NEWS FROM THE LAB - Wednesday, July 7, 2004

Companion viruses Posted by Mikko @ 08:22 GMT

In this time when people mostly get hit by email or network worms, it's typical that an infected computer has just a couple of infected files, or even just one. That might explain why we've been getting confused reports from people who've been hit by some of the latest Lovgate variants.

Lovgate spreads in a variety of ways, one of which is a "companion" infection. A companion virus renames its target file so that the user ends up running the virus rather than the real program. For example, Lovgate.AE will locate EXE files on the hard drive, rename them to have a ".ZMX" extension instead of ".EXE", and drop itself as an .EXE file in the same directory under the same name. Lovgate.AH does the same but uses ".~EX" as the extension.

So for example a directory like this:


Will end up looking like this:


The virus might do this renaming operation to hundreds of EXE files in one go. End result: instead of finding one or two infected files, the user will find masses of them. With Lovgate, this is normal.

Companion viruses are really an old idea. In the early 1990s, they typically worked by simply dropping a program called FILE.COM if FILE.EXE existed in the same directory, exploiting the DOS execution order. For example, see the HLLC.Plane featured in our Update Bulletin 2.25 from April 1996:
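As an added illustration of how a defender can spot both companion patterns described in this post (the Lovgate .ZMX / .~EX rename trick and the old FILE.COM-beside-FILE.EXE DOS trick), here is a small Python scanner. It is example code written for this page, not an F-Secure tool, and it identifies nothing by content: it only flags a renamed original sitting next to a same-named .EXE in the same directory, then checks whether the dropped files are byte-identical, which is what you would expect when one virus body has been copied into hundreds of directories. The directory layout it scans is constructed in a temporary folder; the assumption that file names compare case-insensitively mirrors Windows file systems.

```python
"""Scan a directory tree for companion-virus traces (added example).

Pattern 1: Lovgate-style rename companions. The original program is
           renamed to .ZMX (Lovgate.AE) or .~EX (Lovgate.AH) and a
           same-named .EXE is dropped beside it.
Pattern 2: Classic DOS companions. FILE.COM sits beside FILE.EXE and
           wins on DOS execution order.
A hit is a candidate for inspection, not proof: a lone .ZMX with no
.EXE beside it is ignored, and a few legitimate packages do ship both
a .COM and an .EXE of the same name.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions named in the post; lookup is case-insensitive (assumption:
# Windows-style file names).
RENAME_COMPANION_EXTS = {".zmx": "Lovgate.AE", ".~ex": "Lovgate.AH"}


def _same_dir_sibling(files, stem, ext):
    """Case-insensitive lookup of stem+ext among one directory's names."""
    want = (stem + ext).lower()
    for f in files:
        if f.lower() == want:
            return f
    return None


def find_rename_companions(root):
    """Return (renamed_original, dropped_exe, variant) for each pair found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            variant = RENAME_COMPANION_EXTS.get(ext.lower())
            if variant is None:
                continue
            exe = _same_dir_sibling(files, stem, ".exe")
            if exe is not None:          # both halves of the pair present
                hits.append((Path(dirpath, name), Path(dirpath, exe), variant))
    return sorted(hits)


def find_dos_companions(root):
    """Return (com_file, exe_file) pairs: FILE.COM beside FILE.EXE."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".com":
                continue
            exe = _same_dir_sibling(files, stem, ".exe")
            if exe is not None:
                hits.append((Path(dirpath, name), Path(dirpath, exe)))
    return sorted(hits)


def largest_identical_cluster(paths):
    """Size of the biggest group of byte-identical files among `paths`.

    Dropped companions are copies of one virus body, so a large cluster
    across many directories is a strong corroborating signal.
    """
    counts = {}
    for p in paths:
        digest = hashlib.sha256(Path(p).read_bytes()).hexdigest()
        counts[digest] = counts.get(digest, 0) + 1
    return max(counts.values(), default=0)


def scan(root):
    """Run both finders and report paths relative to `root`."""
    root = Path(root)
    rename_hits = find_rename_companions(root)
    dos_hits = find_dos_companions(root)
    rel = lambda p: p.relative_to(root).as_posix()
    dropped = [e for _o, e, _v in rename_hits] + [c for c, _e in dos_hits]
    return {
        "rename": [(rel(o), rel(e), v) for o, e, v in rename_hits],
        "dos": [(rel(c), rel(e)) for c, e in dos_hits],
        "largest_identical_cluster": largest_identical_cluster(dropped),
    }


def build_sample_tree(root):
    """Constructed layout mimicking a Lovgate hit plus one DOS companion."""
    layout = {
        "app1/tool.zmx": b"original tool program",
        "app1/tool.exe": b"CONSTRUCTED-DROPPER-BODY",
        "app2/game.~ex": b"original game program",
        "app2/game.exe": b"CONSTRUCTED-DROPPER-BODY",
        "app3/clean.exe": b"untouched program",
        "app4/orphan.zmx": b"renamed file with no exe beside it",
        "dos/edit.exe": b"real editor",
        "dos/edit.com": b"CONSTRUCTED-DROPPER-BODY",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def scan_sample_tree():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    result = scan_sample_tree()
    for orig, exe, variant in result["rename"]:
        print(f"{variant}: {orig} renamed, dropper at {exe}")
    for com, exe in result["dos"]:
        print(f"DOS companion: {com} shadows {exe}")
    print("largest cluster of identical droppers:",
          result["largest_identical_cluster"])
```

On a real machine you would point `scan()` at a drive root and treat the renamed originals as the files to restore after the dropped .EXE has been removed, which is exactly why the masses of hits the post describes are normal for Lovgate rather than a sign of hundreds of different infections.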