This chapter builds on the knowledge learned in Chapter 3 by covering viruses and their effects on the Windows. It covers the effects of DOS viruses running under Windows and discusses viruses specifically created to infect Windows executables.
In a PC world where Windows is king, there is still a significant population of functioning DOS viruses. They do not understand how to manipulate Windows executables and the newer file storage types, so their overall ability to spread on a Windows system is decreased in most cases. Still, some do work, and the ones that don’t, can still cause bootup and runtime errors. Under a DOS Virtual Machine (DVM) session, DOS is emulated well enough to allow most DOS viruses lots of opportunity to do damage.
This section will summarize the overall effects DOS viruses have on Windows, followed by specifics for each platform.
After the POST routine of a PC is finished, the first boot drive is checked, and the Master Boot Record (MBR) is located. The MBR then tells the PC where to locate the primary boot sector of the default operating system. This process is identical for every PC regardless of the operating system. Thus, a boot virus located on a booted floppy will be able to successfully infect the boot area of all hard drives. When an infected PC boots, the infected boot sector is given control. During this stage of the booting process, the virus can execute its payload damage regardless of the operating system. In many cases, boot viruses check for particular dates or events to initiate damage routines or display messages. These damage routines are usually accomplished using ROM BIOS interrupts (e.g., 13h) and they will be successful.
If the newly infecting boot virus declines to initiate a payload routine during the first stage of the bootup, usually its next priority is to locate the default boot sector and replace it with viral code. Most boot viruses will be successful here, too. Next, a boot virus must turn over control to the original boot sector, start the default operating system, and place itself in memory (so it can infect accessed diskettes). Depending on the boot virus mechanism and the operating system, it may or may not be successful. The virus might not understand how to correctly infect the new type of boot sector, or it won’t understand the new file subsystem, or the operating system in control may prevent its future actions. In any case, the boot virus may not be successful in its later attempts. And if it isn’t, the boot virus will not spread far. However, its misguided attempts can easily disable a PC from booting properly and cause data loss.
DOS programs infected in Windows by a DOS virus usually exhibit the same signs and symptoms as if they were infected without Windows (i.e. file growth, missing free memory, program sluggishness, etc.). DOS viruses infecting Windows programs is a different story. Because DOS viruses do not know how to correctly infect Windows platforms, the most common sign of infection is program corruption. Infected program files error out and are unable to execute. If a DOS virus corrupts a key operating system file, Windows either will not load, or it will load with boot errors, or in a diminished state.
Both boot and DOS file viruses can cause problems to the Windows 3.x platform.
Because Windows 3.x has a DOS boot sector underneath, boot viruses can easily infect and replicate. With versions 3.1x and above, an error message indicating that 32-bit disk support has been disabled might be presented, but that is about all you will notice. Boot viruses can infect the boot sectors of accessed floppy diskettes without causing noticeable disruption. Multipartite viruses, which can infect executables and boot sectors, will have little problem spreading as a boot virus, but will probably encounter problems when infecting executables.
Windows 3.x is started with DOS firmly in control. Viruses infecting DOS programs can infect files started in a DVM without many problems. File-overwriting viruses will be able to spread under Windows 3.x as they normally would in DOS. Overwriting viruses always destroy the victim’s executable, and hence, understanding the new NE file format is not a prerequisite. DOS parasitic viruses will usually fail to properly infect Windows executables, instead causing immediate file corruption and subsequent error messages. There are a few DOS viruses, for example the Termite virus, which, either through luck or a brief understanding of Windows file structures, will be able to successfully use Windows executables as hosts.
Many viruses are known as
They can be written in a variety of languages and infect many types
of hosts because they attach themselves at the beginning of a mostly
unmodified host file. As long as the prepending virus can execute, it
will run, and then (hopefully) execute the underlying saved host
file. Using this method, many DOS prepending viruses will be able to
successfully function under different Windows platforms.
By the time Windows 95 came around, Microsoft was starting to build in limited antivirus features, but not enough to stop the spread of DOS viruses.
Although Windows 9x does not have a built-in antivirus scanner, it does include several features that can thwart DOS computer viruses. First, it blocks malicious programs trying to directly access the hard drive using interrupts 25h or 26h (absolute disk read/write). If a program attempts to use those interrupts, Windows 9x will attempt to intercept the call, lock the system, and display the following message: “Windows has disabled direct disk access to protect your long file-names...The system has been halted. Press CTRL+ALT+DELETE to restart your computer.” Not elegant, and it doesn’t always work, but it prevents a lot of viruses from spreading.
Second, Windows 9x monitors interrupt 13h (disk services) and
maintains a list of programs that are currently hooking it. With each
reboot, Windows 9x compares the list of programs currently hooking
interrupt 13h with the previously recorded list. If Windows 9x notes
any differences, it then compares it to a list of known safe programs
and device drivers that hook interrupt 13h. The
maintained in a file
IOS.INI located in the Windows directory. If the
new program is not on the safe list, Windows generates the following
warning message: “WARNING: Your computer may have a virus. The
Master Boot Record on your computer has been modified. Would you like
Performance tab is shown
for further details. You can then view the
IOS.LOG file for more details. It’s
important to note that the warning message only appears on the first
reboot after the initial infection. If ignored and the PC is booted
again, the virus could be successful and the warning message will not
be shown again.
The MBR modification warning message will be shown if the culprit is a pure boot infector, like the Form virus. However, tests have shown that a few MBR viruses can infect Windows 9x without setting off the alert, including Michelangelo and Telefonica.
As noted previously, if Windows 9x has been forced into
mode, then the
IOS.LOG file that can be read to locate the
file-hooking interrupt 13h or force Windows out of 32-bit file system
mode. These Window 9x features are good for users and bad for DOS
Boot viruses are able to infect and spread in Windows 9x
environments, although again, bootup errors can occur. Windows 9x
hard drive file systems are controlled by new interrupt calls and
device drivers. Most DOS virus droppers will not be able to infect a
hard drive while Windows 9x is running, although a few, like the
does not let most viruses write to the boot sector of floppy
diskettes. Some viruses will delete the driver in order to force 9x
machines to use 16-bit disk drivers and be able to replicate under
Like, Windows 3.x, every DOS program or DVM window contains a copy of
the real-mode devices loaded from the
If a virus has infected a program initialized in
session, the virus will automatically be in control of each DVM
started, and subsequently, any DOS programs started. Since Windows 9x
has no file-level security, viruses are free to roam the file system
and infect other hosts. If a user starts an infected program in one
DOS window, the virus can infect
or some other common file in memory and automatically infect files
started in another DOS window. DOS viruses infecting the new NE or PE
executable types will usually result in file corruption.
Since NT is not in control of the PC until the second half of the boot process, boot viruses can readily infect an NT PC. An infected diskette that is accidentally booted will be able to infect the boot sector or MBR of any hard drives using its normal methods. And any payload damage the virus has that runs before NT has control can cause harm. Because of this, boot viruses can and do cause damage to NT systems.
Two questions remain. First, will Windows NT boot its normal way without you noticing the boot virus infection? Second, if Windows NT does boot without error can boot infectors infect accessed floppy diskettes to spread even further? If Windows NT boots with an infected FAT partition and the virus doesn’t modify the partition table, chances are the boot will be successful without Windows NT noticing any changes. The virus will be activated upon reboot, and eventually start the original FAT boot record of Windows NT. However, once Windows NT has loaded and removed real-mode drive access, boot viruses will be unable to spread further (and are unable to cause more damage during the current session). Even stealth routines, which in DOS would hide the virus, are nullified.
Boot viruses usually place the original sectors somewhere else on the disk. Many do not protect that sector and if something overwrites it, Windows NT will not be able to boot.
Viruses that implement an encrypting or stealth routine during the initial stages of the boot, and again later after NT is booted, will have their latter actions stopped. And this isn’t always good. For instance, the Monkey MBR virus modifies the partition table to point to its own viral code, but uses stealth routines to point partition-table inspectors to the original table. After NT is in control, it queries the partition table to set up the logical disk volumes. The Monkey’s stealth routines, which would have otherwise pointed NT to the original table, are blocked by NT. So, NT isn’t able to find the original partition table and fails to boot properly. Other viruses, like One-Half, which use complex encryption or stealth routines, can cause more damage under NT, since NT prevents them from trying to hide their damage when the data is retrieved by the user.
NT with NTFS partitions will usually be unable to start after a boot virus infection. This is because NT with a NTFS boot partition will read the boot sector twice: once during bootup, and once just after NT gets control. NT will look to the boot sector a second time to recognize the logical disk volumes, fail to find the appropriate NT boot code, and crash. Surprisingly, some stealth boot viruses have a better chance, depending on their coding, to allow NT with NTFS to load without crashing. However, once NT is loaded all stealth routines are prevented, and the same rules for FAT partitions apply.
In a Virtual DOS Machine (VDM), DOS is
thoroughly emulated and viruses can easily infect other DOS files
accessed within the VDM (limited only by NTFS security). File
infectors will be able to infect any DOS file executed with the VDM
and search the hard drive for more victims. A file virus could infect
COMMAND.COM, which is kept in NT for backward
compatibility, and thus be available (and potentially active) in any
future VDM opened. Viruses that attempt to call ROM BIOS interrupt
routine services to trash the hard drive will be prevented from
Windows program files infected by a DOS virus will usually be corrupted and unable to start, thus limiting the spread of the virus. If any of these files are crucial to NT’s booting or operational capacity, NT could be prevented from functioning. Luckily, Windows 2000 and ME have Windows File Protection (WFP) and System File Protection (SFP) and can implement self-repair.
Further, DOS file viruses are limited by the file access rights of the logged on user. A strictly protected Windows NT system with NTFS partitions prevents normal users from modifying executable and system files, and will prevent file viruses from causing any harm. However, floppy diskettes are always formatted with FAT, and DOS viruses can potentially infect files located there.
As you have read, the death of DOS viruses on Windows platforms has been greatly exaggerated. In fact, if it were not for the new file and partition formats (which aren’t backward compatible), very little would have been done to prevent the DOS virus from spreading. Yes, each version of Windows has added more protection against computer viruses, but if not for the unintended side effect of normal obsolescence, this book might solely be about DOS viruses. The latest versions of Windows, with their self-repair mechanisms, have taken the first real steps toward a real virus protection solution.