Windows Virus Examples

Windows viruses are as varied as their DOS predecessors, although because of the challenges of programming in a Windows environment, there are currently fewer of them. Windows environments afford virus writers who are willing to learn 32-bit programming a plethora of new ways to be malicious. Often, Windows viruses are part virus and part Trojan. Here are a few examples.

WinNT.Remote Explorer

Discovered on December 17, 1998, Remote Explorer was the first virus to load itself as a Windows NT service and the first to steal an administrator’s security rights to spread. Believed to have been released by a disgruntled employee, the Remote Explorer attacked MCI WorldCom’s global network. The virus is written in Microsoft Visual C++ and is quite large for a virus at 125KB and 50,000+ lines of code. Some experts estimated that it took a knowledgeable individual(s) over 200 hours to write.

When an infected executable is started on an NT machine and the current user has Administrator privileges, the virus installs itself in the \WinNT\SYSTEM32\DRIVERS folder as IE403R.SYS and runs itself as an NT system service. Running as a service, the virus gets loaded each time NT loads. Once installed, the EXE portion of the virus releases control (behaving more as a Trojan dropper). The registry will have a new key, HKLM\System\CurrentControlSet\Services\Remote Explorer, added to reflect the new service. If the current user is not an Administrator member, the service install will not work, but the virus will still be loaded into memory.

It will check the security privileges of the logged-on user every 10 minutes while waiting for a Domain Administrator. When an administrator does log on, it then uses the administrator’s security credentials to install itself as a service, and steals the new credentials to infect other trusted networks. The virus uses an impressive routine to steal the Domain Administrator’s security clearance: it opens another process (using the OpenProcessToken Windows API), usually EXPLORER.EXE, duplicates the security token assigned to that process, and then uses the stolen token to run a copy of itself under the administrator’s credentials using the CreateProcessAsUser API.

The virus is visible as IE403R.SYS in the Task Manager’s process list and in Control Panel Services as Remote Explorer. The infection routine is set to run in low-priority mode during peak business hours. Authorities think this was so the virus would be less noticeable. The infection routine randomly scans local and shared drives and infects EXE files, but intentionally skips the \WinNT\SYSTEM, \TEMP, and \Program Files folders. The virus stores the host file’s code at the end of itself. When the infected file gets run, it copies the original file out to a .TMP file to allow it to be executed after the virus runs. Although it is a PE infector, the virus fails to verify executable type, and will corrupt non-PE EXE files. It will not infect or corrupt files with .OBJ, .TMP, or .DLL extensions. Non-NT machines can host infected files, but are not subject to further virus infection. The virus compresses, and indirectly corrupts, certain files, including .HTML and .TXT files. If it can’t infect a file that it finds, it encrypts and corrupts it. The infection process uses a file called PSAPI.DLL to do its dirty work. If deleted, the virus will recreate the file.

Remote Explorer contains a hiding and cleaning routine designed to cover up its tracks. It looks for windows with the “TASKMGR.SYS -- Application Error” and “Dr. Watson for Windows NT” titles and closes them. It also deletes the Dr. Watson log file (DRWTSN32.LOG). This routine attempts to hide error messages resulting from its activities. All in all, Remote Explorer is a sophisticated virus. We are lucky that MCI WorldCom responded quickly enough so that the virus did not spread much beyond its own networks. Remote Explorer was not designed to spread over the Internet.

Tip

Like a lot of malicious code firsts, Remote Explorer was also full of bugs and wasted code. Of the 50,000 lines of code, only a few thousand were the actual virus. The rest was unused C++ code libraries. And it was unable to check the process list without using PSAPI.DLL, which is not part of the standard NT installation.

WinNT.Infis

However, since then, there have been many viruses and Trojans that improve on the tricks learned from Remote Explorer. Remote Explorer could only infect files the user had permission to modify (working in User mode). WinNT.Infis is a memory-resident virus that arrived 10 months later in the form of an infected executable. It loads itself as a kernel mode driver called INF.SYS. This means it gets loaded every time Windows is started and has higher than normal file security permissions. Using this new method of infection, it can access files even if the logged-on user doesn’t have rights to manipulate the code. Other executable files are infected when opened. Using several undocumented NT/2000 APIs, Infis bypasses the Win32 subsystem to work under Windows NT 4.0 and Windows 2000 exclusively. What is important about Infis is that it accesses NT’s kernel mode, and thus has direct access to ports and hardware outside of Windows NT’s control. Luckily, written as a proof-of-concept virus, it has no damage payload. It could, if it wanted to, format the hard drive, delete files, or interact with the computer hardware.

Win95.CIH

Written by a Taiwanese college student as a protest against antivirus companies, CIH (named after the virus author’s initials) was the first virus that could cause computer damage so bad that it often required hardware replacement. Millions of PCs have been hit by it. South Korea alone had 240,000 PCs hit in one month. It infects PE files and places itself in unused file areas within the host. Since the virus infects PE files, it can be present on Windows NT machines, but since it uses pure Windows 95 calls, it will refuse to run. CIH will detect that it is located on a Windows NT PC, and exit quickly before letting the host file regain control.

On the 26th of any month, CIH will implement its dangerous payload. On Windows 9x machines, it will first attempt to overwrite the flash-BIOS firmware code. If successful, this will cause the PC to be unable to boot. In the past, all BIOS firmware code used to be written to the BIOS chip using a special EPROM chip device. Today, most BIOS firmware can be written and upgraded using a DOS-executed program or bootable floppy distributed by the BIOS chip maker or PC vendor. In theory the solution to corrupted firmware is easy. Rewrite the BIOS firmware code and deal with the virus’s second payload routine.

If you are lucky, you can download a new firmware installer from the PC vendor or BIOS manufacturer and write a new image. Unfortunately, many times, the motherboard manufacturer and BIOS chip maker will point fingers at each other and you will be unable to get the firmware software. If that is the case, you need replacement BIOS chips or a new motherboard. Assuming your BIOS chips are able to be removed, you have to research and find out what BIOS chips the motherboard will take. BIOS chips can easily cost $70-$90. With new motherboards starting around $100, most people end up buying a new motherboard. Hence, CIH has the distinction of being the first virus to cause hardware replacement. Although it didn’t really damage hardware physically, its consequences were the same.

Warning

If the PC is unbootable due to the BIOS damage, either the firmware diskette must be bootable or you will have to boot the PC with a DOS floppy to run the BIOS firmware update program.

Whether or not the CIH virus successfully overwrites the BIOS code (it often fails to), it then overwrites the first 1 MB of all hard drives in the system. Since it overwrites the partition table, boot sector, root directory, and FAT tables, this effectively destroys all data unless you have a data recovery tool especially written to recover from CIH damage. Steve Gibson, author of the famous SpinRite disk recovery software, wrote a utility called FIX-CIH (you can download it from http://www.grc.com). It can often recover all data from a CIH-damaged hard drive. The partition table and boot sector can easily be reconstructed by looking at hard drive parameters and operating system types. The FAT table’s erasure wasn’t as permanently destructive as the virus’s author had hoped, as today’s large hard drives most often push the backup copy of the FAT past the first megabyte of damage. Steve’s program finds the backup copy of the FAT and restores it.
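The point about the backup FAT can be checked with a little layout arithmetic. The following is an added example, not code from the book or from FIX-CIH; the two volume geometries are constructed samples, and it shows which structures fall inside the first 1 MB (2,048 sectors) of a disk.

```python
# Added illustration: which FAT volume structures lie inside the first 1 MB
# of a disk? All geometry values below are constructed samples.
SECTOR = 512
OVERWRITTEN = (1024 * 1024) // SECTOR   # first 1 MB = 2048 sectors

def fat_layout(part_start, reserved, fat_sectors, num_fats=2, root_sectors=0):
    """Return {name: (first_lba, last_lba)} for the structures the text lists."""
    layout = {"partition table (MBR)": (0, 0),
              "boot sector": (part_start, part_start)}
    lba = part_start + reserved
    for n in range(1, num_fats + 1):
        layout[f"FAT #{n}"] = (lba, lba + fat_sectors - 1)
        lba += fat_sectors
    if root_sectors:            # FAT12/16 fixed root directory follows the FATs
        layout["root directory"] = (lba, lba + root_sectors - 1)
    return layout

def damage_report(layout):
    """Classify each structure as destroyed, partial or intact."""
    report = {}
    for name, (first, last) in layout.items():
        if last < OVERWRITTEN:
            report[name] = "destroyed"
        elif first >= OVERWRITTEN:
            report[name] = "intact"
        else:
            report[name] = "partial"
    return report

# Constructed sample 1: small FAT16 volume (about 100 MB), 200-sector FATs.
small = fat_layout(part_start=63, reserved=1, fat_sectors=200, root_sectors=32)
# Constructed sample 2: large FAT32 volume, 8,000-sector FATs, 32 reserved
# sectors. FAT32 keeps its root directory in the data area, so root_sectors=0.
large = fat_layout(part_start=63, reserved=32, fat_sectors=8000)

if __name__ == "__main__":
    for label, vol in (("small FAT16", small), ("large FAT32", large)):
        print(label)
        for name, state in damage_report(vol).items():
            print(f"  {name:22} LBA {vol[name][0]:>6}-{vol[name][1]:<6} {state}")
```

On the small volume both FAT copies sit inside the overwritten region; on the large one the second copy starts well past it, which is the case a recovery tool can exploit.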

The Taiwanese virus writer, Chen Ing-Hau, was caught, and in our mixed-up world, became a mini-celebrity. Serving in Taiwan’s army at the time of his arrest, he eventually received an official reprimand and never earned a fine or jail time. Recently, after businesses suffered another year of damages due to CIH, Chinese courts are refiling charges and he may yet spend time in jail.

Win32.Kriz

The Kriz virus infects PE files and attempts to implement a CIH-like payload on December 25, namely damaging the BIOS. Because it uses the Win32 subsystem, and not NT’s native APIs, it can only be successful on 9x platforms. When first run, it copies itself to a file called KRIZED.TT6 and then modifies or creates a WININIT.INI file so that this file gets copied over KERNEL32.DLL on the next reboot. Once active, it infects various other Windows executables when certain Windows API calls are made. Whether or not it is successful in corrupting the BIOS, it will begin overwriting files on all mapped drives, floppy drives, and RAM disks. Only the better antivirus programs can repair infected PE files.
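The WININIT.INI step is something a defender can audit before the next reboot. The following is an added example, not code from the book: it parses the `[rename]` section (each line is `destination=source`, applied at boot) of a constructed sample file and flags entries that would replace a core system file. The watch list and the sample paths, including the directory shown for KRIZED.TT6, are assumptions made for the illustration.

```python
# Added illustration: audit the [rename] section of a Windows 9x WININIT.INI
# for pending replacements of core system files. Sample content is constructed.
import ntpath

# Assumption: a short watch list of core files chosen for this example.
PROTECTED = {"KERNEL32.DLL", "USER32.DLL", "GDI32.DLL", "WSOCK32.DLL"}

def pending_renames(ini_text):
    """Yield (destination, source) pairs from [rename]; each line is dest=source.
    configparser is not used because keys such as NUL legitimately repeat."""
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            yield dest, src

def suspicious_renames(ini_text):
    """Return entries that would overwrite a protected file at next boot."""
    hits = []
    for dest, src in pending_renames(ini_text):
        if dest.upper() == "NUL":          # NUL=file means delete, not replace
            continue
        if ntpath.basename(dest).upper() in PROTECTED:
            hits.append((dest, src))
    return hits

# Constructed sample; the paths are assumptions, not taken from a real system.
SAMPLE = r"""
[rename]
NUL=C:\WINDOWS\TEMP\SETUP1.TMP
NUL=C:\WINDOWS\TEMP\SETUP2.TMP
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KRIZED.TT6
C:\PROGRA~1\APP\APP.EXE=C:\PROGRA~1\APP\APP.NEW
"""

if __name__ == "__main__":
    for dest, src in suspicious_renames(SAMPLE):
        print(f"pending overwrite of {dest} by {src}")
```

Legitimate installers also queue system-file replacements here, so a hit is a prompt to inspect the source file rather than proof of infection.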

Win95.Babylonia

Babylonia is worth mentioning because of its unique features and the sheer number of them. Originally posted to an Internet group on Dec. 3, 1999 as a Windows Help file called SERIALZ.HLP, it was supposed to be a list of valid serial numbers that could be used to install illegally copied software. Instead, it was a virus that uses the Windows Help file structure to spread. It will try to infect any .HLP or .EXE files accessed on the system by hooking the file system. Infected .HLP files activate the virus when clicked on or opened through Windows’ traditional help file processes. The virus modifies the entry point of .HLP files to point to a new script routine. This routine hands control over to the regular virus code (binary) that is placed at the end of the same .HLP file. The virus gets control, hooks the file system, and creates a file called BABYLONIA.EXE and executes it. The virus then copies itself as KERNEL32.EXE to the Windows system directory and registers the virus file to run at every Windows startup. KERNEL32.EXE is registered as a service and cannot be seen in the task list.

When on the Internet, the virus will attempt to connect to the virus writer’s website in Japan and update the virus. The virus writer has created at least four other virus modules that the original virus downloads and executes. Using this method, the virus writer could continually update and add functionality to the virus. The AUTOEXEC.BAT file is modified and the following text added: “Win95/Babylonia by Vecna (c) 1999”. The virus downloads and runs a file called IRCWORM.DAT, which, if the user is an IRC user, will then try to upload infected copies of itself to active chat channels. A module called VIRUS.TXT sends email messages to the virus author notifying him of each new infection. Lastly, the virus modifies the WSOCK32.DLL file to allow it to send a copy of itself as an attachment every time the user sends an email message. All of this, and more, in 11KB of code.

Win95.Fono

Purportedly written by the same author as Babylonia, Fono is a memory-resident virus. Originally meant to be multipartite, it has bugs in its floppy to hard drive routines. If executed on a hard drive it will install itself as a virtual device driver (FONO98.VXD), hook the file opening processes, and then write itself to the end of any PE file executed. The virus hooks interrupt 13h and successfully writes to the boot sector of floppy disks. The virus disables logging to the BOOTLOG.TXT file, and then deletes the Windows floppy drive device driver (HSFLOP.PDR). The boot virus routine will load the main, larger body of the virus from its nonboot disk location, and then attempt to load the virus VxD as usual.

The virus creates .COM virus droppers and inserts them into archive file types (e.g., PKZIP, LHA, PAK, LZH, ARJ, etc.). The virus writes itself to EXE and SCR (screensaver) files. The virus also looks for Messaging Internet Relay Chat (MIRC) users (covered in Chapter 7), and attempts to use MIRC to spread itself to active channels. It creates a Trojan, which will randomly change the user’s BIOS password or attempt to erase the BIOS’s firmware. On top of everything else, the virus is polymorphic. Clearly, the author of these two viruses is an overachiever and one of the top virus writers today. It is not something to be proud of.

Win95.Prizzy

A Czech virus writer, called Prizzy, has been one of the few to push the limits of Windows virus writing. His Win95.Prizzy virus was the first to use coprocessor instructions. Coprocessor chips were used in early computers to offload complex mathematical calculations from the main processor. Most CPUs since the 486 chip have the coprocessor built-in. Intel’s Pentium chips introduced another coprocessor chip, the multimedia extension (MMX), to speed up complex graphics. Polymorphic viruses that used coprocessor instructions in their calculations were harder to detect. While Win95.Prizzy was a very buggy virus, even unable to run on its own native Czech version of Windows 95, a new approach had been developed. Soon several working coprocessing viruses arrived, including Win32.Thorin and Win32.Legacy. Many antivirus scanners did not look for or know how to handle coprocessing instructions and their engines had to be upgraded.

Win32.Crypto

Crypto is a very devious, Prizzy-created virus spread as a Trojan horse program called NOTEPAD.EXE or PBRUSH.EXE (a trick used with Win95.Prizzy). Using Microsoft’s own Crypto APIs, the virus encrypts accessed .DLL files and decrypts them again when needed. The encryption key is stored in the registry at HKLM\Software\Cryptography\UserKeys\Prizzy/29A. If the virus is not in memory, the very strongly encrypted files will not be decrypted and Windows will fail. There are a few other viruses, including the One-Half DOS virus, that use a similar damage/protection routine. They make it difficult to remove the virus because doing so causes even more damage.

When executed for the first time, Crypto attaches itself to KERNEL32.DLL and loads itself from within the WIN.INI file. At boot up, it will attempt to infect 20 executables. By attaching to KERNEL32.DLL, Crypto can monitor files accessed for any reason and choose what to encrypt and decrypt. Crypto even adds itself into preexisting file archives (such as PKZIP and ARJ). It contains anti-antivirus routines, and will look for and delete many common antivirus files. Fortunately, the Crypto virus is very buggy and crashes in most environments. Other data encrypting viruses, which do not, are likely to follow.

Win32.Bolzano

Infecting Windows 9x and NT machines, Bolzano infects PE applications with .EXE or .SCR extensions. When it executes, it runs its own thread in the background while running the host program as a foreground task that produces no noticeable delay. On an NT machine, its most serious consequence is that it patches NTOSKRNL.EXE and NTLDR in such a way that all users have all rights to all files and folders. In order for the modification to take effect, an administrative user must log on to the machine, but after that everyone has full rights. The idea that a single malicious mobile code infection could easily invalidate all security permissions should scare NT administrators. Win32.FunLove copied Bolzano’s techniques, but it also infects .OCX files and will actively seek to infect other computers over the network.

Win2K.Stream

Win2K.Stream is a demonstration new-age companion virus that uses the file stream feature of NTFS partitions. When it infects a host executable, it copies the original host program to a secondary file stream and replaces the original with itself. It creates a temporary file during its execution, copying the host code out of the file stream to execute. If an infected file is copied to floppy disk, which cannot be formatted with NTFS, only the virus will be copied. If a file is copied from one NTFS partition to another, even over a network, the virus and host will be transmitted. If the virus is executed on a non-NTFS partition or if the host in the secondary stream is missing, the virus will display a message revealing itself in a message box.
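For forensic triage, a file carrying a secondary stream shows up in its NTFS MFT record as a `$DATA` attribute (type 0x80) with a non-empty name. The following is an added example, not code from the book: it builds two constructed, simplified MFT file records and lists their data streams. The stream name `HOST` is hypothetical, and update-sequence fixups that a real record requires are omitted.

```python
# Added illustration: find named $DATA attributes (alternate data streams) in
# an NTFS MFT file record. The records below are constructed, not real evidence.
import struct

DATA, END = 0x80, 0xFFFFFFFF

def resident_attr(attr_type, content, name=""):
    """Build a minimal resident attribute (helper for the constructed samples)."""
    name_bytes = name.encode("utf-16-le")
    content_off = (24 + len(name_bytes) + 7) & ~7      # 8-byte aligned
    length = (content_off + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, len(name), 24,
                         0, 0, len(content), content_off, 0, 0)
    body = (header + name_bytes).ljust(content_off, b"\0") + content
    return body.ljust(length, b"\0")

def file_record(*attrs):
    """Wrap attributes in a simplified 56-byte FILE record header."""
    header = bytearray(56)
    header[0:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, 56)           # offset of first attribute
    return bytes(header) + b"".join(attrs) + struct.pack("<I", END)

def data_streams(record):
    """Return names of all $DATA attributes; '' is the default unnamed stream."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT file record")
    off = struct.unpack_from("<H", record, 0x14)[0]
    names = []
    while off + 16 <= len(record):
        attr_type, length = struct.unpack_from("<II", record, off)
        if attr_type == END or length == 0:
            break
        name_len, name_off = struct.unpack_from("<BH", record, off + 9)
        if attr_type == DATA:
            raw = record[off + name_off: off + name_off + 2 * name_len]
            names.append(raw.decode("utf-16-le"))
        off += length
    return names

def alternate_streams(record):
    """Named streams only: what a triage pass would flag on an executable."""
    return [name for name in data_streams(record) if name]

# Constructed records; contents are placeholders, "HOST" is a hypothetical name.
INFECTED = file_record(resident_attr(DATA, b"placeholder-A"),
                       resident_attr(DATA, b"placeholder-host", name="HOST"))
CLEAN = file_record(resident_attr(DATA, b"placeholder-host"))
```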
