Thursday, November 24, 2005

Companion (or Sprawling) Viruses

In their DOS form, these viruses locate EXE files and place a COM file of the same base name in the same directory as the EXE file.
For example, if the virus infects your Calc.exe program, it creates a Calc.com file in the same directory. If you type CALC on a command line to launch the program, DOS launches Calc.com first, because when given a bare name COMMAND.COM looks for a .COM file before an .EXE file. Without drawing attention to itself, the infected COM file runs, often tries to infect more files, and then loads the original EXE file. The slight delay between typing CALC and seeing the program on-screen is usually barely noticeable.
Companion viruses in Windows work a little differently. Instead of placing a companion COM file in the same directory, the virus renames the original file's .EXE extension to .COM and takes the .EXE name for itself. When the user executes the program file, the virus's new EXE runs first, stays resident in memory, and infects any programs opened during the current computing session.
Some companion viruses rename the .EXE file extension to something similar, such as .EXF, and keep the original EXE file name for the virus itself. When the user runs the EXE file, the virus code activates first and then launches the intended program, similar to the behavior of the DOS-based companion viruses.
DeDouble.7200 is an example of a companion virus that feeds on DOS-based programs. True to its name, the virus creates infected files with a constant size of 7,200 bytes, and when it tries to infect a program on the first day of any year, it displays a message indicating that now is the right moment to buy an anti-virus program. Sounds like good advice, right?
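The two mechanisms above, a COM file shadowing an EXE under the DOS search order and an original renamed to an odd extension such as .EXF, both leave a visible trace on disk: two files with the same base name where only one is expected. The following is an added example, not code from the original post, showing how a defender could model the DOS search order and scan a directory tree for those collisions. It assumes the classic .COM > .EXE > .BAT precedence, treats any file beginning with the bytes "MZ" as a DOS/Windows executable, and builds its own constructed sample directory of harmless dummy files so it runs offline.

```python
"""Heuristic scanner for companion-virus artefacts (added example, not the post's code).

Assumptions: COMMAND.COM resolves a bare name in the order .COM, .EXE, .BAT;
a file whose first two bytes are "MZ" is a DOS/PE executable; the sample
directory below is constructed here purely for demonstration.
"""
import os
import tempfile

# Extension search order COMMAND.COM applies to a bare command name (assumed).
DOS_PRECEDENCE = (".com", ".exe", ".bat")

# Extensions under which an MZ executable is normal; an MZ-headed file with any
# other extension sitting beside a same-named EXE is suspicious (heuristic).
EXPECTED_EXEC_EXTS = {".exe", ".com", ".dll", ".sys", ".drv", ".scr", ".ovl"}


def resolve_dos_command(name, filenames):
    """Return the file DOS would run for the bare command `name`, or None.

    Matching is case-insensitive, as on DOS. A CALC.COM dropped next to
    CALC.EXE therefore wins every time the user types CALC.
    """
    lookup = {f.lower(): f for f in filenames}
    for ext in DOS_PRECEDENCE:
        hit = lookup.get(name.lower() + ext)
        if hit is not None:
            return hit
    return None


def has_mz_header(path):
    """True if the file starts with the 'MZ' signature of a DOS/PE executable."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def find_companion_suspects(root):
    """Walk `root` and flag name collisions typical of companion infection.

    Returns a list of (directory, filename, reason) tuples.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = {}
        for f in files:
            stem, ext = os.path.splitext(f)
            by_stem.setdefault(stem.lower(), {})[ext.lower()] = f
        for exts in by_stem.values():
            if ".exe" not in exts:
                continue
            # DOS-style companion: a COM file shadows the EXE of the same name.
            if ".com" in exts:
                findings.append((dirpath, exts[".com"], "com-shadows-exe"))
            # Renamed-original style: CALC.EXE -> CALC.EXF, virus takes CALC.EXE.
            for ext, f in exts.items():
                if ext == "" or ext in EXPECTED_EXEC_EXTS:
                    continue
                if has_mz_header(os.path.join(dirpath, f)):
                    findings.append((dirpath, f, "mz-file-under-odd-extension"))
    return findings


def build_sample_tree():
    """Create a constructed directory of harmless dummy files for demonstration."""
    root = tempfile.mkdtemp(prefix="companion-demo-")
    samples = {
        "CALC.EXE": b"MZ" + b"\x90" * 62,    # stand-in for a normal program
        "CALC.COM": b"\xb8\x00\x4c\xcd\x21",  # tiny flat COM that just exits (mov ax,4C00h / int 21h)
        "EDIT.EXE": b"MZ" + b"\x90" * 62,    # stand-in for a file that took the EXE name
        "EDIT.EXF": b"MZ" + b"\x00" * 62,    # the renamed original beside it
        "NOTE.EXE": b"MZ" + b"\x90" * 62,    # no companion; must not be flagged
        "README.TXT": b"plain text, not executable",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("DOS would run for CALC:", resolve_dos_command("CALC", os.listdir(root)))
    for _d, fname, why in find_companion_suspects(root):
        print(f"{fname:12} {why}")
```

The scanner is deliberately a heuristic: legitimate software does occasionally ship a COM and an EXE with the same name, so findings are a prompt for inspection (compare timestamps, sizes and the MZ header of the COM file) rather than a verdict. It does not cover the pure Windows variant where the original is renamed to .COM and no second file of the same stem exists; that case needs a baseline of known-good file names or hashes to compare against.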