Summary

COM Infector (generic description)

This type of virus infects COM files. A COM file is a small (less than 65 kilobytes) binary executable file. That format was widely used during DOS operating system era. However this format was used for some utilities in Windows 95, 98 and ME. In Windows NT, 2000 and XP there also exist COM files, but they are mostly files in EXE format and were given COM extension for backward compatibility reasons.

Disinfection

Additional Details

A COM infector can be prepending (writes itself before the original file), appending (writes itself to the end of the original file), overwriting (overwrites the original file with its own code), inserting (inserts itself into gaps inside the original file) and companion (renames the original file and writes itself with the original file's name). A COM infector can be memory resident and non-memory resident. Memory resident viruses stay active in memory, trap one or more system functions (usually interrupt 21h) and infect files while they are accessed. Non-memory resident viruses search for COM files on a hard disk and infect them.

A COM infector can be non-encrypted, encrypted or polymorphic. An encrypted or polymorphic virus consists of one or more decryptors and a main code. A decryptor decrypts main virus code before it could be started. Encrypted viruses usually use fixed or variable key decryptors while polymorphic viruses have decryptors that are randomly generated from processor instructions and contain a lot of commands that are not used in decryption process. Writeup: Alexey Podrezov, July 14th, 2003;

Description Updated: Alexey Podrezov, May 24th, 2004;

F-Secure Corporation