A ".com" file was a hangover from the CP/M days of the 1970s; put simply, in essence it was a memory image of the executable code that got loaded directly into memory at a known offset (100h). MS-DOS then jumped to that address and started executing the code. Thus all a malware writer had to do was start the .com code with a three-byte jump instruction to get past a block of "random bytes" to the start of the XOR decryption engine. The block of random bytes could likewise be any length, even random, as its length could be easily calculated from the jump address. The decryption engine then walked its way down the image in memory, decrypting itself as it went, repeatedly using the "random bytes". Thus the payload would be decrypted and then executed. In turn the first payload could be a "Run Length Decoder" or similar to expand a second payload; as long as it all stayed within the 64Kbyte limit it would work. Most ASM programmers of the time --and if you wrote PC Code back then you were an ASM programmer-- could cut their own version of such XOR code in at most an afternoon using debug.com[2], and the run length coder in a day, as it was most certainly not "Rocket Science".
[2] Like much else Microsoft sold, debug.com was not originally developed or even purchased by them. It was written in 1980 by Tim Paterson, who put it into the public domain. So Microsoft just used it in MS-DOS 2.X onwards, with as far as I remember no acknowledgment at all. For those of us that knew that, the Bill Gates "rant" letter about people copying BASIC struck us as hypocritical at best.
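
The layout described above, seen from the analyst's side: an added example (not part of the original comment) that decodes the leading jump, slices out the key block, and XOR-decodes the body of a constructed image. The function names, sample bytes, NOP placeholder standing in for the decryption engine, and the assumption that the key index restarts at the first body byte are all hypothetical.

```python
import struct

LOAD_BASE = 0x100  # MS-DOS loads a .com image at offset 100h


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_layout(image: bytes) -> dict:
    """Decode the leading 3-byte near JMP (E9 rel16) and slice out the key block."""
    if len(image) < 3 or image[0] != 0xE9:
        raise ValueError("image does not start with a 3-byte near JMP")
    (rel16,) = struct.unpack_from("<H", image, 1)
    # rel16 counts from the byte after the JMP and wraps within the 64 KiB segment
    stub_address = (LOAD_BASE + 3 + rel16) & 0xFFFF
    stub_offset = stub_address - LOAD_BASE
    if not 3 <= stub_offset < len(image):
        raise ValueError("jump target lies outside the image")
    return {"key": image[3:stub_offset], "stub_offset": stub_offset,
            "stub_address": stub_address}


def decode_body(image: bytes, body_offset: int) -> bytes:
    """Recover the body; body_offset (end of the stub) is supplied by the analyst."""
    layout = parse_layout(image)
    if not layout["key"]:
        raise ValueError("jump skips zero bytes, so there is no key block")
    if not layout["stub_offset"] <= body_offset <= len(image):
        raise ValueError("body offset must lie at or after the stub")
    # Assumption: the key index restarts at 0 on the first body byte
    return xor_repeat(image[body_offset:], layout["key"])


def build_sample() -> tuple:
    """Constructed image: JMP, 8 key bytes, NOP placeholder stub, encoded marker."""
    key = bytes.fromhex("5a13c47e09b261f8")   # constructed "random bytes"
    stub = b"\x90" * 6                         # placeholder, not a real decryptor
    body = xor_repeat(b"CONSTRUCTED SAMPLE BODY", key)
    image = b"\xE9" + struct.pack("<H", len(key)) + key + stub + body
    return image, 3 + len(key) + len(stub)


if __name__ == "__main__":
    image, body_offset = build_sample()
    layout = parse_layout(image)
    print(f"key block: {len(layout['key'])} bytes, stub at {layout['stub_address']:#06x}")
    print(decode_body(image, body_offset))
```

The key-block length falls straight out of the jump displacement, which is why a leading near JMP over a high-entropy gap was a usable static signal for this layout.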