4.1 DOS Viruses on Windows Platforms

Team-Fly

	Malicious Mobile Code: Virus Protection for Windows By Roger A. Grimes
	Table of Contents
	Chapter 4.  Viruses in a Windows World

In a PC world where Windows is king, there is still a significant population of functioning DOS viruses. They do not understand how to manipulate Windows executables and the newer file storage types, so their overall ability to spread on a Windows system is decreased in most cases. Still, some do work, and the ones that don't, can still cause bootup and runtime errors. Under a DOS Virtual Machine (DVM) session, DOS is emulated well enough to allow most DOS viruses lots of opportunity to do damage.

4.1.1 Overall Effects on All Windows Platforms

This section will summarize the overall effects DOS viruses have on Windows, followed by specifics for each platform.

4.1.1.1 Boot virus infections

After the POST routine of a PC is finished, the first boot drive is checked, and the Master Boot Record (MBR) is located. The MBR then tells the PC where to locate the primary boot sector of the default operating system. This process is identical for every PC regardless of the operating system. Thus, a boot virus located on a booted floppy will be able to successfully infect the boot area of all hard drives . When an infected PC boots, the infected boot sector is given control. During this stage of the booting process, the virus can execute its payload damage regardless of the operating system. In many cases, boot viruses check for particular dates or events to initiate damage routines or display messages. These damage routines are usually accomplished using ROM BIOS interrupts (e.g., 13h) and they will be successful.

If the newly infecting boot virus declines to initiate a payload routine during the first stage of the bootup, usually its next priority is to locate the default boot sector and replace it with viral code. Most boot viruses will be successful here, too. Next , a boot virus must turn over control to the original boot sector, start the default operating system, and place itself in memory (so it can infect accessed diskettes). Depending on the boot virus mechanism and the operating system, it may or may not be successful. The virus might not understand how to correctly infect the new type of boot sector, or it won't understand the new file subsystem, or the operating system in control may prevent its future actions. In any case, the boot virus may not be successful in its later attempts. And if it isn't, the boot virus will not spread far. However, its misguided attempts can easily disable a PC from booting properly and cause data loss.

4.1.1.2 File infections

DOS programs infected in Windows by a DOS virus usually exhibit the same signs and symptoms as if they were infected without Windows (i.e. file growth, missing free memory, program sluggishness, etc.). DOS viruses infecting Windows programs is a different story. Because DOS viruses do not know how to correctly infect Windows platforms, the most common sign of infection is program corruption. Infected program files error out and are unable to execute. If a DOS virus corrupts a key operating system file, Windows either will not load, or it will load with boot errors, or in a diminished state.

4.1.2 Windows 3.x/DOS Virus Interaction

Both boot and DOS file viruses can cause problems to the Windows 3.x platform.

4.1.2.1 DOS boot viruses and Windows 3.x

Because Windows 3.x has a DOS boot sector underneath, boot viruses can easily infect and replicate. With versions 3.1x and above, an error message indicating that 32-bit disk support has been disabled might be presented, but that is about all you will notice. Boot viruses can infect the boot sectors of accessed floppy diskettes without causing noticeable disruption. Multipartite viruses, which can infect executables and boot sectors, will have little problem spreading as a boot virus, but will probably encounter problems when infecting executables.

4.1.2.2 DOS file infectors under Windows 3.x

Windows 3.x is started with DOS firmly in control. Viruses infecting DOS programs can infect files started in a DVM without many problems. File-overwriting viruses will be able to spread under Windows 3.x as they normally would in DOS. Overwriting viruses always destroy the victim's executable, and hence, understanding the new NE file format is not a prerequisite. DOS parasitic viruses will usually fail to properly infect Windows executables, instead causing immediate file corruption and subsequent error messages. There are a few DOS viruses, for example the Termite virus, which, either through luck or a brief understanding of Windows file structures, will be able to successfully use Windows executables as hosts .

Many viruses are known as prependers . They can be written in a variety of languages and infect many types of hosts because they attach themselves at the beginning of a mostly unmodified host file. As long as the prepending virus can execute, it will run, and then (hopefully) execute the underlying saved host file. Using this method, many DOS prepending viruses will be able to successfully function under different Windows platforms.

4.1.3 Windows 9x/DOS Virus Interactions

By the time Windows 95 came around, Microsoft was starting to build in limited antivirus features, but not enough to stop the spread of DOS viruses.

4.1.3.1 Windows 9x antivirus features

Although Windows 9x does not have a built-in antivirus scanner, it does include several features that can thwart DOS computer viruses. First, it blocks malicious programs trying to directly access the hard drive using interrupts 25h or 26h (absolute disk read/write). If a program attempts to use those interrupts, Windows 9x will attempt to intercept the call, lock the system, and display the following message: "Windows has disabled direct disk access to protect your long file- names ...The system has been halted. Press CTRL+ALT+DELETE to restart your computer." Not elegant, and it doesn't always work, but it prevents a lot of viruses from spreading.

Second, Windows 9x monitors interrupt 13h (disk services) and maintains a list of programs that are currently hooking it. With each reboot, Windows 9x compares the list of programs currently hooking interrupt 13h with the previously recorded list. If Windows 9x notes any differences, it then compares it to a list of known safe programs and device drivers that hook interrupt 13h. The safe list is maintained in a file called IOS.INI located in the Windows directory. If the new program is not on the safe list, Windows generates the following warning message: "WARNING: Your computer may have a virus. The Master Boot Record on your computer has been modified. Would you like more information?" If you click Yes, the System Performance tab is shown for further details. You can then view the IOS.LOG file for more details. It's important to note that the warning message only appears on the first reboot after the initial infection. If ignored and the PC is booted again, the virus could be successful and the warning message will not be shown again.

The MBR modification warning message will be shown if the culprit is a pure boot infector, like the Form virus. However, tests have shown that a few MBR viruses can infect Windows 9x without setting off the alert, including Michelangelo and Telefonica.

As noted previously, if Windows 9x has been forced into MS-DOS Compatibility mode, then the I/O Supervisor (IOS ) writes an IOS.LOG file that can be read to locate the file-hooking interrupt 13h or force Windows out of 32-bit file system mode. These Window 9x features are good for users and bad for DOS virus writers.

4.1.3.2 Boot viruses and Windows 9x

Boot viruses are able to infect and spread in Windows 9x environments, although again, bootup errors can occur. Windows 9x hard drive file systems are controlled by new interrupt calls and device drivers. Most DOS virus droppers will not be able to infect a hard drive while Windows 9x is running, although a few, like the multipartite virus Tequila can. However, removable disks (i.e. floppy diskettes) are a little better protected. The 32-bit Windows driver, HSFLOP.PDR , does not let most viruses write to the boot sector of floppy diskettes. Some viruses will delete the driver in order to force 9x machines to use 16-bit disk drivers and be able to replicate under Windows.

4.1.3.3 DOS file infectors under Windows 9x

Like, Windows 3.x, every DOS program or DVM window contains a copy of the real-mode devices loaded from the CONFIG.SYS and the AUTOEXEC.BAT . If a virus has infected a program initialized in real-mode startup session, the virus will automatically be in control of each DVM started, and subsequently, any DOS programs started. Since Windows 9x has no file-level security, viruses are free to roam the file system and infect other hosts. If a user starts an infected program in one DOS window, the virus can infect COMMAND.COM or some other common file in memory and automatically infect files started in another DOS window. DOS viruses infecting the new NE or PE executable types will usually result in file corruption.

4.1.4 Windows NT/DOS Virus Interaction

Windows NT does a great job of preventing the spread of boot viruses, and can limit the damage file infectors cause.

4.1.4.1 Boot viruses under NT

Since NT is not in control of the PC until the second half of the boot process, boot viruses can readily infect an NT PC. An infected diskette that is accidentally booted will be able to infect the boot sector or MBR of any hard drives using its normal methods . And any payload damage the virus has that runs before NT has control can cause harm. Because of this, boot viruses can and do cause damage to NT systems.

Two questions remain . First, will Windows NT boot its normal way without you noticing the boot virus infection? Second, if Windows NT does boot without error can boot infectors infect accessed floppy diskettes to spread even further? If Windows NT boots with an infected FAT partition and the virus doesn't modify the partition table, chances are the boot will be successful without Windows NT noticing any changes. The virus will be activated upon reboot, and eventually start the original FAT boot record of Windows NT. However, once Windows NT has loaded and removed real-mode drive access, boot viruses will be unable to spread further (and are unable to cause more damage during the current session). Even stealth routines, which in DOS would hide the virus, are nullified.

Boot viruses usually place the original sectors somewhere else on the disk. Many do not protect that sector and if something overwrites it, Windows NT will not be able to boot.

Viruses that implement an encrypting or stealth routine during the initial stages of the boot, and again later after NT is booted, will have their latter actions stopped . And this isn't always good. For instance, the Monkey MBR virus modifies the partition table to point to its own viral code, but uses stealth routines to point partition-table inspectors to the original table. After NT is in control, it queries the partition table to set up the logical disk volumes . The Monkey's stealth routines, which would have otherwise pointed NT to the original table, are blocked by NT. So, NT isn't able to find the original partition table and fails to boot properly. Other viruses, like One-Half, which use complex encryption or stealth routines, can cause more damage under NT, since NT prevents them from trying to hide their damage when the data is retrieved by the user.

NT with NTFS partitions will usually be unable to start after a boot virus infection. This is because NT with a NTFS boot partition will read the boot sector twice: once during bootup, and once just after NT gets control. NT will look to the boot sector a second time to recognize the logical disk volumes, fail to find the appropriate NT boot code, and crash. Surprisingly, some stealth boot viruses have a better chance, depending on their coding, to allow NT with NTFS to load without crashing. However, once NT is loaded all stealth routines are prevented, and the same rules for FAT partitions apply.

DOS Dropper viruses, which attempt to write to the boot sector or MBR from within a Trojan executable, will be prevented from working under NT.

4.1.4.2 DOS file infectors under NT

In a Virtual DOS Machine (VDM), DOS is thoroughly emulated and viruses can easily infect other DOS files accessed within the VDM (limited only by NTFS security). File infectors will be able to infect any DOS file executed with the VDM and search the hard drive for more victims. A file virus could infect COMMAND.COM , which is kept in NT for backward compatibility, and thus be available (and potentially active) in any future VDM opened. Viruses that attempt to call ROM BIOS interrupt routine services to trash the hard drive will be prevented from working.

Windows program files infected by a DOS virus will usually be corrupted and unable to start, thus limiting the spread of the virus. If any of these files are crucial to NT's booting or operational capacity, NT could be prevented from functioning. Luckily, Windows 2000 and ME have Windows File Protection (WFP) and System File Protection (SFP) and can implement self-repair.

Further, DOS file viruses are limited by the file access rights of the logged on user. A strictly protected Windows NT system with NTFS partitions prevents normal users from modifying executable and system files, and will prevent file viruses from causing any harm. However, floppy diskettes are always formatted with FAT, and DOS viruses can potentially infect files located there.

4.1.5 DOS Virus in Windows Summary

As you have read, the death of DOS viruses on Windows platforms has been greatly exaggerated. In fact, if it were not for the new file and partition formats (which aren't backward compatible), very little would have been done to prevent the DOS virus from spreading. Yes, each version of Windows has added more protection against computer viruses, but if not for the unintended side effect of normal obsolescence, this book might solely be about DOS viruses. The latest versions of Windows, with their self-repair mechanisms, have taken the first real steps toward a real virus protection solution.