What Is A Companion Virus?
A companion virus is one of the most complicated computer threats. It is quite different from traditional viruses given it doesn’t modify any of the files stored in the system, but makes a copy of the same file and also places different extensions of them, usually “.COM”.
Due to this trait, it becomes difficult for the user to detect the virus given most antivirus solutions detect threats based on abnormal changes in the files.
Although many users think of it as a new type of computer virus, it is quite old and was widely prominent during the era of MS-DOS, having proliferated with the help of human intrusion.
Every time the infected files were executed, this malware would replicate multiple copies of the file, thus consuming the device’s storage.
The only exception was Windows XP as it didn’t rely on MS-DOS.
How It Works
This malware can infect all your system files without even changing the byte of the files. The companion virus basically needs two things to infect your computer system - the first one is human intervention and the second is MS-DOS. It is a very sophisticated malware and can take several steps to hide it’s visibility.
Also termed a spawning virus or cluster virus, the threat infects the files in the system by locating all the files with extensions “.EXE”. This further creates a new yet similar file with a different extension, usually .COM and places it in another location alongside the malicious code. In short, if your system has two similar files with different extensions, a companion virus has surely made a place in your system.
Once the malware is installed on the device and executed, it scans the system to find a specific file named MGM.EXE. Then it creates a duplicate file containing the virus and names it MGM.COM. In most cases, this duplicate file will be placed in the directory that has all the .EXE files.
However, this file may also be placed into any available system directory along different paths. When the user accesses the .EXE file, the device’s OS executes the .COM file instead. At this point, the virus is executed and it moves on to infect other available files on the device.
Another example of a companion virus on today's Windows platforms is one that exploits the DLL library search command. For instance, if the malware were copied as a DLL to the application directory, it would take precedence over the other DLL files with the same name in the system directory, or in one of the directories defined by the PATH environment variable.
How To Detect A Companion Virus
Although this threat tends to hide itself within the directories, there are still possible ways of detecting this nuisance with ease. The easiest way of detecting it is by tracking the .COM files. Every computer has a map of the hard drive that allows users to validate the integrity of the available files. When you analyze the map, you’ll be able to determine the files that should be there in the hard drive. Additional files can then be identified and removed.
Another way to track this malware is by installing a good behavior-based antivirus on the device. The scanner will comb through all available files, folders, and directories of the computer and weed out companion viruses and every other threat. Modern-day antivirus solutions that offer heuristic and behavioral scanning are more effective at identifying the companion virus compared to traditional signature-based antiviruses.
A companion virus, unlike most threats, can cover its tracks pretty well. However, it is easy to detect and remove if you have a clear integrity map of the files that should be a part of the computer’s hard drive. Apart from a reliable antivirus, the best defense from this malware or any other threat is to stop it from infecting your device in the first place. Hence it is a good idea to be cautious of the websites you visit, the files you download, and the email attachments you open.