2.7 Detecting a DOS-Based Computer Virus

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 2. DOS Computer Viruses

If you suspect you have a DOS-based computer virus, but you are not 100 percent sure, try the following steps.

1. Scan with a good antivirus program after cold booting with a write-protected, clean boot diskette.

There is no better way to detect and remove DOS viruses than running a good antivirus program. Use a reliable antivirus scanner with an up-to-date signature database. When you scan for DOS computer viruses, always cold boot the PC from a known clean, write-protected, bootable diskette. This makes sure that no computer virus is in memory when you scan. If a virus is in memory when you search, it can use various subroutine tricks to hide from antivirus programs or cause more damage.

Virus scanners are getting better and better all the time at detecting viruses that are in memory at scan time, but you'll get the best results after cold booting with a clean diskette. I find that my scanning success and removal rate after a cold boot is even higher with viruses that aren't employing stealth defense mechanisms. Less code in memory lets the scanner do its job more efficiently.

When rebooting, make sure you turn the power off instead of pressing Ctrl-Alt-Del to warm boot. There are dozens of viruses, like Fish, Ugly, Joshi, and Aircop, which have no problem "living" through a warm boot and thriving in memory when the PC restarts. These types of viruses monitor the keyboard input buffer or check the "warm-boot flag" in the BIOS data area, waiting for the Ctrl-Alt-Del key sequence. They can then fake the normal reboot process and remain in control. The Ugly virus family tries to manipulate CMOS memory into thinking there is no floppy disk drive. Thus, when the PC reboots, it boots to the hard drive first, runs the infected virus code, and then the virus reenables the floppy disk drive and runs the floppy-based boot process. The PC appears as if it has booted up on the floppy diskette, but the virus is already in memory. Sneaky buggers, aren't they?

Make sure you are using an up-to-date signature database. Viruses now spread around the globe overnight. It only took three days for the Melissa virus to infect 100,000 computers. Antivirus companies used to have monthly updates that they mailed to paying customers. Now, newly discovered viruses are added to the virus database within hours, and the update can be downloaded across the Internet with the click of a button.

If MMC corrupts the BIOS, it may be impossible to boot from a floppy diskette or from the hard drive. In those cases, you need to resolve the BIOS problem (covered in Chapter 4) first.

2. Look for recent program file date changes.

While many viruses go out of their way to make sure the infected file's date and timestamp don't change (and it's trivial to do so), many don't. If you boot with a clean, write-protected floppy diskette and see lots of program files with new date stamps, a virus could be lurking. I always check COMMAND.COM first. Every file that comes with DOS has a particular creation date and time that should never change. In most versions, the timestamp reflects the version of DOS. Seeing yesterday's date on COMMAND.COM should send up warning signs. Unfortunately, DOS only displays the last two digits of the year. Several viruses, like Natas, add a hundred years to the file creation date, which will be visible to their own assembly language inquiries checking for a previous infection, but not to DOS. A file's creation date may change from December 3, 1997 to December 3, 2097, but DOS will report 12-3-97 when performing a simple DIR.
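The date check in step 2 is easy to automate once you know how FAT stores a date: a 16-bit word holding a 7-bit year offset from 1980, a 4-bit month, and a 5-bit day, which is why adding a hundred years still produces a valid date that DIR shows with the same two-digit year. The following is an added example, not code from the book; the directory entries and the "today" date are constructed, and the 05-31-94 baseline is the date stamp MS-DOS 6.22 puts on its own files.

```python
"""Added example (not from the book): flagging program-file date changes the way
step 2 describes, using the FAT on-disk date format. Sample entries are constructed."""
from datetime import date


def decode_fat_date(word: int) -> date:
    """FAT packs a date into 16 bits: 7 bits of year offset from 1980,
    4 bits of month, 5 bits of day. Years 1980..2107 are representable."""
    year = 1980 + ((word >> 9) & 0x7F)
    month = (word >> 5) & 0x0F
    day = word & 0x1F
    return date(year, month, day)


def encode_fat_date(d: date) -> int:
    if not 1980 <= d.year <= 2107:
        raise ValueError("year outside the FAT date range")
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def dir_style(d: date) -> str:
    """How DOS DIR shows a date: two-digit year, so 1997 and 2097 both print as 97."""
    return f"{d.month:02d}-{d.day:02d}-{d.year % 100:02d}"


PROGRAM_EXTENSIONS = (".COM", ".EXE", ".SYS")


def suspicious_program_files(entries, install_date: date, today: date):
    """entries: iterable of (filename, fat_date_word) read from a directory.
    Flags program files dated after the DOS install date and, separately,
    files whose full year lies in the future, which a two-digit DIR listing hides."""
    findings = []
    for name, word in entries:
        if not name.upper().endswith(PROGRAM_EXTENSIONS):
            continue  # data files change all the time; only program files matter here
        d = decode_fat_date(word)
        if d > today:
            findings.append((name, dir_style(d), f"full year is {d.year}: possible +100-year infection marker"))
        elif d > install_date:
            findings.append((name, dir_style(d), "newer than the DOS install date"))
    return findings


# Constructed sample directory. MS-DOS 6.22 ships every file dated 05-31-94.
DOS_INSTALL_DATE = date(1994, 5, 31)
SAMPLE_TODAY = date(1998, 1, 15)
SAMPLE_ENTRIES = [
    ("COMMAND.COM", encode_fat_date(date(2097, 12, 3))),  # 12-03-97 plus one hundred years
    ("EDIT.COM",    encode_fat_date(date(1994, 5, 31))),  # untouched
    ("IO.SYS",      encode_fat_date(date(1997, 12, 3))),  # modified after install
    ("README.TXT",  encode_fat_date(date(1997, 12, 3))),  # data file, ignored
]

if __name__ == "__main__":
    for name, shown, why in suspicious_program_files(SAMPLE_ENTRIES, DOS_INSTALL_DATE, SAMPLE_TODAY):
        print(f"{name:<12} DIR shows {shown}: {why}")
```

The "future year" branch is the only way to see the Natas-style marker from a listing, since `dir_style()` reproduces exactly what DIR prints: the infected COMMAND.COM and the genuinely modified IO.SYS both show `12-03-97`.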

3. Suspect viruses if the number of bad sectors or crosslinked files grows on your disk.

Viruses frequently cause bad sectors or crosslinked files (as reported by CHKDSK.EXE or SCANDISK.EXE) to suddenly and rapidly appear. There are a lot of other reasons why your hard disk may suddenly get disk or file corruption problems, but it can't hurt to run a quick virus scan to rule out malicious code. If the scan turns up clean, it is probably a hardware problem or an operating system crash. If you suspect a computer virus, be careful of running SCANDISK.EXE or CHKDSK.EXE /F to clean up disk problems. Doing so can sometimes cause more problems than it solves, depending on the virus. Always try to let a professional antivirus program remove the virus first.

4. Be aware of inappropriate diskette accesses.

If you notice that your PC is frequently checking the floppy disk drive when it shouldn't, this might be a sign of computer virus infection. Unfortunately, programs of all types are always checking the floppy diskette for legitimate reasons, so it is tough to figure out what is inappropriate. For example, if you save a file from MS Word to a floppy diskette, MS Word will keep looking for the file on your floppy disk as long as the file remains in Word's Recently Used File List. What many people have told me they've noticed with a virus is that the floppy drive light stays on a little longer than usual when accessing the floppy disk (i.e., the virus is being written). A virus might only make the disk access an extra second or two longer, but some keen observers will notice the increase.

5. Be aware of strange symptoms.

I hesitate to mention this computer virus symptom because every PC I've ever used does strange things, and everyone who learns about viruses can't help but suspect every weird computer glitch to be a computer virus. Probably 95 out of 100 "weird symptoms" reported to me as possible infections are not caused by computer viruses. The cause is a software configuration problem, a hardware bug, or some other peculiarity. I often say, "Windows has killed more data than viruses ever will." The strange symptoms I'm mentioning are distinctly malicious: funny text messages printing out on the printer, displayed cuss words, strange repeating graphics on the screen, music or noise emanating from the speaker, repeating messages printing out on the printer, a PC unable to boot, program file date stamp changes, etc. If strange symptoms start occurring, I'll use them as a starting place. I use one of the other steps to confirm an infection.

6. Check for a sudden decrease in total conventional memory.

Both the CHKDSK.EXE and MEM.EXE programs list Total Conventional Memory in DOS. Total Conventional Memory should report 640KB, or 655,360 bytes. Many computer viruses allocate a few kilobytes of conventional memory, and this lowers the amount of reported conventional memory to 638KB or some lower amount. Of course, many stealth viruses cover up their memory appropriation, so that when you run a memory-checking utility, DOS reports a misleading figure. I've also seen some ROM BIOSs that "borrow" a few kilobytes from memory, so not getting 640KB is not an absolute sign of infection.
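Step 6 comes down to one comparison plus the two caveats the paragraph gives (BIOS borrowing and stealth viruses that hide the shortfall). The code below is an added example, not from the book: it parses the "total bytes memory" line CHKDSK prints at the end of its report, compares it with 655,360, and treats a small shortfall differently from a large one. The CHKDSK reports are constructed, and the 2 KB BIOS tolerance is an assumption to be replaced by a known-good figure from the same machine.

```python
"""Added example (not from the book): checking the conventional-memory total
reported by CHKDSK, as step 6 describes. The CHKDSK outputs below are constructed."""
import re

CONVENTIONAL_BYTES = 655_360        # 640 KB, the figure a clean PC should report
BIOS_RESERVE_TOLERANCE = 2 * 1024   # assumption: allow up to 2 KB for a BIOS that "borrows" memory

# CHKDSK ends its report with a line such as "   655,360 total bytes memory".
TOTAL_MEMORY_RE = re.compile(r"^\s*([\d,]+)\s+total bytes memory", re.MULTILINE)


def parse_chkdsk_total_memory(report: str) -> int:
    """Return the total conventional memory in bytes from a CHKDSK report."""
    m = TOTAL_MEMORY_RE.search(report)
    if m is None:
        raise ValueError("no 'total bytes memory' line in CHKDSK output")
    return int(m.group(1).replace(",", ""))


def assess_conventional_memory(reported: int, baseline: int = CONVENTIONAL_BYTES,
                               tolerance: int = BIOS_RESERVE_TOLERANCE):
    """Return (missing_bytes, verdict). A full 640 KB is not proof of a clean PC,
    because a stealth virus can make the reported total look normal; a shortfall
    beyond what the BIOS is known to reserve is what deserves a clean-boot scan."""
    missing = baseline - reported
    if missing <= 0:
        return missing, "full total reported"
    if missing <= tolerance:
        return missing, "small shortfall; could be a BIOS reservation, compare with a known-good baseline"
    return missing, "shortfall beyond BIOS tolerance; consistent with a resident virus, scan after a clean cold boot"


# Constructed CHKDSK output: the memory summary is the part that matters here.
CLEAN_REPORT = """\
 Volume SYSTEM       created 05-31-1994 6:22a
 ...
 655,360 total bytes memory
 617,776 bytes free
"""
SUSPECT_REPORT = CLEAN_REPORT.replace("655,360", "651,264")  # 4 KB have gone missing

if __name__ == "__main__":
    for label, report in (("clean", CLEAN_REPORT), ("suspect", SUSPECT_REPORT)):
        total = parse_chkdsk_total_memory(report)
        missing, verdict = assess_conventional_memory(total)
        print(f"{label}: {total:,} bytes, {missing // 1024} KB missing: {verdict}")
```

Record the clean-boot figure for each machine once; the tolerance then becomes "does today's number match that machine's own baseline", which is a far better test than the generic 640KB.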

7. Check the boot sector or program file code.

If you are used to looking at boot sectors, you can cold boot from a clean floppy diskette and view the hard disk boot sector with a disk editor or with DEBUG.EXE (if appropriately trained). The lack of normal DOS error messages or the addition of other inappropriate text is an obvious sign of infection. If you edit a program file and see taunting messages, it's pretty clear that some form of malicious code is present. Figure 2-13 shows a Carzy-infected COMMAND.COM file I found using the DOS EDIT command. Note the ample advertising by the virus writer. In my experience, about two-thirds of malicious code contains text messages that point to rogue intentions.

Figure 2-13. Carzy-infected COMMAND.COM
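The two signs step 7 names, missing DOS error text and added inappropriate text, can be checked on a 512-byte sector image read after a clean cold boot. The following is an added example and not code from the book: it extracts the printable runs a disk editor would show, looks for the message fragments MS-DOS boot code normally carries, and reports anything else. The boot sector images and the taunting string are constructed, the message list is my own (wording differs by DOS version), and the system file names are the only text the check treats as benign.

```python
"""Added example (not from the book): a sanity check of a 512-byte boot sector
image, along the lines of step 7. The sector images below are constructed."""

# Fragments of the messages MS-DOS boot sectors carry; wording varies by version.
EXPECTED_MESSAGES = ("Invalid system disk", "Disk I/O error", "Replace the disk",
                     "Non-System disk or disk error")
# Legitimate non-message text: the system file names the loader searches for.
BENIGN_FRAGMENTS = ("IO      SYS", "MSDOS   SYS", "IBMBIO  COM", "IBMDOS  COM")


def printable_strings(data: bytes, min_len: int = 6):
    """Runs of printable ASCII at least min_len long (what a disk editor shows as text)."""
    found, run = [], bytearray()
    for b in data + b"\x00":  # the sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


def check_boot_sector(sector: bytes) -> dict:
    if len(sector) != 512:
        raise ValueError("expected a 512-byte sector")
    text = sector.decode("latin-1")
    expected = [m for m in EXPECTED_MESSAGES if m in text]
    # Skip the jump, OEM name and BPB (first 62 bytes) and the 55AA signature.
    unexpected = [s for s in printable_strings(sector[62:510])
                  if not any(m in s for m in EXPECTED_MESSAGES)
                  and not any(f in s for f in BENIGN_FRAGMENTS)]
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "jump_ok": sector[0] in (0xEB, 0xE9),
        "expected_messages": expected,
        "unexpected_strings": unexpected,
        # Either sign alone is worth a scan; neither proves a clean disk, since a
        # boot virus can leave the original sector's text in place.
        "suspicious": not expected or bool(unexpected),
    }


def build_sample_sector(text_blobs) -> bytes:
    """Construct a sector image: jump + OEM name, zeroed BPB, NOP filler, the
    given text blobs, the system file names, and the 55AA signature."""
    code = b"\x90" * 64 + b"\x00".join(text_blobs) + b"\x00" + b"IO      SYSMSDOS   SYS"
    if len(code) > 448:
        raise ValueError("constructed code area too large")
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[3:11] = b"MSDOS5.0"
    sector[62:62 + len(code)] = code
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


CLEAN_SECTOR = build_sample_sector([b"Invalid system disk", b"Disk I/O error",
                                    b"Replace the disk, and then press any key"])
TAUNT = b"CONSTRUCTED TAUNT: greetings from the virus writer"  # constructed, not a real virus string
INFECTED_SECTOR = build_sample_sector([TAUNT])

if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_SECTOR), ("infected", INFECTED_SECTOR)):
        print(label, check_boot_sector(sec))
```

On a real disk the sector comes from a disk editor or DEBUG as the text describes; feed those 512 bytes to `check_boot_sector()` and read the `unexpected_strings` list the way you would read the text pane of the editor.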

Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176