Windows Viruses on Windows Platforms

To date there is no such thing as a Windows boot virus, although theoretically NT is ripe for such an exploit. Windows executable viruses, however, are able to spread on different Windows versions depending on how they were written and the platform they land on.

First Windows Viruses

The first native Windows virus, WinVir, didn’t appear until April 1992, a full two years after Windows 3.0 was released. Although it infected Windows .EXE files, it contained no Windows API calls and instead resorted to DOS interrupts, which showed even two years later that virus writers didn’t really understand the Windows environment. When WinVir was run, it would infect every Windows .EXE in the current subdirectory, and at the same time disinfect the program it was initially launched from. Virus writers didn’t wait as long to develop a 9x virus, although Windows NT proved a tougher nut to crack.

Released in Internet newsgroups in February 1996 by the Australian VLAD virus writing group, Boza was the first Windows 95 virus. When run, the direct infection (nonresident) virus would look for three 32-bit executables to infect in the current directory. If it couldn’t locate three hosts, it kept moving up a directory level until it found three files to infect. Eventually, it would stop at the root directory. On the 30th of every month, Boza will display a message box announcing its presence and list other viruses programmed by the VLAD group.

Released in late 1997, Win32.Cabanas was the first virus to work under Windows NT. Complex enough to be buggy in its first release, it is a memory-resident, stealth, armored, encrypted virus. When run, it will immediately infect all Windows EXEs (checking for the MZ signature) and SCR (screensaver files) in the %Windir% and %Windir%\System folders. Using some unique NT file handling routines, it infects all of these files in a few seconds. It hooks interrupts and APIs, and can infect files listed from a DIR command. It will try to hide increases in host file size. It works in Windows 9x and Windows 3.x with the Win32s API. A great article about it can be found at http://www.peterszor.com.

Today, viruses targeted at a particular version are being written and released while the latest Windows version is in beta testing. Windows virus writing mimics, on a smaller scale, the Windows development process. Virus writers have virus beta testers, release candidates, disclaimers, product launches, and press releases. Obviously, the virus-writing groups have grown more sophisticated, but so have the tools.

Windows viruses no longer have to be written in assembly language, as several high-level Windows programming languages make the job easier. Plus, the Windows file structures have been documented more thoroughly and Microsoft has been more forthcoming with programming details. Early on it was hard for even legitimate programmers to get access to Microsoft’s programming constructs and file formats. Now, free tutorials are available all over the Web. Programming tools are coming with GUIs so that it is possible to write complete programs without ever writing the first line of code. Today, we have over 600 different 32-bit Windows viruses, and on a whole, they are more sophisticated than their DOS counterparts.

Effects of Windows Viruses

Windows viruses come in three forms: 16-bit, 32-bit, and platform-specific. 16-bit viruses infect Windows 3.x platforms and new executables, but are often able to infect Microsoft’s 32-bit platforms. Many Windows viruses still contain a fair amount of 8- and 16-bit code, and as such, can easily interact with the DVM environment running under Windows 3.x, Windows 9x, and Windows ME.

Viruses that can operate on more than one 32-bit platform are known as Win32 viruses. If a virus has platform-specific coding, it might be known as a Win95, WinNT, or W2K virus. Half of all known 32-bit Windows viruses are known as Win32. About 75 percent of those will work on Windows 2000. The other 50 percent of 32-bit viruses are known as Win95 viruses, which means they only work completely on Windows 9x platforms. Most Win95 viruses use the virtual device driver (VxD) method to spread, and NT and 2000 platforms do not use or allow VxD files. In a strange twist, Windows 2000 contains APIs that were available in Windows 9x, but not NT. This means some viruses might be able to run on Windows 2000 and 9x, but not Windows NT.

Tip

Much of this material in this section was taken from Symantec’s Peter Pzör and his papers on 32-bit viruses (http://www.peterszor.com). They can also be found on Symantec’s antivirus (http://www.sarc.com) and Virus Bulletin’s (http://www.virusbtn.com) web sites.

Viruses written correctly to infect a particular platform will be able to spread readily and invisibly, for the most part, although the new file protection (xFP) mechanisms of Windows ME and Windows 2000 will prevent many viruses, worms, and Trojans from spreading. For instance, many viruses and Trojans modify KERNEL32.DLL. With file protection enabled, a default state, the KERNEL32.DLL will be corrupted, and then immediately replaced by a clean copy before further harm can be done. A growing number of new viruses, including W2K.Installer and Win32.CTX intentionally do not infect xFP-protected files. It is expected that future viruses and worms will be successful in bypassing xFP, either by disabling it or by exposing weaknesses in its implementations. After all, xFP was not explicitly designed to prevent MMC.

Windows virus implications

Many Windows viruses, if they don’t try to modify protected files will have no problem infecting programs and spreading. Windows 32-bit viruses, on the whole, take greater pains to avoid detection than their DOS predecessors. They will use any advantage, such as running multiple threads or secondary streams, to defeat antivirus scanners. Others use random execution, entry point obscuring, multiple virus code sections, coprocessing instructions, and advanced encryption algorithms to defeat scanners. Antivirus researchers will tell you much of the virus code being written today is significantly more complex than the code they examined five years ago. Virus writers have finally had time to catch up. Even the natural maturation of programming tools makes detection harder. Most 32-bit Windows viruses are written in high-level languages (HLL), like C or Visual Basic, which create very similar-looking program files. This complicates detection and repair. And because most viruses don’t take great pains to save host information, it can be difficult for antivirus programs to remove the virus and return the host file to its complete, original state.

Get Malicious Mobile Code now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.