Details
Win95.Companion

It is not a dangerous nonmemory resident companion virus. It searches for PE-EXE files (Win95/NT executable files), renames them with COM extension, then copies virus code with EXE extension. As a result of infection there are two files - original file with COM extension and companion file with EXE extension and with the virus body inside.
The virus infects no more than two files in the current directory. Then it executes its host file and returns control. If there are no host file, the virus shows Windows MessageBox and immediately closes it.
To do its work the virus uses standard Win95 routines exported from KERNEL32.DLL and USER32.DLL:
CopyFileA, ExitProcess, FindNextFileA, GetCommandLineA, WinExec,
lstrcpyA, FindFirstFileA, MessageBoxA

The virus also contains the texts:
*.EXE .COM
DeleteFileA

The last string is the name of standard Win95 routine, but it is never called.
Text added: Dec-23-1996

Related Posts

This entry was posted on Monday, July 28th, 2008 at 11:50 am and is filed under Virus Threats.