4.3 Signs and Symptoms of Windows NT Virus Infections

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 4.  Viruses in a Windows World


How a computer virus presents itself depends on the type of virus and the Windows platform infected. Typically, the older and more widespread the virus, the less likely it is to be able to spread and cause harm. In this section, we cover the signs and symptoms of computer virus infection in Windows.

4.3.1 Common Signs and Symptoms

Some signs of virus infection are:

  • The normal signs and symptoms of successful computer virus infection apply. Hacker-sounding taunts, such as "Gotcha" or "You're infected," should be a major clue. Randomly appearing graphics, sounds, file disappearance -- all of these should be taken as possible signs of virus infection.

  • Sudden, unexpected executable file growth and/or date changes. This is one of the quickest ways of spotting a computer virus, but you have to know what to look for. Windows frequently updates executables (e.g., EXEs, DLLs) as a normal part of business. The trick is to look for widespread executable updates that occur at the same time as other suspicious symptoms start appearing.

  • Unexpected modification of startup areas (AUTOEXEC.BAT, the registry, the Startup group).

  • Sudden slowness with file execution might be a sign.

  • Sudden, unexpected long-term hard drive access after your program or data has loaded could be suspect.
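The "widespread executable updates at the same time" heuristic from the list above, as an added example that is not from the book: given a baseline inventory of executables (path, size, modification time) and a later snapshot, it lists the executables that grew or were retouched, clusters the changes into short time windows, and reports whether many files grew by the same amount, which is how an appending file infector looks, whereas a patch cycle touches files with varying sizes. The inventories here are constructed sample data; on a real disk they would come from walking the filesystem with os.walk and stat.

```python
"""Added example (not from the book): flag the 'widespread executable
growth/date change' symptom from two executable inventories."""
from collections import Counter
from datetime import datetime


def changed_executables(baseline, current):
    """(path, size_delta, new_mtime) for executables whose size or mtime moved."""
    out = []
    for path, (size, mtime) in current.items():
        if path in baseline and baseline[path] != (size, mtime):
            out.append((path, size - baseline[path][0], mtime))
    return out


def burst_windows(changes, window_seconds=600, min_files=5):
    """Clusters of >= min_files changes whose mtimes fall within window_seconds."""
    times = sorted(m for _, _, m in changes)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window_seconds:
            j += 1
        if j - i + 1 >= min_files:
            bursts.append((times[i], times[j], j - i + 1))
            i = j + 1
        else:
            i += 1
    return bursts


def common_growth(changes):
    """Most frequent positive size delta and its count; a constant delta across
    many files is typical of an appending file infector, not of a patch."""
    deltas = Counter(d for _, d, _ in changes if d > 0)
    return deltas.most_common(1)[0] if deltas else (0, 0)


# Constructed sample: 9 executables; 6 grow by the same 1204 bytes within three
# minutes, one DLL is legitimately patched a day later, two are untouched.
T0 = datetime(2001, 3, 5, 9, 0).timestamp()
BASELINE = {f"C:/WINNT/prog{i}.exe": (40000 + 100 * i, T0 - 30 * 86400) for i in range(8)}
BASELINE["C:/WINNT/system32/patched.dll"] = (200000, T0 - 30 * 86400)
CURRENT = dict(BASELINE)
for i in range(6):
    CURRENT[f"C:/WINNT/prog{i}.exe"] = (BASELINE[f"C:/WINNT/prog{i}.exe"][0] + 1204, T0 + 30 * i)
CURRENT["C:/WINNT/system32/patched.dll"] = (203000, T0 + 86400)

if __name__ == "__main__":
    ch = changed_executables(BASELINE, CURRENT)
    print(len(ch), "changed;", burst_windows(ch), common_growth(ch))
```

A burst of six same-sized growths inside one window is a strong lead; the lone patched DLL a day later is left out of the burst and has a different delta, which is the kind of separation the text asks you to make by hand.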

4.3.2 Programs Won't Start

Windows 16-bit and 32-bit program files infected with a DOS virus will usually fail to run. DOS viruses infecting newer versions of COMMAND.COM may result in "Bad or missing command interpreter" messages, after which the system halts. When an infected program is started, Windows immediately produces a fatal error message, or in some instances, Windows locks up or displays blue screens. An error message may state that an "Invalid Page Fault" occurred, that a program attempted to write to an illegal memory location, or that the file you are attempting to execute could not be located. The last error message is confusing because many times you are double-clicking on the very executable file Windows says it cannot locate (don't be fooled by a misdirected shortcut). Be especially suspicious if Windows executables will not start but DOS programs work fine, or vice versa. Another virus-created error message, "This version of Windows does not run on DOS 7.0 or earlier," appearing when you haven't installed new programs should clearly lead you to suspect a DOS virus.

4.3.3 Windows Cannot Use 32-bit Disk Support

With Windows 3.1, viruses frequently caused the following Windows warnings, "The Microsoft Windows 32-bit disk driver (WDCTRL) cannot be loaded. There is an unrecognizable disk software installed on this computer" or "This application has tried to access the hard disk in a way that is incompatible with the Windows 32-bit disk access feature (WDCTRL). This may cause the system to become unstable." Inability to create a temporary or permanent swap file can be caused by a boot virus. Later versions of Windows 3.x produce error messages suggesting that computer viruses could be responsible when presenting these types of errors.

Windows 9x systems may boot without an error message, but reveal that the file or virtual memory system is in MS-DOS Compatibility mode. You can check this by choosing Start → Control Panel → System → Performance. On most systems you should see the file and virtual memory system in 32-bit mode. Systems running real-mode processes could be the result of Windows detecting a program that hooks the disk's write-interrupt routine. Although there can be several legitimate causes (e.g., a third-party driver or an antivirus program) for this type of symptom, computer viruses are a likely cause. If the driver name listed as causing MS-DOS Compatibility mode is MBRINT13.SYS, definitely suspect a boot virus. You can edit IOS.LOG to determine what file might be causing the conflict.

Some third-party disk drivers can also force MBRINT13.SYS to error out.

4.3.4 NT STOP Errors

If you've been around Windows NT any decent amount of time, you are probably already familiar with the infamous Blue Screen of Death (BSOD) errors. The blue screen refers to the color of the background displayed during Fatal System Stop Errors (the Windows 2000 BSOD is actually black). They have been around since the days of Windows 3.0, and are present in Windows 9x, but are more common in Windows NT. When Windows encounters a serious error, it will immediately halt the system and display a debugging screen. If you are not used to BSODs, they can be a little intimidating -- lots of numbers and filenames. What is displayed on the screen is different for each platform. Windows NT gives the most information. Windows 2000 has dropped a lot of the information that was displayed in the NT version, but all versions give you the error message text and an error number, followed by the drivers and programs associated with the error. A good troubleshooter can use this information to identify the offending device driver or program, or use it to research Microsoft's Knowledge Base articles for a remedy.

If a boot virus is successful in writing itself to an NTFS boot disk, NT will almost always show a blue screen with a STOP error. In the case of boot viruses, STOP messages will most often begin with error codes 0x0000007A, 0x0000007B, or, in the case of Windows 2000, 0x00000077. All of these STOP errors are the result of NT not being able to correctly read the boot drive or paging memory.

Sometimes the solution is worse than the problem. STOP 0x0000001E errors are commonly caused by misbehaving antivirus programs. Microsoft, and just about every Windows software developer, recommends that all antivirus programs not be active when installing new software. Failure to do so has resulted in many problems and corrupted software installations. At the very least, memory-scanning antivirus software will significantly slow down the software install process.

4.3.5 Installation Errors

Many computer viruses are discovered during the Windows installation process. When Windows 95 first came out, thousands of users complained to Microsoft that the Windows 95 Setup Disk 2 was infected with a virus. Users would start installing Windows, but when they came to Disk 2, Windows indicated the disk was bad. Many users did a virus scan, detected a boot virus on the new disks, and incorrectly blamed the Redmond, Washington company. Microsoft wasn't distributing infected diskettes; the users' systems already contained a boot virus, which infected the new diskette while Windows was saving setup information. An "Invalid system disk" message can appear after the first reboot on an infected Windows 9x system, as Windows goes to load itself for the first time. A "Packed file corrupt" error message can occur during the initial install stages on an infected machine.

Boot viruses can cause Windows NT to state, "The hard disk containing the partition or free space you chose is not accessible to your computer's startup program." An infected Windows NT PC with an NTFS boot partition may say "A kernel file is missing from the disk. Insert a system disk and restart the system." A common sign you can see when installing Windows NT on an infected system is that NT begins to load, goes black, reboots, and then keeps repeating the cycle. Again, an infected boot sector can be suspected. Occasionally, Windows NT will be quite direct with some of its error messages, like "MBR checksum error: a virus may be present. Verify Master Boot Record integrity".

Microsoft programmers are getting better at detecting virus-like situations and the error messages they cause. Of course, the virus writers are fighting back. Some boot sector viruses, like Gold-Bug, will detect the Windows startup process, disinfect the boot sector on the fly, and then reinfect after Windows is through checking.

4.3.6 Swap File Problems

Windows is very careful about what hard disk areas it uses when creating permanent swap files during the initial install. If, while creating a new swap file, Windows detects an incorrectly modified disk or disk subsystem, it will refuse to create a swap file. In Windows 3.x, the message might be, "The partitioning scheme used on your hard drive prevents the creation of a permanent swap file." Viruses, trying to intercept the file-write interrupts, can cause swap file problems and error messages.

In summary, as we all know, Windows has enough problems and errors without a computer virus being involved, but an active PC with any of these symptoms should be checked for computer viruses. Suspect a nonvirus problem first if you know the PC hasn't been exposed to any new programs, files, diskettes, new emails, or Internet accesses.


Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176