This type of virus infects COM files. A COM file is a small (less
than 65 kilobytes) binary executable file. The format was widely
used during the DOS operating system era, and it was also used
for some utilities in Windows 95, 98 and ME. Windows NT, 2000 and
XP also contain COM files, but most of them are actually in EXE
format and were given the COM extension for backward
compatibility reasons.
A COM infector can be prepending (writes itself before the
original file), appending (writes itself to the end of the
original file), overwriting (overwrites the original file with
its own code), inserting (inserts itself into gaps inside the
original file) or companion (renames the original file and
writes itself under the original file's name). A COM infector can
be memory resident or non-memory resident. Memory resident
viruses stay active in memory, trap one or more system functions
(usually interrupt 21h) and infect files as they are accessed.
Non-memory resident viruses search for COM files on a hard disk
and infect them.
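The format and placement points above can be turned into a static
triage check for files with a COM extension. The following is an
added example, not F-Secure code: it separates EXE-format files
from flat COM images and flags an entry jump that lands in the
tail of the file, a common trait of appended code that legitimate
programs can share, so a flag means "review", not "infected". The
function names, flag strings and the 2 KB tail window are
assumptions, and the sample inputs are constructed.

```python
import struct

COM_LOAD_OFFSET = 0x100                   # DOS loads a COM image at offset 100h
MAX_COM_SIZE = 0x10000 - COM_LOAD_OFFSET  # image shares one 64 KB segment
TAIL_WINDOW = 0x800                       # assumption: "tail" = last 2 KB

def triage_com(data: bytes) -> dict:
    """Static triage of the bytes of a file that has a .COM extension."""
    result = {"format": "com", "entry_jump_target": None, "flags": []}
    if data[:2] in (b"MZ", b"ZM"):
        # EXE-format file with a COM extension: no COM-specific checks apply.
        result["format"] = "exe"
        return result
    if len(data) > MAX_COM_SIZE:
        result["flags"].append("too-large-for-com")
    if len(data) >= 3 and data[0] == 0xE9:
        # E9 rel16 is a near jump relative to the next instruction (IP 103h).
        (rel16,) = struct.unpack_from("<H", data, 1)
        ip = (COM_LOAD_OFFSET + 3 + rel16) & 0xFFFF
        target = ip - COM_LOAD_OFFSET     # convert back to a file offset
        result["entry_jump_target"] = target
        if target < 0 or target >= len(data):
            result["flags"].append("entry-jump-outside-file")
        elif len(data) > TAIL_WINDOW and target >= len(data) - TAIL_WINDOW:
            result["flags"].append("entry-jump-into-tail")
    return result

def make_sample(size, jump_to=None):
    """Constructed test input: NOP filler ending in RET, optional entry JMP."""
    body = bytearray(b"\x90" * (size - 1) + b"\xC3")
    if jump_to is not None:
        body[0:3] = b"\xE9" + struct.pack("<H", (jump_to - 3) & 0xFFFF)
    return bytes(body)

if __name__ == "__main__":
    samples = {
        "renamed exe": b"MZ" + bytes(62),
        "plain com": make_sample(4096),
        "jump near start": make_sample(4096, jump_to=16),
        "jump into tail": make_sample(4096, jump_to=4000),
    }
    for name, data in samples.items():
        print(f"{name:16} {triage_com(data)}")
```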
A COM infector can be non-encrypted, encrypted or polymorphic. An
encrypted or polymorphic virus consists of one or more decryptors
and the main code. A decryptor decrypts the main virus code before
it can run. Encrypted viruses usually use fixed or variable key
decryptors, while polymorphic viruses have decryptors that are
randomly generated from processor instructions and contain a lot
of commands that are not used in the decryption process.
Disinfection
Automatic Disinfection
Viruses infecting boot and executable files are usually
disinfected automatically by F-Secure Anti-Virus (FSAV). In some
cases, when automatic disinfection is not possible because of file
corruption or an overwriting virus, the user can select a
disinfection action manually to make FSAV rename or delete an
infected file. In some special cases it is recommended to use
specific disinfection tools provided by F-Secure. They can be
downloaded from our ftp site:
F-Secure Anti-Virus can be purchased from our webshop or from our
authorised distributors. A trial version of F-Secure Anti-Virus,
limited to 30 days, can be downloaded from our website:
All the latest versions of FSAV can download anti-virus database
updates automatically. However, these updates can also be
downloaded and installed manually from our web or ftp sites:
It is not recommended to manually disinfect files and boot
sectors, as this can damage a system and make it unbootable.
System Restore issue and file viruses
If Windows ME or XP is used, it is recommended to disable the
System Restore feature of these operating systems to prevent the
computer from being re-infected by malware that has already been
removed. The System Restore feature might save an infected file
into its special folder and copy it back to the hard drive every
time the file is renamed or deleted by F-Secure Anti-Virus or by
a user. Instructions on how to disable the System Restore feature
are here:
It is recommended to re-enable System Restore after disinfection
so that a stable system configuration can be restored in the
future if any crash or incompatibility issue occurs.
Contacting F-Secure for help
If you have problems with disinfection, please consult a computer
technician or send a message (and a sample) to our Viruslab. We
have guidelines for sending virus samples, hoaxes and
virus-related questions to F-Secure Viruslab published here: