Tuesday, June 06, 2006

what is a companion virus?

a companion virus is a virus that exists as a separate (companion) program to the host program...

it may not be obvious how something like this would be able to meet the defining criteria of a virus and may sound more like a worm, however a companion virus is able to infect host programs without modifying their contents (that is how they can be separate programs)... it does this by taking advantage of operating system features that allow it to be executed instead of its host program...

for example - in DOS if you type a program name without specifying the path and that program happens to not be in the current directory, DOS will search each directory in your PATH sequentially until it finds a program with that name or it reaches the end of your PATH... a path companion virus need only assume the same name as an existing program on your computer but place itself in a directory closer to the beginning of your PATH so that DOS finds the viral program first and executes it instead of the program the user intended...

another type of companion infection utilizes the fact that if a program name is specified without a file extension, DOS will look for *.com files before it looks for *.exe files so the virus need only copy itself as ProgramName.com in the same directory as the original ProgramName.exe in order to get executed...
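a defender's check for the two DOS cases above, added here as an example (it is not from the original post): it walks a list of PATH directories in order and reports every program name that a *.com file or an earlier directory would answer first... the function names and the placeholder files built in demo() are made up for illustration...

```python
import os
import tempfile
EXT_ORDER = [".com", ".exe"]  # lookup order described in the post: *.com before *.exe

def programs_in(directory):
    """map lowercase base name -> {extension: real file name} for one directory"""
    found = {}
    try:
        names = os.listdir(directory)
    except OSError:
        return found  # missing or unreadable PATH entry
    for name in names:
        base, ext = os.path.splitext(name)
        if ext.lower() in EXT_ORDER and os.path.isfile(os.path.join(directory, name)):
            found.setdefault(base.lower(), {})[ext.lower()] = name
    return found

def find_shadowing(path_dirs):
    """return (kind, program, file_that_runs, file_that_is_shadowed) tuples"""
    findings, first_seen, seen_dirs = [], {}, set()
    for d in path_dirs:
        key = os.path.normcase(os.path.abspath(d))
        if key in seen_dirs:
            continue  # a directory listed twice in PATH does not shadow itself
        seen_dirs.add(key)
        progs = programs_in(d)
        for base in sorted(progs):
            exts = sorted(progs[base], key=EXT_ORDER.index)
            winner = os.path.join(d, progs[base][exts[0]])
            for ext in exts[1:]:  # same directory, same name, earlier extension wins
                findings.append(("extension", base, winner, os.path.join(d, progs[base][ext])))
            if base in first_seen:  # an earlier PATH directory already supplies this name
                findings.append(("path", base, first_seen[base], winner))
            else:
                first_seen[base] = winner
    return findings

def demo():
    """constructed sample: two PATH directories holding empty placeholder files"""
    root = tempfile.mkdtemp()
    early, late = os.path.join(root, "early"), os.path.join(root, "late")
    for d, names in ((early, ["EDIT.EXE"]), (late, ["edit.exe", "FORMAT.COM", "format.exe"])):
        os.makedirs(d)
        for n in names:
            open(os.path.join(d, n), "w").close()
    return [(k, p, os.path.basename(a), os.path.basename(b)) for k, p, a, b in find_shadowing([early, late, early])]

if __name__ == "__main__":
    print(*find_shadowing(os.environ.get("PATH", "").split(os.pathsep)), sep="\n")
```

a hit is something to review rather than proof of infection, since legitimate software sometimes installs the same program name in more than one directory...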

some flavours of *nix (as well as some alternative DOS shells) have a command alias facility that can also be used for companion infection...

additionally, a virus could rename or make a backup copy of the host program and then replace the original with itself and be yet another kind of companion virus...

the original program is generally retained so that the companion virus can execute it after the virus itself gets executed - this makes the system appear to behave properly since the program you intended to execute does get executed....
