It is always important to take precautions to protect your computer and the data on it from viruses. Many computer viruses exploit the disk structures that your computer uses to start up by replacing, redirecting, or corrupting the code and data that start the operating system.
For more information about the master boot record (MBR) and boot sector on x86-based computers, see Disk Sectors on MBR Disks later in this chapter.
MBR viruses exploit the master boot code within the master boot record (MBR) that runs automatically when an x86-based computer starts up. MBR viruses are activated when the BIOS activates the master boot code, before the operating system is loaded.
Many viruses replace the MBR sector with their own code and move the original MBR to another location on the disk. After the virus is activated, it stays in memory and passes the execution to the original MBR so that startup appears to function normally.
Some viruses do not relocate the original MBR, causing all volumes on the disk to become inaccessible. If the listing in the partition table for the active primary partition is destroyed, the computer cannot start. Other viruses relocate the MBR to the last sector of the disk or to an unused sector on the first track of the disk. If the virus does not protect the sector that contains the MBR, normal use of the computer might overwrite the MBR, and the system might not restart.
For more information about the master boot code, see Disk Sectors on MBR Disks later in this chapter.
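The following script is an added example and is not part of the Resource Kit text. It parses the on-disk MBR layout that the preceding paragraphs rely on (446 bytes of master boot code, a 64-byte partition table of four 16-byte entries, and the 0x55AA signature in the last two bytes) from a constructed sample sector, and reports the conditions a relocated or destroyed MBR produces: a missing signature, no active primary partition, an inconsistent partition table, or master boot code that no longer matches a hash recorded while the disk was known to be clean. The sample sector bytes, the partition values and the baseline-hash approach are assumptions made for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # master boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FORMAT = "<B3xB3xII"


def build_entry(status, ptype, lba_start, sectors):
    """Pack one 16-byte partition table entry (CHS fields left as zero)."""
    return struct.pack(ENTRY_FORMAT, status, ptype, lba_start, sectors)


# Constructed sample: a few stand-in bytes padded to 446 bytes (not real boot code).
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0" + b"\x00" * (PARTITION_TABLE_OFFSET - 4)


def build_sample_mbr(boot_code=SAMPLE_BOOT_CODE, active_status=0x80, signature=BOOT_SIGNATURE):
    """Assemble a 512-byte MBR with one active type-0x07 primary partition (constructed values)."""
    table = build_entry(active_status, 0x07, 63, 204800) + build_entry(0, 0, 0, 0) * 3
    return boot_code + table + signature


def parse_partition_table(sector):
    """Return the four primary partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, sector[off:off + PARTITION_ENTRY_SIZE])
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(sector):
    """SHA-256 of the master boot code only; record this while the disk is known to be clean."""
    return hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest()


def check_mbr(sector, baseline_code_hash=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(sector) != SECTOR_SIZE:
        return [f"sector is {len(sector)} bytes, expected {SECTOR_SIZE}"]
    findings = []
    if sector[SECTOR_SIZE - 2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: MBR destroyed or overwritten")
    entries = parse_partition_table(sector)
    active = [e for e in entries if e["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1: computer cannot start")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02x}")
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"entry {i}: type 0x{e['type']:02x} but zero length")
    used = sorted((e for e in entries if e["type"] != 0), key=lambda e: e["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition table entries overlap")
    if baseline_code_hash is not None and boot_code_hash(sector) != baseline_code_hash:
        findings.append("master boot code differs from baseline: possible MBR virus or relocation")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = boot_code_hash(clean)
    print("clean:", check_mbr(clean, baseline))
    # Same partition table, different master boot code: the table-only checks pass,
    # so only the recorded baseline reveals the change.
    tampered = build_sample_mbr(boot_code=b"\xeb\xfe" + b"\x00" * (PARTITION_TABLE_OFFSET - 2))
    print("tampered:", check_mbr(tampered, baseline))
```

The partition-table checks catch the destructive cases the chapter describes (no active primary partition, a wiped sector), but a virus that copies the original MBR elsewhere and chains to it leaves the table intact, which is why the code hashes the master boot code separately and compares it with a baseline taken from a known-clean disk.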
As with the master boot code, the boot sector's executable code also runs automatically at startup, creating another vulnerable spot exploited by viruses. Boot sector viruses are activated before the operating system is loaded and run when the master boot code in the MBR identifies the active primary partition and activates the executable boot code for that volume.
Many viruses update the boot sector with their own code and move the original boot sector to another location on the disk. After the virus is activated, it stays in memory and passes the execution to the original boot sector so that startup appears normal.
Some viruses do not relocate the original boot sector, making the volume inaccessible. If the affected volume is the active primary partition, the system cannot start. Other viruses relocate the boot sector to the last sector of the disk or to an unused sector on the first track of the disk. If the virus does not protect the altered boot sector, normal use of the computer might overwrite it, rendering the volume inaccessible or preventing the system from restarting.
Two common ways that a computer can contract an MBR or boot sector virus are: by starting up from an infected floppy disk; or by running an infected program, which causes the virus to drop an altered MBR or boot sector onto the hard disk.
The malicious activity of an MBR or boot sector virus is typically contained after Windows XP Professional starts. If the virus payload (the malicious activity of the virus) does not run during system startup and if the virus does not alter the original MBR or boot sector, Windows XP Professional prevents the virus from self-replicating to other disks.
During normal operation, Windows XP Professional is immune to viruses infecting these disk structures because it accesses physical disks only through protected-mode disk drivers. Viruses typically subvert the BIOS INT 13h disk access routines, which are ignored after Windows XP Professional starts. However, on computers with multiple-boot configurations, such as Windows XP Professional with Microsoft MS-DOS, Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows Millennium Edition (Me), an MBR or boot sector virus might infect the computer when you are running another operating system. If this happens, Windows XP Professional is vulnerable to damage.
Viruses that execute their payload during startup are a threat to computers that are running Windows XP Professional because the virus executes before Windows XP Professional takes control of the computer. After Windows XP Professional activates the protected-mode disk drivers, the virus cannot copy itself to other hard disks or floppy disks because the BIOS mechanism on which the virus depends is not used for disk access.
Follow these guidelines to avoid infecting computers with viruses:
Install on your system at least one commercial virus-detection program and use it regularly to check your computers for viruses. Be sure to regularly update the virus signature files. After you install an antivirus program, immediately update the virus signature files from the software manufacturer's Internet site. Check the software manufacturer's documentation for specific instructions.
Warning: It is extremely important that you regularly update your antivirus program. In most cases, antivirus programs are unable to reliably detect and clean viruses of which they are unaware. Most commercial antivirus software manufacturers offer frequent updates. Take advantage of the latest download to ensure that your system is protected with the latest virus defenses.
Before you install Windows XP Professional in a multiple-boot configuration, scan the other operating systems for viruses.
Back up files nightly or as needed so that damage is minimized if a virus attack does occur.
Before opening a file from a floppy disk or before starting a computer from a floppy disk, scan the floppy disk for viruses.
Do not open e-mail attachments from unknown senders. Delete the e-mail and attachments immediately.
When you receive an unexpected e-mail attachment from someone you know, verify that the sender intended to send you the attachment. Simply scanning the attachment for viruses is not sufficient because a new virus can propagate without the sender's knowledge. A virus scanner that does not know about the new virus might not catch the virus.
If the sender did not intend to send you the attachment, permanently delete the e-mail without opening it.
Never run a file that has a .vbs or .js file name extension unless you know exactly what it is going to do before you run it.
Regularly check the Microsoft Windows Update Web site and the Microsoft Office Update Web site for patches that fix vulnerabilities and provide security enhancements. In addition, independent software vendors (ISVs) might also provide security-related patches for other programs installed on the computer. For more information, see the Windows Update and Microsoft Office Update links on the Web Resources Page at http://www.microsoft.com/windows/reskits/webresources
Configure the security settings in Microsoft Internet Explorer to protect against downloading infected files or malicious scripts. For more information about protecting computers from unsafe software, see Internet Explorer Help.
Do not allow users to log on as members of the Administrators group on their own computers because viruses can do more damage if activated from an account with Administrator permissions. Allow users to log on as members of the Users group so that they have only the permissions that are necessary to perform their tasks.
Configure Windows Explorer and My Computer to show extensions for known file types, show hidden files and folders, and show protected operating system files. For example, a malicious file with the name Report.doc.vbs appears in Windows Explorer and My Computer as Report.doc unless you deselect the option to hide extensions for known file types. To change these settings, in My Computer, click the Tools menu, click Folder Options, and then click the View tab.
To remove a virus from your computer, use a current, well-known commercial antivirus program that is compatible with Windows XP Professional. In addition to scanning the hard disks on your computer, be sure to scan all floppy disks that have been used in the infected computer, in any other computers, or with other operating systems in an infected multiple-boot configuration. Scan floppy disks even if you believe they are not infected. Many infections recur because one or more copies of the virus were not detected and eliminated.
If the computer is already infected with a boot sector virus and you install Windows XP Professional into a multiple-boot configuration, standard antivirus programs might not completely eliminate the infection because Windows XP Professional copies the original MS-DOS boot sector to a file called Bootsect.dos and replaces it with its own boot sector. The Windows XP Professional installation is not initially infected, but if the user chooses to start MS-DOS, Windows 95, Windows 98, or Windows Me, the infected boot sector is reapplied to the system, reinfecting the computer.
Caution: Before you use the Fdisk /mbr command, note the following:
Do not depend on the MS-DOS command Fdisk /mbr, which rewrites the MBR on the hard disk, to resolve MBR infections. Many newer viruses have the properties of both file infector and MBR viruses, so restoring the MBR does not solve the problem if the virus immediately reinfects the system.
Running Fdisk /mbr in MS-DOS on a system infected by an MBR virus that does not preserve or encrypt the original MBR partition table permanently prevents access to the lost partitions.
If the disk was configured with a third-party drive overlay program to enable support for large disks, running this command eliminates the drive overlay program and you cannot start up from the disk.
The Recovery Console, a troubleshooting tool in Windows XP Professional, offers a command called Fixmbr. It functions identically to the Fdisk /mbr command, replacing only the master boot code and leaving the partition table unchanged, so it is equally unlikely to resolve an infected MBR.
For more information about the Recovery Console, see Tools for Troubleshooting in this book.