|
In MS-DOS and compatible DOSes, a COM file is a simple type of executable file with the file name extension .com (not to be confused with the .com top-level domain). The format is still executable on modern Windows-based platforms, but it is run in an MS-DOS-emulating subsystem. Originally the COM was short for "command" as these .com files contained the code for the basic commands that could be run on the machine.
Execution preference
It is a standard feature of DOS to execute the .COM file if the requested file exists in both .COM and .EXE form. For example, suppose the execution of foo is requested, perhaps by typing this at a DOS prompt or by adding it to a DOS batch file, then executing the batch file.
C:\>foo
Next, consider that executable files called both foo.com and foo.exe exist either in the current working directory or somewhere else in the system path. In the example above, the current working directory, as mentioned in the DOS prompt, is C:\, the root of C-drive. The system path is a list of directories where the computer has been told to expect to look for executable files. In the case where both exist and both can be found, foo.com will be executed rather than foo.exe.
Explicitly typing
C:\>foo.com
or
C:\>foo.exe
avoids this confusion.
Malicious substitution
Taking advantage of this default behaviour, virus writers and other malicious programmers sometimes use names like notepad.com for their creations. Their hope is that, if it can correctly be placed on a target Windows machine, their program will one day be run in preference to the common and ubiquitous notepad.exe text editor.
Note that in Linux and other Unix-based operating systems, the current working directory is not part of the system path. The reason for this is that, especially under these operating systems, it is much easier for malicious authors to confuse a user enough to get their code into an executable state in the user's current working directory than it is to get it into other directories on the system path. If this were achieved, and the safeguard were not in place (as it is not under Microsoft Windows) then a Linux user might type an everyday command such as
nigel@earth:~>ls
and run a local, malicious executable called 'ls' rather than the harmless system version. For this reason, Linux users who do want to run a local executable must explicitly specify this using '.' to specify the current directory, as in this example:
nigel@earth:~>./configure
Unfortunately, this safeguard does not exist in Windows or MS-DOS. Therefore, over the years, many a malicious notepad.com and dir.com have unwittingly been executed, often with full 'Administrator' rights.
Binary format
The COM format is perhaps the simplest executable format of all; it contains no metadata, only code and data, and is loaded at address 100h of some segment and executed. Because of how the segmentation model works, there's no need for relocation.
Its simplicity exacts a price, however: the binary has a maximum size of 65,280 (FF00h) bytes and stores all its code and data in one segment. This was not an issue on early 8-bit machines, but it is the main reason why the format fell into disuse soon after the introduction of 16- and then 32-bit processors with their much larger, segmented memories.
On an 8-bit machine, only 65,536 bytes of memory can be addressed (address range 0000h to FFFFh). In early operating systems like CP/M and MS-DOS, the first page of this memory, from 0000h to 00FFh was reserved for system use, and any user program had to be loaded at exactly 0100h to be executed. COM files fitted this model perfectly. Note that there was no possibility of running more than one program or command at a time: the program loaded at 0100h was run, and no other.
Examples in use
Many shell utilities such as the MS-DOS version of more used this format, as well as small, early applications such as the IBM game Alley Cat.
Malicious use
Some recent computer virus writers have hoped to capitalise on modern computer users' likely lack of knowledge of the COM command-file format, along with their more likely familiarity with dot-com Internet domain names. E-mails have been sent with an attachment named along the lines of "www.free-gift.com". Unwary Microsoft Windows users who clicked on the attachment would not be visiting a web site at http://www.free-gift.com/, but rather would find themselves running a carefully-crafted, and probably malicious, binary command called www.free-gift and giving it full permission to do to their machine whatever its author had in mind.
Note that there is nothing malicious about the COM file format itself. This example highlights an unintended name-collision between .com command files and, a decade or more later, .com commercial web sites.
| 
