Windows viruses are as varying as their DOS predecessors, although because of the challenges of programming in a Windows environment, there are less of them currently. Windows environments afford virus writers who are willing to learn 32-bit programming a plethora of new ways to be malicious. Often, Windows viruses are part virus and part Trojan. Here are a few examples.
Discovered on December 17, 1998, Remote Explorer was the first virus to load itself as a Windows NT service and the first to steal an administrator’s security rights to spread. Believed to have been released by a disgruntled employee, the Remote Explorer attacked MCI WorldCom’s global network. The virus is written in Microsoft Visual C++ and is quite large for a virus at 125KB and 50,000+ lines of code. Some experts estimated that it took a knowledgeable individual(s) over 200 hours to write.
When an infected executable is started on an NT machine and the
current user has Administrator privileges, the virus installs itself
\WinNT\SYSTEM32\DRIVERS folder as
and runs itself as a NT system service. Running as a service, the
virus gets loaded each time NT loads. Once installed, the
EXE portion of the virus releases control
(behaving more as a Trojan dropper). The registry will have a new
HKLM\System\CurrentControlSet\Services\Remote Explorer, added to
reflect the new service. If the current user is not an Administrator
member, the service install will not work, but the virus will still
be loaded into memory.
It will check the security privileges of the logged-on user every 10
minutes while waiting for a Domain Administrator. When an
administrator does log on, it then uses the administrator’s
security credentials to install itself as a service, and steals the
new credentials to infect other trusted networks. The virus uses an
impressive routine to steal the Domain Administrator’s security
clearance: it opens another process (using the
OpenProcessToken Windows API), usually
duplicates the security token assigned to that process, and then uses
the stolen token to run a copy of itself under the
administrator’s credentials using the
The virus is visible as
IE403R.SYS in the Task
Manager’s process list and in Control Panel Services as Remote
Explorer. The infection routine is set to run in low-priority mode
during peak business hours. Authorities think this was so the virus
would be less noticeable. The infection routine randomly scans local
and shared drives and infects EXE files, but intentionally skips the
\WinNT\SYSTEM, \TEMP, and
Files folders. The virus stores the host file’s code
at the end of itself. When the infected file gets run, it copies the
original file out to a
.TMP file to allow it to
be executed after the virus runs. Although it is a PE infector, the
virus fails to verify executable type, and will corrupt non-PE EXE
files. It will not infect or corrupt files with
extensions. Non-NT machines can host
infected files, but are not subject to further virus infection. The
virus compresses, and indirectly corrupts certain files, including
.TXT files. If it
can’t infect a file that it finds, it encrypts and corrupts it.
The infection process uses a file, called
to do its dirty work. If deleted, the virus will recreate the file.
Remote Explorer contains a hiding and cleaning routine designed to
cover up its tracks. It looks for windows with the
TASKMGR.SYS -- Application
Error” and "Dr. Watson for Windows NT” titles
and closes them. It also deletes the Dr. Watson log file
DRWTSN32.LOG). This routine attempts to hide
error messages resulting from its activities. All and all, Remote
Explorer is a sophisticated virus. We are lucky that MCI WorldCom
responded quickly enough so that the virus did not spread much beyond
its own networks. Remote Explorer was not designed to spread over the
Like a lot of malicious code firsts, Remote Explorer was also full of
bugs and wasted code. Of the 50,000 lines of code, only a few
thousand were the actual virus. The rest was unused C++ code
libraries. And it was unable to check the process list without using
PSAPI.DLL, which is not part of the standard NT
However, since then, there have been
many viruses and Trojans that improve on the tricks learned from
Remote Explorer. RemoteExplorer could only infect files the user had
permission to modify (working in
WinNT.Infis is a memory-resident virus
that arrived 10 months later in the form of an infected executable.
It loads itself as a
This means it gets loaded every time Windows is started and has
higher than normal file security permissions. Using this new method
of infection, it can access files even if the logged-on user
doesn’t have rights to manipulate the code. Other executable
files are infected when opened. Using several undocumented NT/2000
API’s, Infis bypasses the Win32 subsystem to work
under Windows NT 4.0 and Windows 2000 exclusively. What is important
about Infis is that it accesses NT’s kernel mode, and thus has
direct access to ports and hardware outside of Windows NT’s
control. Luckily, written as a proof-of-concept virus, it has no
damage payload. It could, if it wanted to, format the hard drive,
delete files, or interact with the computer hardware.
Written by a Taiwanese college student as a protest against antivirus companies, CIH (named after the virus author’s initials) was the first virus that could cause computer damage so bad that it often required hardware replacement. Millions of PCs have been hit by it. South Korea alone had 240,000 PCs hit in one month. It infects PE files and places itself in unused file areas within the host. Since the virus infects PE files, it can be present on Windows NT machines, but since it uses pure Windows 95 calls, it will refuse to run. CIH will detect that it is located on a Windows NT PC, and exit quickly before letting the host file regain control.
On the 26th of any month, CIH will implement its dangerous payload. On Windows 9x machines, it will first attempt to overwrite the flash-BIOS firmware code. If successful, this will cause the PC to be unable to boot. In the past, all BIOS firmware code used to be written to the BIOS chip using a special EPROM chip device. Today, most BIOS firmware can be written and upgraded using a DOS-executed program or bootable floppy distributed by the BIOS chip maker or PC vendor. In theory the solution to corrupted firmware is easy. Rewrite the BIOS firmware code and deal with the virus’s second payload routine.
If you are lucky, you can download a new firmware installer from the PC vendor or BIOS manufacturer and write a new image. Unfortunately, many times, the motherboard manufacturer and BIOS chip maker will point fingers at each other and you will be unable to get the firmware software. If that is the case, you need replacement BIOS chips or a new motherboard. Assuming your BIOS chips are able to be removed, you have to research and find out what BIOS chips the motherboard will take. BIOS chips can easily cost $70-$90. With new motherboards starting around $100, most people end up buying a new motherboard. Hence, CIH has the distinction of being the first virus to cause hardware replacement. Although it didn’t really damage hardware physically, its consequences were the same.
If the PC is unbootable due to the BIOS damage, either the firmware diskette must be bootable or you will have to boot the PC with a DOS floppy to run the BIOS firmware update program.
Regardless of whether the CIH virus was not able to successfully
overwrite the BIOS code (which is often), it then overwrites the
first 1 MB of all hard drives in the system. Since it overwrites the
partition table, boot sector, root directory, and FAT tables, this
effectively destroys all data unless you have a data recovery tool
especially written to recover from CIH damage. Steve
of the famous
disk recovery software, wrote
a program called
utility (you can download it from
http://www.grc.com). It can often
recover all data from a CIH-damaged hard drive. The partition table
and boot sector can easily be reconstructed by looking at hard drive
parameters and operating system types. The FAT table’s erasure
wasn’t as permanently destructive as the virus’s author
had hoped, as today’s large hard drives most often push the
backup copy of the FAT past the first megabyte of damage.
Steve’s program finds the backup copy of the FAT and restores
The Taiwanese virus writer, Chen Ing-Hau, was caught, and in our mixed-up world, became a mini-celebrity. Serving in Taiwan’s army at the time of his arrest, he eventually received an official reprimand and never earned a fine or jail time. Recently, after businesses suffered another year of damages due to CIH, Chinese courts are refiling charges and he may yet spend time in jail.
Kriz virus infects PE files and attempts
to implement a CIH-like payload on December 25, namely damaging the
BIOS. Because it uses the Win32 subsystem, and not NT’s native
APIs, it can only be successful on 9x platforms. When first run, it
copies itself to a file called
and then modifies or creates a
file so that this file gets copied over
on the next reboot. Once active, it infects various other Windows
executables when certain Windows API calls are made. Whether or not
it is successful in corrupting the BIOS, it will begin overwriting
files on all mapped drives, floppy drives, and RAM disks. Only the
better antivirus programs can repair infected PE files.
worth mentioning because of its unique
features and the sheer number of them. Originally posted to an
Internet group on Dec.3, 1999 as a Windows Help file called
it was supposed to be a list of valid serial numbers that could be
used to install illegally copied software. Instead, it was a virus
that uses the Windows Help file structure to spread. It will try to
accessed on the system by hooking the file system. Infected
.HLP files activate the virus when clicked on or
opened through Window’s traditional help file processes. The
virus modifies the entry point of
.HLP files to
point to a new script routine. This routine hands control over to the
regular virus code (binary) that is placed at the end of the same
.HLP file. The virus gets control, hooks the
file system, and creates a file called
BABYLONIA.EXE and executes it. The virus then
copies itself as
KERNEL32.EXE to the Windows
system directory and registers the virus file to run at every Windows
KERNEL32.EXE is registered as a service
and cannot be seen in the task list.
When on the Internet, the virus will attempt to connect to the virus
writer’s website in Japan and update the virus. The virus
writer has created at least four other virus modules that the
original virus downloads and executes. Using this method, the virus
writer could continually update and add functionality to the virus.
AUTOEXEC.BAT file is modified and the
following text added,
Vecna (c) 1999”. The virus downloads and runs a file called
which, if the user is an IRC user, will then try to upload infected
copies of itself to active chat channels. A module called
sends email messages to the virus author notifying him of each new
infection. Lastly, the virus modifies the
file to allow it send a copy of itself as an attachment every time
the user sends an email message. All of this, and more, in 11KB of
Purportedly written by the same author
as the Babylonia,
Fono is a memory-resident virus.
Originally meant to be multipartite, it has bugs in its floppy to
hard drive routines. If executed on a hard drive it will install
itself as a virtual device driver
hook the file opening processes, and then write itself to the end of
any PE file executed. The virus hooks interrupt 13h and successful
writes to the boot sector of floppy disks. The virus disables logging
file, and then deletes the Windows floppy drive device driver
HSFLOP.PDR). The boot virus routine will load
the main, larger body of the virus from its nonboot disk location,
and then attempt to load the virus VxD as usual.
The virus creates
.COM virus droppers and
inserts them into archive file types (e.g.,
PKZIP, LHA, PAK, LZH,
, etc.). The virus writes itself to
files. The virus also looks for
Messaging Internet Relay Chat (MIRC) users
(covered in Chapter 7), and attempts to use MIRC to
spread itself to active channels. It creates a Trojan, which will
randomly change the user’s BIOS password or attempt to erase
the BIOS’s firmware. On top of everything else, the virus is
polymorphic. Clearly, the author of these two viruses is an
overachiever and one of the top virus writers today. It is not
something to be proud of.
A Czech virus writer, called Prizzy, has
been one of the few to push the limits of Windows virus writing. His
virus was the first to use coprocessor
instructions. Coprocessor chips were used in early computers to
offload complex mathematical calculations from the main processor.
Most CPUs since the 486-chip have the coprocessor built-in.
Intel’s Pentium chips introduced another coprocessor chip, the
(MMX) to speed up complex graphics.
Polymorphic viruses found using coprocessing instructions in their
calculations resulted in harder to detect viruses. While Win95.Prizzy
was a very buggy virus, even unable to run on its own native Czech
version of Windows 95, a new approach had been developed. Soon
several working coprocessing viruses arrived, including
Many antivirus scanners did not look for or know how to handle
coprocessing instructions and their engines had to be upgraded.
a very devious, Prizzy-created virus
spread as a Trojan horse program called
(a trick used with Win95.Prizzy). Using Microsoft’s own
Crypto APIs, the virus encrypts accessed
.DLL files and decrypts them again when needed.
The encryption key is stored in the registry at
HKLM\Software\Cryptography\UserKeys\Prizzy/29A. If the virus is not
in memory, the very strongly encrypted files will not be decrypted
and Windows will fail. There are a few other viruses, including the
DOS virus, that use a similar damage/protection routine. They make it
difficult to remove the virus because doing so causes even more
When executed for the first time, Crypto attaches itself to
loads itself from within the
file. At boot up, it will attempt to infect 20 executables. By
KERNEL32.DLL, Crypto can monitor
files accessed for any reason and choose what to encrypt and decrypt.
Crypto even adds itself into preexisting file archives (such as,
ARJ). It contains
anti-antivirus routines, and will look for and delete many common
antivirus files. Fortunately, the Crypto virus is very buggy and
crashes in most environments. Other data encrypting viruses, which do
not, are likely to follow.
Infecting Windows 9x and NT machines,
Bolzano, infects PE applications with .EXE or .SCR extensions. When
it executes, it runs its own thread in the background while running
the host program as a foreground task that produces no noticeable
delay. On an NT machine, its most serious consequence is that it
such a way that all users have all rights to all files and folders.
In order for the modification to take effect, an administrative user
must log on to the machine, but after that everyone has full rights.
The idea that a single malicious mobile code infection could easily
invalidate all security permissions should scare NT administrators.
copied Bolzano’s techniques, but it also infects
files and will actively seek to infect
other computers over the network.
Win2K.Stream is a demonstration new-age companion virus that uses the file stream feature of NTFS partitions. When it infects a host executable, it copies the original host program to a secondary file stream and replaces the original with itself. It creates a temporary file during its execution, copying the host code out of the file stream to execute. If an infected file is copied to floppy disk, which cannot be formatted with NTFS, only the virus will be copied. If a file is copied from one NTFS partition to another, even over a network, the virus and host will be transmitted. If the virus is executed on a non-NTFS partition or if the host in the secondary stream is missing, the virus will display a message revealing itself in a message box.