each of these schemes modifies the machine language instructions at the entry point of the COM file, guaranteeing that they gain control of the computer as soon as the infected program loads and executes. It also means that virus scanners can scan only limited sections of the COM file to detect if it is infected with a virus. (Scanning is discussed in “How Antivirus Programs Work.”)

EXE Infections

Although numerous methods are used to infect COM files, viruses use primarily one method to infect EXE format files. EXE files have a variable entry point specified by the Code Segment (CS) and Instruction Pointer (IP) fields of the file header. In the most common form of EXE infection, the virus performs the following sequence of actions:

1.  Records the host’s original entry point in itself, so it can later execute the host program normally.
2.  Appends a copy of itself to the end of the host program.
3.  Changes the entry point (using CS and IP fields) in the EXE header to point to the virus code.
4.  Changes other fields in the header, including the program’s load-image size fields to reflect the presence of the virus.

See figure 15.22 for a graphical description of this process.


Figure 15.22  EXE file before and after infection.

Notice how the Image Size has been increased by the size of the virus, V. Also note that the CS and IP fields now point to the virus rather than the original program.

This method of infection guarantees that the virus obtains control as soon as the executable image loads and executes. As with COM files, it also significantly eases virus scanning; antivirus programs can easily determine the entry point of the EXE file and thereby limit the scope and time required to scan for viruses.

SYS File Infections

The SYS file format is unique in that it has two entry points: Interrupt and Strategy. When the operating system loads the SYS file during bootup, both entry points are executed independently. Viruses can infect either one to gain control of the computer when a user loads the infected SYS file. The two entry points are specified in the header of the device driver file, so in this way the infection process for SYS files resembles the process used with EXE files. The device-driver-infecting virus performs the following sequence of actions:

1.  Selects the entry point(s) of the program it wants to modify: Strategy, Interrupt, or both.
2.  Records the host’s original entry point(s) in itself, so it can later execute the original Strategy or Interrupt routine.
3.  Appends a copy of itself to the end of the host program.
4.  Changes one or both of the two entry points in the SYS header to point to the virus code.

Figure 15.23 shows a graphical description of this process.


Figure 15.23  SYS file before and after infection.
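The COM note, the EXE section and the SYS section above all make the same defensive point: because each scheme redirects the file's entry point (or the instruction at it) into code appended at the end of the file, a scanner only has to locate the entry point and look at the bytes it leads to. The following Python triage routine is an added example, not code from the book: it parses the entry point of a COM, EXE or SYS image and flags the case where that entry (or the near JMP at the start of a COM file) lands in the last `tail_window` bytes, the region an appending infector occupies. The MZ and device-driver header layouts are taken from the documented DOS file formats rather than from this page, the `tail_window` threshold and the `build_exe`/`build_sys` helpers are my own assumptions, and the sample files are constructed fixtures of NOP filler that reproduce only the layout the figures describe.

```python
import struct

# DOS EXE (MZ) header: 'MZ' signature plus 13 little-endian words (28 bytes).
# Layout is the documented DOS EXE header, not something the page spells out.
MZ_HEADER = struct.Struct("<2s13H")
# DOS device-driver header (assumed from the DOS driver format): next-driver
# link (dword), attribute word, Strategy offset, Interrupt offset.
SYS_HEADER = struct.Struct("<IHHH")


def triage(data: bytes, tail_window: int = 512) -> dict:
    """Locate the entry point(s) of a COM, EXE or SYS image and report whether
    any of them falls inside the last `tail_window` bytes of the load image.
    This is a structural heuristic for deciding where to scan, not a signature."""
    size = len(data)
    result = {"format": "COM", "file_size": size, "image_size": size,
              "entries": [], "entry_near_end": False, "size_mismatch": False}

    if size >= MZ_HEADER.size and data[:2] in (b"MZ", b"ZM"):
        (_, cblp, cp, _crlc, cparhdr, _mn, _mx, _ss, _sp, _sum,
         ip, cs, _rel, _ov) = MZ_HEADER.unpack_from(data)
        result["format"] = "EXE"
        # Load-image size from the page count and bytes-in-last-page fields;
        # an appending virus has to bump these (figure 15.22).
        image = cp * 512 - ((512 - cblp) if cblp else 0)
        result["image_size"] = image
        result["size_mismatch"] = image != size      # overlay data or truncation
        # CS:IP is relative to the load segment, which starts after the header.
        result["entries"] = [(cparhdr + cs) * 16 + ip]
    elif size >= SYS_HEADER.size and data[:4] == b"\xff\xff\xff\xff":
        _link, _attr, strategy, interrupt = SYS_HEADER.unpack_from(data)
        result["format"] = "SYS"
        result["entries"] = [strategy, interrupt]   # both routines are entry points
    else:
        # COM: execution starts at the first byte. A near JMP (E9 rel16) there
        # is followed, because that is where control actually goes.
        entry = 0
        if size >= 3 and data[0] == 0xE9:
            rel = int.from_bytes(data[1:3], "little", signed=True)
            entry = 3 + rel            # the 0100h load address cancels out
        result["entries"] = [entry]

    limit = max(0, result["image_size"] - tail_window)
    result["entry_near_end"] = any(limit <= e < size for e in result["entries"])
    result["entry_out_of_file"] = any(not 0 <= e < size for e in result["entries"])
    return result


def build_exe(code: bytes, cs: int = 0, ip: int = 0, header_paragraphs: int = 2) -> bytes:
    """Constructed fixture: wrap `code` in a minimal, self-consistent MZ header."""
    total = header_paragraphs * 16 + len(code)
    pages, last = divmod(total, 512)
    if last:
        pages += 1
    hdr = MZ_HEADER.pack(b"MZ", last, pages, 0, header_paragraphs, 0, 0xFFFF,
                         0, 0, 0, ip, cs, MZ_HEADER.size, 0)
    return hdr.ljust(header_paragraphs * 16, b"\0") + code


def build_sys(strategy: int, interrupt: int, body_len: int) -> bytes:
    """Constructed fixture: device-driver header, 8-byte name, then filler."""
    hdr = SYS_HEADER.pack(0xFFFFFFFF, 0x8000, strategy, interrupt) + b"CONSTR$ "
    return hdr.ljust(body_len, b"\x90")


# Constructed samples. HOST stands in for a host program, FILLER for the
# appended region; both are NOPs, only the file layout is being modelled.
HOST = b"\x90" * 4096
FILLER = b"\x90" * 512
SAMPLE_CLEAN_EXE = build_exe(HOST)                                   # entry at offset 32
SAMPLE_APPENDED_EXE = build_exe(HOST + FILLER, cs=len(HOST) // 16)   # entry moved to the tail
SAMPLE_CLEAN_COM = b"\xb4\x4c\xcd\x21" + b"\x90" * 2000              # mov ah,4Ch / int 21h
SAMPLE_JMP_COM = b"\xe9" + (2000).to_bytes(2, "little") + b"\x90" * 2000 + FILLER
SAMPLE_CLEAN_SYS = build_sys(strategy=0x20, interrupt=0x40, body_len=2048)
SAMPLE_APPENDED_SYS = build_sys(strategy=0x20, interrupt=2048, body_len=2560)

if __name__ == "__main__":
    for name in ("SAMPLE_CLEAN_EXE", "SAMPLE_APPENDED_EXE", "SAMPLE_CLEAN_COM",
                 "SAMPLE_JMP_COM", "SAMPLE_CLEAN_SYS", "SAMPLE_APPENDED_SYS"):
        r = triage(globals()[name])
        print(f"{name:20} {r['format']:3} entries={r['entries']} "
              f"near_end={r['entry_near_end']} size_mismatch={r['size_mismatch']}")
```

A hit on `entry_near_end` is only a reason to scan that tail region closely; legitimate overlays, linkers that place startup code last, and self-extracting stubs produce the same shape. `size_mismatch` is the separate check from the EXE step that changes the load-image fields: when the header's image size disagrees with the file length, either an overlay follows the image or the file was truncated.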

How and When the File-Infecting Virus Gets Control

Simply stated, a file-infecting virus gains control of the computer when the user or operating system executes an infected program. In the most common scenario, the virus modifies the host program so that it gains control immediately when the program executes.

When a user executes an infected program, DOS loads the entire program into memory, virus and all, and begins executing the program at its entry point. In infected files, the virus modifies the location of the entry point or the machine code at the entry point so that the virus executes first.

After the virus machine code begins executing, it can immediately seek out and infect other executable programs on the computer, or it can establish itself as a memory-resident service provider in the operating system. As a service provider, the virus can then infect subsequent executable files as the operating system or other programs execute, copy, or access them for any reason.

File-infecting viruses are categorized as being either direct action or memory-resident file infectors. The direct-action file infector infects other program files located somewhere on the path, or on the hard drive, as soon as an infected program executes.

The memory-resident file infector loads itself into the computer’s memory using a method similar to that used by the boot-infecting viruses. First, the virus must check to see whether it has already inserted itself in memory as a system service provider. The user may have many infected programs, each of which represents a different opportunity for the virus to load itself in memory during a computing session. (Boot record viruses don’t concern themselves with this issue, as they only install themselves once during system bootup. The virus cannot inadvertently insert itself in memory as a service provider more than once.)

If the virus determines that a copy of itself isn’t yet resident in the computer’s memory, it installs itself as a resident service provider. Figure 15.24 shows the state of a computer’s memory immediately after an infected program has been loaded for execution.


Figure 15.24  Resident COM virus is loaded into RAM and executed.

DOS has two internal redundant counts of how much conventional memory is available to DOS and its applications. These counts are stored in DOS data structures, known as the Memory Control Block (MCB) and the Program Segment Prefix (PSP).

The MCB contains a field that specifies how much memory is allocated to the currently executing, foreground program. Any time a program executes, DOS initially allocates all available conventional memory to it. If 580 KB of free conventional memory exists at the time a program launches, DOS updates the MCB field to contain a value of 580. (This example actually slightly simplifies the process, but suits our purposes.)

The PSP contains a field that indicates the amount of conventional memory installed in the machine. This value is the same as the “Total memory in K-bytes” field found in the BIOS Data Area. So, if the machine has 640 KB of conventional memory, the PSP would contain a value of 640.

The typical memory-resident file virus installs itself at the end of conventional memory, just like most boot record viruses. The virus first determines how much conventional memory is in the computer by examining the MCB and PSP fields. If, for example, the virus expects to use 2 KB of memory, it then updates the PSP and MCB fields to reflect this usage. It changes the MCB field to 578 from 580, indicating that the current program has only 578 KB with which to work. The virus then changes the PSP “total memory” field from 640 to 638, indicating that only 638 KB is installed on the machine. These changes prevent DOS and other applications from modifying the newly reserved space. The virus can therefore reside in this area without being corrupted by other programs. Figure 15.25 shows the state of memory after the virus has reserved 2 KB of RAM for itself.


Figure 15.25  Resident COM virus reserves 2 KB of RAM.