How a computer virus presents itself is dependent on the type of virus and the Windows platform infected. Typically, the older and more widespread the virus, the less likely it will be able to spread and cause harm. In this section, we will cover the signs and symptoms of computer virus infection in Windows.
Some signs of virus infection are:
The normal signs and symptoms of successful computer virus infection apply. Hacker-sounding taunts, such as “Gotcha” or “You’re infected,” should be a major clue. Randomly appearing graphics, sounds, file disappearance -- all of these should be taken as possible signs of virus infection.
Sudden, unexpected executable file growth and/or date changes. This is one of the quickest ways of spotting a computer virus, but you have to know what to look for. Windows will frequently update executables (i.e., EXEs, DLLs) as a normal part of business. The trick is to look for widespread executable updates at the same time as other suspicious symptoms started occurring.
Unexpected modification of startup areas (AUTOEXEC.BAT) registry, Startup group.
Sudden, unexpected long-term hard drive accessing after your program or data is loaded could be suspect.
Windows 16-bit and 32-bit
program files infected with a DOS virus will usually fail to run. DOS
viruses infecting newer versions of
may result in “Bad or missing command interpreter”
messages and the system is halted. When an infected program is
started, Windows immediately produces a fatal error message, or in
some instances, Windows locks up or displays blue screens. An error
message may state that an “Invalid Page Fault” occurred,
a program attempted to write to an illegal memory location, or the
file you are attempting to execute could not be located. The last
error message is confusing because many times you are double-clicking
on the same executable file Windows is saying it could not locate
(don’t be fooled by a misdirected shortcut). Be especially
suspicious if Windows executables will not start, but DOS programs
work fine; or vice versa. Another virus-created error message stating
“This version of Windows does not run on DOS 7.0 or
earlier” when you haven’t installed new programs should
clearly lead you to suspect a DOS virus.
With Windows 3.1, viruses frequently caused the following Windows warnings, “The Microsoft Windows 32-bit disk driver (WDCTRL) cannot be loaded. There is an unrecognizable disk software installed on this computer” or “This application has tried to access the hard disk in a way that is incompatible with the Windows 32-bit disk access feature (WDCTRL). This may cause the system to become unstable.” Inability to create a temporary or permanent swap file can be caused by a boot virus. Later versions of Windows 3.x produce error messages suggesting that computer viruses could be responsible when presenting these types of errors.
Windows 9x systems may boot without an error message, but reveal that
the file or virtual memory system is in
. You can check this by choosing
On most systems you should see the file and virtual memory system in
32-bit mode. Systems running real-mode processes
could be the result of Windows detecting a program that hooks the
disk’s write-interrupt routine. Although there can be several
legitimate causes (i.e. third-party driver, antivirus program, etc.)
for this type of symptom, computer viruses are a likely cause. If the
driver name listed as causing MS-DOS Compatibility mode is
definitely suspect a boot virus. You can edit
to determine what file might be causing the conflict.
If you’ve been around
Windows NT any decent amount of time, you are probably already
familiar with the infamous
Blue Screen of Death
Fatal System Stop
(Windows 2000 BSOD is actually black).
They have been around since the days of Windows 3.0, and are present
in Windows 9x, but are more common in Windows NT. When Windows
encounters a serious error, it will immediately halt the system and
display a debugging screen. If you are not used to BSODs, they can be
a little intimidating -- lots of numbers and filenames. What is
displayed on the screen is different for each platform. Windows NT
gives the most information. Windows 2000 has dropped a lot of the
information that was displayed in the NT version, but all versions
give you the error message text and an error number, and are followed
by the drivers and programs associated with the error. A good
troubleshooter can use this information to identify the offending
device driver or program, or use it to research Microsoft’s
Knowledge-Base articles for a remedy.
If a boot virus is successful in writing itself to an NTFS boot disk,
NT will almost always show blue screen with a
In the case of boot viruses, STOP messages will most often begin with
error codes 0x0000007A, 0x0000007B, or in the case of Windows 2000,
0x00000077. All of these STOP errors are the result of NT not being
able to correctly read the boot drive or paging memory.
Sometimes the solution is worse than the problem. STOP 0x0000001E errors are commonly caused by misbehaving antivirus programs. Microsoft, and just about every Windows software developer, recommends that all antivirus programs not be active when installing new software. Failure to do so has resulted in many problems and corrupted software installations. At the very least, memory-scanning antivirus software will significantly slow down the software install process.
Many computer viruses are discovered during the Windows installation process. When Windows 95 first came out, thousands of users complained to Microsoft that the Windows 95 Setup Disk 2 was infected with a virus. Users would start installing Windows, but when they came to Disk 2, Windows indicated the disk was bad. Many users did a virus scan and detected a boot virus on the new disks and incorrectly blamed the Redmond, Washington company. Microsoft wasn’t distributing infected diskettes, the users’ systems already contained a boot virus, which infected the new diskette while Windows was saving setup information. An “Invalid system disk” message can appear after the first reboot on an infected Windows 9x system, as Windows goes to load itself for the first time. A “Packed file corrupt” error message can occur during the initial install stages on an infected machine.
Boot viruses can cause Windows NT to state, “The hard disk containing the partition or free space you chose is not accessible to your computer’s startup program.” An infected Windows NT PC with a NTFS boot partition may say “A kernel file is missing from the disk. Insert a system disk and restart the system.” A common sign you can see when installing Windows NT on an infected system is that NT begins to load, goes black, and then reboots, and continues repeating the cycle. Again, an infected boot sector can be suspected. Occasionally, Windows NT will be quite direct with some of its error messages, like “MBR checksum error: a virus may be present. Verify Master Boot Record integrity”.
Microsoft programmers are getting better at detecting virus-like situations and the error messages they cause. Of course, the virus writers are fighting back. Some boot sector viruses, like Gold-Bug, will detect the Windows startup process, disinfect the boot sector on the fly, and then reinfect after Windows is through checking.
Windows is very careful about what hard disk areas it uses when creating permanent swap files during the initial install. If, while creating a new swap file, Windows detects an incorrectly modified disk or disk subsystem, it will refuse to create a swap file. In Windows 3.x, the message might be, “The partitioning scheme used on your hard drive prevents the creation of a permanent swap file.” Viruses, trying to intercept the file-write interrupts, can cause swap file problems and error messages.
In summary, as we all know, Windows has enough problems and errors without a computer virus being involved, but an active PC with any of these symptoms should be checked for computer viruses. Suspect a nonvirus problem first, if you know the PC hasn’t been exposed to any new programs, files, diskettes, new emails, or Internet accesses.