Internet Security Professional Reference: Viruses


Companion Viruses

Companion viruses also infect program files; however, they are unique in that they don’t attach themselves to existing program files. Instead, the companion virus infects by creating a new file and causing DOS to execute this new program rather than the original one.

Companion viruses use numerous strategies. One such virus creates a COM file with the same filename and in the same directory as an existing EXE file.

When a user types the name of a file to execute at the DOS prompt and both a COM and EXE file of the same name reside in the same directory, DOS always executes the COM file and ignores the EXE file. This type of companion virus, for example, could create a file named FORMAT.COM in the DOS directory, knowing that FORMAT.EXE is a popular and frequently executed file that also resides in the DOS directory. (The average user could easily overlook the addition of a new file with such a name. In addition, some companion viruses actually conceal the file by changing its attribute to hidden.)

This technique ensures that when a user attempts to execute the FORMAT program, DOS loads the companion virus rather than the original program. Once it has finished its own work, the companion virus runs the original FORMAT.EXE program, and the user is none the wiser.

Another type of companion virus is known to rename an existing file and then assume the original name. The virus might change the name of a file from FOO.EXE to FOO.DAT, for example, then rename itself FOO.EXE. When FOO.EXE is executed, the companion virus then gains control and can infect at will. One of the last tasks this companion virus takes on is to launch the original program, in an effort to minimize the user’s ability to sense foul play.

In yet another strategy, the companion virus assigns itself the same filename and extension as an existing file. However, it places itself in a directory earlier in the path than the directory within which the target program resides.

The DOS path facility enables the user to execute programs not necessarily present in the currently active directory. If the user executes such a program, DOS searches through each of the directories based on the order in which they are specified in the path. After DOS finds a program that matches the criteria, it stops the search and executes the program.

If the user tries to execute the infected program from a directory other than that in which the original program resides, the virus program, rather than the original program, executes, because the virus places itself in an earlier directory. As with other viruses, after the virus completes its mission, it transfers control to the original program.

For example, consider the following path statement:

PATH C:\NDW;C:\WINDOWS;C:\DOS;C:\AFTERDRK

A companion virus places a copy of itself in a file called FOO.EXE in the Windows directory. The original FOO.EXE resides in the AFTERDRK directory. When the user attempts to execute the original program, the viral version of FOO.EXE executes.
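The three name-based layouts described above (COM beside EXE in one directory, a duplicate name in an earlier PATH directory, and the rename trick) all depend on DOS's lookup order. The following is an added example, not code from the book: it models that lookup order (current directory first, then each PATH directory, and within a directory COM before EXE before BAT) and audits a directory listing for executables that another file would pre-empt. The PATH statement is the one from the text; the directory contents are constructed for the demonstration. The rename variant (FOO.EXE becoming FOO.DAT) leaves no name collision, so a name audit cannot catch it; that case needs content inspection.

```python
"""Audit a DOS-style PATH and directory listing for executable-name shadowing.

Added example (not from the book). The directory contents below are
constructed; the PATH statement is the one quoted in the text.
"""
from typing import Dict, List, Optional, Tuple

# DOS tries these extensions, in this order, in each directory it searches.
EXT_ORDER = ("COM", "EXE", "BAT")

# Constructed listing: a companion FOO.EXE in C:\WINDOWS shadows the real
# FOO.EXE in C:\AFTERDRK, and FORMAT.COM in C:\DOS shadows FORMAT.EXE.
SAMPLE_LISTING: Dict[str, List[str]] = {
    "C:\\NDW": ["NDW.EXE"],
    "C:\\WINDOWS": ["WIN.COM", "FOO.EXE"],
    "C:\\DOS": ["FORMAT.COM", "FORMAT.EXE", "XCOPY.EXE"],
    "C:\\AFTERDRK": ["FOO.EXE", "AD.EXE"],
}


def parse_path(path_statement: str) -> List[str]:
    """Turn 'PATH C:\\NDW;C:\\WINDOWS;...' into an ordered, upper-cased list."""
    body = path_statement.strip()
    if body.upper().startswith("PATH"):
        body = body[4:]
    return [d.strip().upper() for d in body.split(";") if d.strip()]


SAMPLE_PATH = parse_path("PATH C:\\NDW;C:\\WINDOWS;C:\\DOS;C:\\AFTERDRK")


def resolve(name: str, cwd: str, listing: Dict[str, List[str]],
            path_dirs: List[str]) -> Optional[Tuple[str, str]]:
    """Return the (directory, filename) DOS would run for a bare program name.

    Rule modelled: the current directory is searched first, then each PATH
    directory in order; inside a directory COM beats EXE beats BAT, and the
    first hit ends the search. That first-hit rule is what a companion file
    exploits, so it is also what an audit has to reproduce.
    """
    base = name.upper()
    cwd = cwd.upper()
    for directory in [cwd] + [d for d in path_dirs if d != cwd]:
        files = {f.upper() for f in listing.get(directory, [])}
        for ext in EXT_ORDER:
            candidate = f"{base}.{ext}"
            if candidate in files:
                return directory, candidate
    return None


def audit(listing: Dict[str, List[str]], path_dirs: List[str]) -> List[tuple]:
    """Report every executable that another file would pre-empt."""
    findings: List[tuple] = []

    # Layout 1: COM and EXE with the same base name in one directory.
    for directory, files in listing.items():
        by_base: Dict[str, set] = {}
        for f in files:
            base, _, ext = f.upper().rpartition(".")
            if ext in EXT_ORDER:
                by_base.setdefault(base, set()).add(ext)
        for base, exts in by_base.items():
            if "COM" in exts and "EXE" in exts:
                findings.append(("com-shadows-exe", directory, base))

    # Layout 2: the same base name in an earlier PATH directory.
    first_seen: Dict[str, str] = {}
    for directory in path_dirs:
        for f in listing.get(directory, []):
            base, _, ext = f.upper().rpartition(".")
            if ext not in EXT_ORDER:
                continue
            earlier = first_seen.setdefault(base, directory)
            if earlier != directory:
                finding = ("path-shadowing", earlier, base, directory)
                if finding not in findings:
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    for program in ("FORMAT", "FOO"):
        print(program, "->", resolve(program, "C:\\NDW", SAMPLE_LISTING, SAMPLE_PATH))
    for finding in audit(SAMPLE_LISTING, SAMPLE_PATH):
        print(*finding)
```

Running it shows FORMAT resolving to C:\DOS\FORMAT.COM and FOO, typed from any directory but C:\AFTERDRK, resolving to the C:\WINDOWS copy; the audit lists both collisions. On a real system the listing would come from `os.listdir` over each PATH directory, and a hidden attribute on a colliding file (which the text notes some companions set) would be a further reason to look at it.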

Potential Damage by File-Infecting Viruses

Currently, more than 7,000 known DOS file viruses exist. Although the majority of these viruses don’t do any intentional harm, many of them can cause significant damage. Like any other program, a computer virus can include bad code (most often referred to in programming vernacular as a bug).

Regrettably, the virus writers of the world don’t have large quality assurance departments to test their work.

Most damage caused by file viruses results from buggy virus code. Luckily, the unintentional damage done by file-infecting viruses usually affects easily replaceable program files as opposed to precious data files. Perhaps the most common form of damage to program files is due to improper infection techniques. This section highlights several types of damage that occur to executable files due to buggy virus infection.

For instance, COM-format files are restricted by DOS to be under 65,280 bytes long. If a virus infects a COM file whose length is close to this limit, the virus may push the length of the executable file over its limit. If the user tries to execute the infected program later, DOS refuses to execute the program. Unfortunately, many COM-infecting file viruses infect COM files without checking if, once infected, the target file length exceeds the allowable size.

Some file viruses determine the executable program type by examining the filename extension (COM or EXE). Other viruses examine the actual contents of the file to determine its format. A virus that uses the former technique may end up corrupting programs under DOS. This happens because DOS doesn’t use the extension of the executable file to determine the type of the executable file. COM-format files can be named using EXE extensions under DOS and work correctly (and vice versa). NDOS.COM, a commonly used command shell file, for example, actually has an EXE file format.

Assume for a moment that the user has an EXE format program incorrectly named FOO.COM. If the virus assumes that the FOO.COM program is of COM-format, because of its extension, and infects the program based on this assumption, it necessarily infects the program incorrectly. The EXE and COM formats are sufficiently different such that applying one infection method to a file of the other format causes the program to become corrupted.

This is akin to a blindfolded surgeon operating on a kidney when he thinks he is performing heart-bypass surgery. The mistaken surgery most likely results in the “corruption” of the unfortunate patient’s kidney.

Recall that the typical EXE file consists of a header portion and the memory image of the actual program. When a user executes an EXE program, DOS loads its memory image into RAM and, after some processing, transfers control to the program’s entry point. DOS determines the size of the memory image from fields in the EXE header as opposed to the file’s size on disk.

Therefore, EXE files can be any size, as long as the program’s memory image falls below 640 KB (or whatever the available conventional memory limit is). Often, software producers place additional “overlay” data or code modules in EXE files after the program’s memory image. As long as the EXE header specifies an appropriate memory image size for the program, DOS never loads this “overlay” data/code into the computer’s memory. Using standard DOS system services, however, the program itself could load this information later.

Windows executable files also use this mechanism to couple DOS programs with Windows programs. Every Windows EXE file has a so-called “DOS stub” program that prints out a “This program requires Microsoft Windows” message if the program executes from DOS. In these files, the memory image size of the DOS program is, in most cases, less than 2 KB.
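The two points made above, that DOS decides a file's format from its contents rather than its extension (so an EXE-format program named FOO.COM is perfectly valid), and that an EXE's memory image size comes from header fields rather than the file size on disk (so anything after the image is never-loaded overlay), can both be checked with a small content-based classifier. The following is an added example, not code from the book: it reads the MZ header fields DOS uses, computes the image and overlay sizes, applies the 65,280-byte COM limit quoted earlier, and flags files whose extension disagrees with their real format (including an MZ-format program hidden under a non-executable name such as FOO.DAT). The sample files are constructed byte strings, not real programs.

```python
"""Classify DOS executables by content and read the EXE header fields DOS
itself uses to size the memory image.

Added example (not from the book). The sample files are constructed.
"""
import struct
from typing import Dict

COM_MAX_SIZE = 65_280        # DOS limit on a COM image, as stated in the text
MZ_FMT = "<2s13H"            # first 28 bytes of the MZ header, little-endian


def detect_format(data: bytes) -> str:
    """'EXE' if the file carries an MZ header, otherwise a raw 'COM' image."""
    return "EXE" if len(data) >= 28 and data[:2] in (b"MZ", b"ZM") else "COM"


def parse_mz_header(data: bytes) -> Dict[str, int]:
    """Derive image and overlay sizes the way DOS does: from header fields."""
    if detect_format(data) != "EXE":
        raise ValueError("not an MZ executable")
    (_magic, cblp, cp, _crlc, cparhdr, minalloc, _maxalloc,
     _ss, _sp, _csum, ip, _cs_unused, _lfarlc, _ovno) = struct.unpack(MZ_FMT, data[:28])
    # e_cp counts 512-byte pages; e_cblp is the number of bytes used on the
    # last page (0 means the last page is full).
    load_end = cp * 512 - ((512 - cblp) if cblp else 0)
    header_size = cparhdr * 16          # e_cparhdr is in 16-byte paragraphs
    return {
        "header_size": header_size,
        "image_size": load_end - header_size,          # bytes DOS copies to RAM
        "overlay_size": max(len(data) - load_end, 0),  # trailing data never loaded
        "entry_ip": ip,
        "min_alloc_paragraphs": minalloc,
    }


def check_file(name: str, data: bytes) -> Dict[str, object]:
    """Compare the extension with the real format and apply the size rules."""
    ext = name.rsplit(".", 1)[-1].upper() if "." in name else ""
    fmt = detect_format(data)
    result: Dict[str, object] = {
        "name": name,
        "extension": ext,
        "format": fmt,
        # FOO.COM that is really an EXE, or vice versa (the text's example).
        "extension_mismatch": ext in ("COM", "EXE") and ext != fmt,
        # An MZ program parked under a non-executable name (e.g. FOO.DAT).
        "exe_under_other_name": fmt == "EXE" and ext not in ("COM", "EXE"),
    }
    if fmt == "COM":
        # DOS refuses to run a COM image above the limit.
        result["exceeds_com_limit"] = len(data) > COM_MAX_SIZE
    else:
        result.update(parse_mz_header(data))
    return result


def build_sample_exe(overlay: bytes) -> bytes:
    """Constructed MZ file: 32-byte header, 512-byte zeroed image, then overlay."""
    header_paras = 2                               # 32-byte header
    image = bytes(512)                             # constructed program body
    load_len = header_paras * 16 + len(image)      # 544 bytes DOS reads
    cp = (load_len + 511) // 512                   # 2 pages
    cblp = load_len % 512                          # 32 bytes used on last page
    header = struct.pack(MZ_FMT, b"MZ", cblp, cp, 0, header_paras,
                         0, 0xFFFF, 0, 0, 0, 0, 0, 0x1C, 0)
    return header.ljust(header_paras * 16, b"\0") + image + overlay


# Constructed 4-byte COM program that only calls the DOS exit service.
SAMPLE_COM = bytes([0xB4, 0x4C, 0xCD, 0x21])


if __name__ == "__main__":
    for fname, blob in (("FOO.COM", build_sample_exe(b"X" * 100)),
                        ("FOO.DAT", build_sample_exe(b"")),
                        ("HELLO.COM", SAMPLE_COM)):
        print(check_file(fname, blob))
```

The classifier mirrors the text's point exactly: a scanner that trusts the extension would treat the EXE-format FOO.COM as a raw image, while DOS (and this checker) look at the header first. The overlay size is also what makes a Windows executable's DOS stub so small: everything after the stub's image is, to DOS, just overlay.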

