DEFGEND.CVP 930921

Companion

There is a valid argument which says that "companion" (or "spawning") viral programs are not viral at all. Companion viri certainly do not link to existing program code, at least not in a physical way. It might be said that they use a certain provision of the operating system to trick you into running them rather than the program you meant to. Thus it might be said to be closer to a definition of a trojan.

On the other hand, companion programs do reproduce. They also form, in a sense, a logical link with existing programs. Even though they are very different technically, from the average user's perspective they certainly behave in a viral fashion.

Operating systems will identify files which are executable, and distinguish between them and files which either do not contain executable code, or which may be executed only in special ways. On the Atari, only files with a PRG extension can be run, although "accessory" files can set up "resident" utilities and functions at startup. MS-DOS, on the other hand, has three possible executable file types, denoted by COM, EXE and BAT extensions. AOS/VS has many more: I once saw a list of 150 executable filename extensions.

Because the different extensions provide an additional means to distinguish a file, three different executable files, under MS-DOS, can all have the same "file name". You can have a WP.COM, WP.EXE and WP.BAT. Normally, a program is only invoked by calling the file name; the extension is "filled in" by the operating system. How, then, does the computer decide which of these three to run?

The answer is built into the operating system. There are actually four levels of programming to check for. First, a search is made for an "internal" command of the command interpreter. If that succeeds, that command is run. Thus, under MS-DOS, no program named DIR.COM will ever be run. (Alright, unless you specify the full file name. Don't be picky.)
If the search does not succeed, the computer looks for a file with that filename and a COM extension, then an EXE extension, then a BAT extension. At each stage, if the search succeeds, the file is run; if it fails, it goes to the next level. Thus, in MS-DOS, COM takes precedence over EXE, which takes precedence over BAT.

A companion virus can thus "infect" a STARTUP.BAT file by making a copy of itself called STARTUP.EXE. It can infect CPAV.EXE by creating CPAV.COM. (In fact, it is probably easiest simply to stick to COM files, whether you are infecting EXEs or BATs.) The COM file will take precedence, and typing "CPAV" will always call the virus first.

copyright Robert M. Slade, 1993

==============
Vancouver      ROBERTS@decus.ca        | "Daughters of feminists love to wear
Institute for  Robert_Slade@sfu.ca     | pink and white short frilly dresses
Research into  rslade@cue.bc.ca        | and talk of successes with boys/
User           p1@CyberStore.ca        | It annoys/
Security       Canada V7K 2G6          | Their Mums ..." - Nancy White
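
The lookup order described in the column above, written as a check that can be run over a directory listing to flag files that will never be reached by a bare command name. This is an added example, not part of the original column; the listing and the short set of internal commands are constructed, and only a single directory is considered.

```python
from collections import defaultdict

# Lookup order described in the column: COM, then EXE, then BAT.
PRECEDENCE = ("COM", "EXE", "BAT")
# Constructed subset of interpreter built-ins; DIR is the column's example.
INTERNAL = {"DIR", "COPY", "DEL", "TYPE"}
# Constructed directory listing for illustration.
LISTING = ["CPAV.EXE", "CPAV.COM", "STARTUP.BAT", "STARTUP.EXE",
           "WP.EXE", "DIR.COM", "README.TXT"]


def split_name(filename):
    """Return (BASE, EXT) in upper case; DOS names are case-insensitive."""
    base, _, ext = filename.upper().rpartition(".")
    return (base, ext) if base else (ext, "")


def resolve(command, filenames):
    """Return what a bare command name would run in one directory, or None."""
    command = command.upper()
    if command in INTERNAL:
        return "<internal>"
    present = {split_name(f) for f in filenames}
    for ext in PRECEDENCE:
        if (command, ext) in present:
            return f"{command}.{ext}"
    return None


def find_shadowed(filenames):
    """List (winner, [files never reached]) for each contested base name."""
    by_base = defaultdict(set)
    for f in filenames:
        base, ext = split_name(f)
        if ext in PRECEDENCE:
            by_base[base].add(ext)
    findings = []
    for base in sorted(by_base):
        names = [f"{base}.{e}" for e in PRECEDENCE if e in by_base[base]]
        if base in INTERNAL:
            findings.append(("<internal>", names))
        elif len(names) > 1:
            findings.append((names[0], names[1:]))
    return findings


if __name__ == "__main__":
    for winner, losers in find_shadowed(LISTING):
        print(f"{winner} runs instead of {', '.join(losers)}")
```

A flagged pair is a triage signal rather than proof of infection, since legitimate software can ship two executables with the same base name; what matters is whether the higher-precedence file is expected to be there.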