DEFGEND.CVP   930921
 
                             Companion
 
There is a valid argument which says that "companion" (or
"spawning") viral programs are not viral at all.  Companion viri
certainly do not link to existing program code, at least not in a
physical way.  It might be said that they use a certain provision of
the operating system to trick you into running them rather than the
program you meant to.  Thus it might be said to be closer to a
definition of a trojan.
 
On the other hand, companion programs do reproduce.  They also form,
in a sense, a logical link with existing programs.  Even though they
are very different technically, from the average user's perspective
they certainly behave in a viral fashion.
 
Operating systems will identify files which are executable, and
distinguish between them and files which either do not contain
executable code, or which may be executed only in special ways.  On
the Atari, only files with a PRG extension can be run, although
"accessory" files can set up "resident" utilities and functions at
startup.  MS-DOS, on the other hand, has three possible executable
file types, denoted by COM, EXE and BAT extensions.  AOS/VS has many
more:  I once saw a list of 150 executable filename extensions.
 
Because the different extensions provide an additional means to
distinguish a file, three different executable files, under MS-DOS,
can all have the same "file name".  You can have a WP.COM, WP.EXE
and WP.BAT.  Normally, a program is only invoked by calling the file
name; the extension is "filled in" by the operating system.  How,
then, does the computer decide which of these three to run?
 
The answer is built in to the operating system.  There are actually
four levels of programming to check for.  First, a search is made
for an "internal" command of the command interpreter.  If that
succeeds, that command is run.  Thus, under MS-DOS, no program named
DIR.COM will ever be run.  (Alright, unless you specify the full
file name.  Don't be picky.)  If the search does not succeed, the
computer looks for a file with that filename and a COM extension,
then an EXE extension, then a BAT extension.  At each stage, if the
search succeeds, the file is run; if it fails, it goes to the next
level.  Thus, in MS-DOS, COM takes precedence over EXE, which takes
precedence over BAT.
 
A companion virus can thus "infect" a STARTUP.BAT file by making a
copy of itself called STARTUP.EXE.  It can infect CPAV.EXE by
creating CPAV.COM.  (In fact, it is probably easiest simply to stick
to COM files, whether you are infecting EXEs or BATs.)  The COM file
will take precedence, and typing "CPAV" will always call the virus
first.
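
The search order above can be turned into a check for shadowed programs.
The following is an added example, not part of the original column: it
resolves a bare command name the way the text describes (COM, then EXE,
then BAT) and reports every file that hides a lower-precedence file of
the same name.  It assumes a single directory and does not model
internal commands; the function names and the sample listing are
constructed for illustration.

```python
import os
from collections import defaultdict

# Search order described in the column: COM, then EXE, then BAT.
PRECEDENCE = ["COM", "EXE", "BAT"]

def resolve(command, filenames):
    """Return the file that would run for a bare command name, or None."""
    present = {f.upper() for f in filenames}
    for ext in PRECEDENCE:
        candidate = f"{command.upper()}.{ext}"
        if candidate in present:
            return candidate
    return None

def find_shadowed(filenames):
    """Map each winning file to the same-named files it takes precedence over."""
    by_base = defaultdict(set)
    for name in filenames:
        base, dot, ext = name.upper().rpartition(".")
        if dot and ext in PRECEDENCE:
            by_base[base].add(ext)
    findings = {}
    for base, exts in by_base.items():
        ranked = [e for e in PRECEDENCE if e in exts]
        if len(ranked) > 1:
            findings[f"{base}.{ranked[0]}"] = [f"{base}.{e}" for e in ranked[1:]]
    return findings

def scan_directory(path):
    """Run the same check over the contents of one real directory."""
    return find_shadowed(os.listdir(path))

# Constructed sample listing, not taken from a real system.
SAMPLE = ["CPAV.EXE", "CPAV.COM", "WP.EXE", "STARTUP.BAT",
          "STARTUP.EXE", "README.TXT", "EDIT.COM"]

if __name__ == "__main__":
    for winner, hidden in sorted(find_shadowed(SAMPLE).items()):
        print(f"{winner} runs instead of {', '.join(hidden)}")
```

A reported pair is only a candidate for review: compare the size and
date of the winning file against what the software package is known to
have installed.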
 
copyright Robert M. Slade, 1993   DEFGEND.CVP   930921

==============                      
Vancouver      ROBERTS@decus.ca    | "Daughters of feminists love to wear
Institute for  Robert_Slade@sfu.ca |  pink and white short frilly dresses
Research into  rslade@cue.bc.ca    |  and talk of successes with boys/
User           p1@CyberStore.ca    |  It annoys/
Security       Canada V7K 2G6      |  Their Mums ..."  - Nancy White