What is a Companion Virus?

A companion virus is an older type of computer virus that disguises itself as a legitimate program by using the same file name but a different file extension. Instead of modifying the original file, it creates a separate malicious “companion” file that runs before the real program.

For example, if a real program is named accounts.exe, a companion virus may create a malicious file named accounts.com in the same location. When a user runs accounts, the system may execute the malicious file first, depending on how the operating system handles executable file priority.

How Does a Companion Virus Work?

A companion virus takes advantage of how some operating systems search for and run executable files. In older DOS-based systems, .com files often had execution priority over .exe files with the same name.

The attack usually works like this:

  • A legitimate file already exists on the system.
  • The virus creates a malicious file with the same base name.
  • The malicious file uses a different extension or location.
  • The system runs the malicious file before the real one.
  • The virus may then launch the original program to avoid suspicion.

This made companion viruses harder to notice because the original program could still appear to work normally.

Why are Companion Viruses Risky?

Companion viruses can execute malicious code without directly changing the original application. This can make them harder to detect using simple file-size or file-integrity checks.

Once active, a companion virus may spread, install additional malware, alter files, steal data, or disrupt system behavior. The risk increases when users run files from untrusted folders, removable drives, email attachments, or downloaded packages.

Are Companion Viruses Still Relevant?

Classic companion viruses are mostly associated with older DOS and Windows environments. However, the general idea still matters. Modern malware may use similar tactics, such as masquerading as trusted files, abusing file paths, or placing malicious files where users or systems expect legitimate ones.

So, while the original technique is less common today, the lesson remains useful: file names alone do not prove that a program is trustworthy.

How Can Organizations Reduce the Risk?

Organizations can reduce exposure by:

  • Showing file extensions instead of hiding them.
  • Blocking unknown or unauthorized executables.
  • Avoiding software from untrusted sources.
  • Using app allowlisting where possible.
  • Keeping operating systems and endpoint security tools updated.
  • Restricting user permissions.
  • Monitoring suspicious duplicate file names or unusual executable activity.
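
One way to implement the duplicate-file-name monitoring from the list above, as an added example (not Hexnode's code or part of the original page). The extension priority order is an assumption modelled on the DOS behaviour described earlier, and the files it scans in the demo are constructed placeholders.

```python
import os
import tempfile
from collections import defaultdict

# Assumed priority order, modelled on DOS (.com before .exe before .bat);
# adjust it to the PATHEXT value of the systems you audit.
EXEC_PRIORITY = [".com", ".exe", ".bat", ".cmd"]


def find_companion_candidates(root):
    """Return findings for directories where one base name has several
    executable extensions, so launching it without an extension is ambiguous."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_base = defaultdict(list)
        for name in files:
            base, ext = os.path.splitext(name)
            if ext.lower() in EXEC_PRIORITY:
                by_base[base.lower()].append(name)
        for base, names in sorted(by_base.items()):
            if len(names) < 2:
                continue
            # Sort by the order the command interpreter would try them.
            names.sort(key=lambda n: EXEC_PRIORITY.index(
                os.path.splitext(n)[1].lower()))
            findings.append({
                "directory": dirpath,
                "base": base,
                "runs_first": names[0],
                "shadowed": names[1:],
            })
    return findings


def demo():
    """Scan a constructed directory tree (sample data, not real files)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("accounts.exe", "accounts.com", "report.exe", "notes.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"placeholder")
        return [(f["runs_first"], f["shadowed"])
                for f in find_companion_candidates(root)]


if __name__ == "__main__":
    for first, shadowed in demo():
        print(f"review: {first} would run before {shadowed}")
```

A finding is a prompt for review, not proof of infection: some legitimate packages ship both a `.com` and an `.exe` launcher, so compare each hit against the software inventory.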

How Hexnode Helps

Companion viruses depend on users or systems running the wrong file. Hexnode helps reduce this risk by giving IT teams stronger control over what can run on managed endpoints.

With Hexnode UEM, organizations can manage approved apps, enforce device policies, restrict unauthorized applications, and monitor device compliance. For threat visibility, Hexnode XDR helps teams detect, investigate, and respond to suspicious endpoint activity that may indicate malware behavior.

Frequently Asked Questions (FAQs)

Usually, no. It creates a separate malicious file with a similar name, then relies on execution order to run before the real program.

They often left the original file unchanged. Since they created a separate companion file, early security tools could miss them during basic file checks.