2.3 DOS Virus Technologies

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 2.  DOS Computer Viruses

Once a virus writer knows how to write one, the first decision is what type of virus to write. A boot virus is a common choice because it loads before any other software and has complete control of the machine before the operating system is even loaded. File viruses are somewhat easier to write and can accomplish more. What either type can do is limited only by the writer's creativity. The writer has to decide how obvious the virus will be, when it will spread, and what it will do when it decides to execute its payload.

2.3.1 Writing a Virus

Writing a virus isn't as hard as most people think. You certainly don't have to be a programming genius, as most computer users popularly believe. In fact, if all you write is malicious code, it's easier than writing productive, legitimate applications: the subset of applicable programming commands is smaller, and the time-consuming process of writing bulky error-checking routines can be dispensed with. What the virus writer does need to know is found in bland technical manuals filled with arcane detail. How else would you find out which sector holds the disk partition table (the master boot record, at cylinder 0, head 0, sector 1 on a DOS-era PC), or at what memory address the interrupt vector table lives (the first 1,024 bytes of memory, starting at 0000:0000)? Writing viruses takes as much patience as creativity.
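The two "arcane details" just mentioned, the partition table and the interrupt vector table, are exactly the structures a DOS anti-virus author had to read as well. The following is an added example, not code from the book: it parses a 512-byte master boot record and a 1,024-byte interrupt vector table from constructed byte images, and applies a simplified version of the classic DOS memory check for a vector that has been re-pointed into high memory, where a resident virus parks itself. The 0x90000 threshold, the sample partition and the sample vectors are assumptions constructed for the example.

```python
# Added example (not from Grimes's book): the two DOS data structures the text
# mentions, parsed from constructed byte images.
#  - The partition table lives in the master boot record (MBR), the 512-byte
#    sector at cylinder 0, head 0, sector 1: boot code, then four 16-byte
#    partition entries at offset 0x1BE, then the 0x55 0xAA signature at 0x1FE.
#  - The real-mode interrupt vector table (IVT) is the first 1,024 bytes of
#    memory: 256 entries, each a little-endian 16-bit offset then segment.
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE
PART_ENTRY_SIZE = 16
BOOT_SIG_OFFSET = 0x1FE
IVT_SIZE = 256 * 4


def decode_chs(raw: bytes):
    """Unpack the packed cylinder/head/sector triple used in partition entries."""
    head = raw[0]
    sector = raw[1] & 0x3F                        # low 6 bits
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]    # high 2 bits of cyl + low byte
    return cylinder, head, sector


def parse_mbr(mbr: bytes):
    """Return the populated partition entries of a 512-byte MBR image."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("missing 55 AA boot signature")
    entries = []
    for i in range(4):
        start = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[start:start + PART_ENTRY_SIZE])
        if ptype == 0:          # type 0 means the slot is unused
            continue
        entries.append({
            "bootable": status == 0x80,
            "type": ptype,
            "start_chs": decode_chs(chs_start),
            "end_chs": decode_chs(chs_end),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def parse_ivt(ivt: bytes):
    """Return {interrupt_number: (segment, offset)} for a 1,024-byte IVT dump."""
    if len(ivt) != IVT_SIZE:
        raise ValueError("the IVT is exactly 256 four-byte entries")
    vectors = {}
    for n in range(256):
        offset, segment = struct.unpack_from("<HH", ivt, n * 4)
        vectors[n] = (segment, offset)
    return vectors


def linear(segment: int, offset: int) -> int:
    """Real-mode segment:offset to a 20-bit linear address."""
    return (segment << 4) + offset


def hooked_vectors(ivt: bytes, threshold=0x90000):
    """Simplified form of a classic DOS anti-virus check: a resident virus that
    parks itself at the top of conventional memory and re-points a vector
    (INT 13h disk, INT 21h DOS) at itself leaves that vector pointing into high
    memory. The 0x90000 threshold is an assumption for this example; real tools
    compared against the addresses DOS and the BIOS actually occupied."""
    flagged = []
    for n, (seg, off) in parse_ivt(ivt).items():
        addr = linear(seg, off)
        if addr >= threshold:
            flagged.append((n, addr))
    return flagged


# Constructed MBR: a JMP into (empty) boot code and one bootable FAT16 partition.
SAMPLE_MBR = bytearray(MBR_SIZE)
SAMPLE_MBR[0:3] = b"\xEB\x3C\x90"
SAMPLE_MBR[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
    "<B3sB3sII",
    0x80,                      # bootable
    bytes([1, 1, 0]),          # start: head 1, sector 1, cylinder 0
    0x06,                      # FAT16
    bytes([15, 0xFF, 0xFF]),   # end: head 15, sector 63, cylinder 1023
    63,                        # first LBA
    2048)                      # sector count
SAMPLE_MBR[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xAA"
SAMPLE_MBR = bytes(SAMPLE_MBR)

# Constructed IVT: INT 21h points into a plausible DOS kernel segment; INT 13h
# has been re-pointed into high memory, as a resident boot-sector virus does.
SAMPLE_IVT = bytearray(IVT_SIZE)
struct.pack_into("<HH", SAMPLE_IVT, 0x21 * 4, 0x1234, 0x0116)   # offset, segment
struct.pack_into("<HH", SAMPLE_IVT, 0x13 * 4, 0x0005, 0x9F80)
SAMPLE_IVT = bytes(SAMPLE_IVT)

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
    print("hooked:", [(hex(n), hex(a)) for n, a in hooked_vectors(SAMPLE_IVT)])
```

Reading the same 512 bytes from sector 1 is how a boot virus finds the partition table it must preserve when it moves the original MBR aside, and comparing the INT 13h vector before and after a boot is how early resident-virus checkers noticed that something had moved in.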

Once the basic tenets of DOS and low-level programming are understood, writing a simple virus is straightforward. Don't get me wrong. There are highly intelligent, gifted, malicious code writers in the world. Fortunately, most are not. All a file virus has to do is find a host file, open it, write itself into the host, and close it. Four things. That's it. Every file virus is nothing more than a sophisticated variation on those same four routines. When mischievous programmers learn how easy it is to write a virus, it doesn't take long for the malicious experiments to begin.
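To make those four routines concrete, the following is an added example, not code from the book: a byte-level model of what a DOS .COM appending infector changes in its host, together with the two checks a scanner can run against the result (a heuristic on the entry-point jump and an integrity fingerprint). Everything works on in-memory byte strings; nothing is written to disk or executed, and the host program, the placeholder "body", the `DEMO` marker and the half-of-file threshold are constructed assumptions for the example.

```python
# Added example (not from Grimes's book): a byte-level model of the four steps
# a .COM appending infector performs (find a host, open it, write itself in,
# close it) and two checks a scanner can run on the result. Everything operates
# on in-memory byte strings; nothing touches the disk or executes. The host and
# the "virus body" are constructed placeholder bytes, not real code.
import hashlib

COM_MAX_SIZE = 0xFF00   # about the largest image DOS will load as a .COM
MARKER = b"DEMO"        # marker this model appends so it can recognise infected hosts


def is_infected(image: bytes) -> bool:
    """Most real infectors also leave a marker so they skip already-infected hosts."""
    return image.endswith(MARKER)


def infect_com(host: bytes, body: bytes) -> bytes:
    """Model of 'write itself to the host file' for an appending .COM infector.

    The first three bytes of the host are saved and replaced with a near jump
    (E9 rel16) to the appended body; the saved bytes follow the body so the
    virus could restore them and jump back to offset 100h after running.
    """
    if len(host) < 3:
        raise ValueError("host too small to hold the 3-byte jump")
    if is_infected(host):
        return host
    if len(host) + len(body) + 3 + len(MARKER) > COM_MAX_SIZE:
        raise ValueError("infected image would exceed what DOS loads as a .COM")
    saved = host[:3]
    # rel16 is measured from the byte after the 3-byte JMP; the target is old EOF
    disp = len(host) - 3
    return b"\xE9" + disp.to_bytes(2, "little") + host[3:] + body + saved + MARKER


def jmp_target(image: bytes):
    """File offset reached by a near JMP at the entry point, or None if there is none."""
    if len(image) < 3 or image[0] != 0xE9:
        return None
    disp = int.from_bytes(image[1:3], "little", signed=True)
    return (3 + disp) & 0xFFFF          # wraps like the 16-bit IP would


def entry_jumps_into_tail(image: bytes) -> bool:
    """Heuristic check: a program whose first instruction jumps into the second
    half of its own file looks like an appending infection. Clean programs
    rarely start that way; the half-of-file threshold is an assumption here."""
    target = jmp_target(image)
    return target is not None and target >= len(image) // 2


def fingerprint(image: bytes) -> str:
    """Integrity checkers need not know the virus: they detect that the file changed."""
    return hashlib.sha256(image).hexdigest()


def changed_files(baseline: dict, current: dict) -> list:
    """Names whose current fingerprint differs from the stored baseline."""
    return sorted(name for name, img in current.items()
                  if fingerprint(img) != baseline.get(name))


# Constructed host: MOV AH,4Ch / INT 21h (a DOS program exit) padded with NOPs.
CLEAN_HOST = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x90" * 60
# Constructed placeholder body: NOPs standing in for the infector's own code.
BODY = b"\x90" * 32

if __name__ == "__main__":
    infected = infect_com(CLEAN_HOST, BODY)
    print("entry jumps to offset", jmp_target(infected), "of", len(infected), "bytes")
    print("heuristic flags it:", entry_jumps_into_tail(infected))
    print("changed:", changed_files({"HELLO.COM": fingerprint(CLEAN_HOST)},
                                    {"HELLO.COM": infected}))
```

The two checks fail in different ways, which is why DOS anti-virus products shipped both: the jump heuristic catches a never-before-seen appending infector but also fires on some legitimate programs, while the fingerprint comparison is exact but only detects a change after the fact and needs a trusted baseline taken on a clean system.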

One of the smallest working viruses, Define, is a mere 30 bytes long. It doesn't work well, but it works. Early viruses were usually, though not always, written in low-level assembly language, because assembly programs are small and fast and can do anything the hardware is capable of. Other languages, such as BASIC or Pascal, have also been used to write viruses, but their built-in runtime routines bloat the code and limit what it can do.

The term "low-level" means that the software interacts more directly with the hardware, with fewer translation steps in between. Instructions in a high-level language such as C or Pascal go through many intermediate steps, including being compiled down into low-level machine instructions, before they ever touch the hardware.




Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176
