VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

You've picked random article, here is the actual link to the

Windows NT and Viruses

Alan Solomon

[Back to index] [Comments]

As the use of Windows NT continues to grow throughout the corporate world, it becomes increasingly important to understand what impact viruses have under Windows NT.

Boot Sector Viruses

If a PC running Windows NT is booted normally, the system prevents attempts to write to track 0, or the boot sector. On the face of it, this may appear to limit the ability of boot sector viruses to infect the system, given that boot sector viruses write to the partition sector [Master Boot Record, MBR] or the boot sector of the hard disk.

Of course, direct disk writes are disabled only when Windows NT is up-and-running. And boot sector viruses infect at a BIOS level, before any operating system [DOS, Windows 3.x, Windows 95, Windows NT, OS/2, Novell NetWare, etc.] has been loaded. So while it may prevent any program from writing to the start of the hard disk 'post festum', after Windows NT has been loaded, it will not prevent infection by a boot sector virus. If an infected floppy disk is accidentally left in drive A and re-booted, the virus will write its code to the partition sector or boot sector.

However, although boot sector viruses infect at a BIOS level, they are designed to run in real mode, as DOS TSRs. And since Windows NT is a protected mode operating system, boot sector viruses are unable to operate under Windows NT. When an infected PC is re-booted, the virus will not be active in memory and will not infect other floppy disks accessed in the PC.

It follows from this that as use of Windows NT grows, boot sector viruses will slowly decline. In the meantime, however, PCs running Windows NT remain susceptible to any damaging payload which a boot sector virus may carry. If a boot sector virus triggers [Telefonica virus, for example, trashes the hard disk after 400 re-boots], the damage is carried out before the operating system has been loaded, using the BIOS to write to the disk. For this reason, it is important to ensure that PCs running Windows NT are protected against infection by boot sector viruses.

Executable File Viruses

It is possible to infect Windows programs, so there is nothing in the structure of these files which prevents infection. Indeed, a handful of Windows-specific viruses have been written [including Boza virus, which infects 32-bit programs]. However, the Windows-specific viruses we have seen so far have been direct-action viruses; that is, they do not attempt to go memory resident, but rely instead on infecting other programs when the infected program is executed. As a result, these viruses have had limited success in spreading [TSR viruses, which reside in memory and intercept functions performed by the operating system have always been much more successful].

Most executable file viruses are designed to go memory resident. However, they are written as DOS TSRs; and, for this reason, their ability to spread under Windows NT is limited. If a program infected with an executable file virus [Jerusalem, Cascade, Yankee Doodle, etc.] is run in a Windows NT command session, it will only infect other 16-bit programs run in the same session. It will not go 'globally resident' and infect programs run 'across the board' under Windows NT.

It is not inconceivable that, at some point in the future, viruses will be written to actively monitor, and intercept, disk or file activity. Such viruses would be able to spread more effectively. [We have already seen one [unsuccessful] attempt to write a virus which operates as a VxD under Windows 95.] Although it is much less straightforward to write such programs for non-DOS operating systems, it is possible to do so [anti-virus vendors are able to write programs to monitor disk and file activity under Windows NT, for example; if anti-virus programs can function in this way, virus programs could also be written to do so.

Existing executable file viruses, however, look likely to decline as the corporate world [and home users] move away from DOS-based operating systems.

Macro Viruses

Macro viruses pose the greatest threat to users of Windows NT. They have already had a marked effect. Since the appearance of WM/Concept, in July 1995, we have seen over 1,000 macro viruses. Macro viruses [such as WM/Concept, WM/Wazzu, WM/Npad, WM/MDMA, WM/Cap and others] form the greater part of viruses reported to Technical Support at Dr Solomon's. And while most cause no damage to data, we have already seen macro viruses which threaten data. If instructions within a macro make calls to a specific operating system [as with the WM/FormatC macro trojan], they will be restricted to that particular operating system. However, the WM/MDMA virus demonstrates that it is possible to accommodate this; WM/MDMA gets round this restriction by including variable payloads for different operating systems.

Macro viruses are not confined to Microsoft Word for Windows. In January 1996, the first macro virus to infect Lotus AmiPro files [APM/GreenStripe] appeared. Unlike Word for Windows, in which macros are directly linked to document and template files, AmiPro macros are contained in a separate file; this makes it possible to exchange AmiPro documents [for example, via e-mail] without exchanging infected macros. For this reason, AmiPro macro viruses are likely to spread less effectively.

However, we have seen viruses written to infect Microsoft Excel for Windows [the first working Excel for Windows macro virus was XM/Laroux, which appeared in July 1996]. It does not take a great deal of imagination to see the possible consequences which might arise from a virus making modifications to spreadsheets. Looking ahead, Microsoft Office 97 opens up the possibility of viruses which infect macros attached to Microsoft PowerPoint files.

Macro viruses have become a major threat to PC users, for several reasons.

  1. Macros which infect Microsoft Word for Windows or Microsoft Excel for Windows are written in WordBasic. This is easily accessible to many PC users; and macros are much easier to write than executable file viruses [written, for the most part, in assembly code].
  2. They infect data files, rather than executables. Data files, to which macros are attached, provide viruses with a more effective replication method than executable files. Data files are exchanged far more frequently than executable files. The development of macro viruses has taken place parallel with the increased use of e-mail [and the ability to attach files to e-mail], and mass access to the Internet [and on-line services like CompuServe and America Online]; this makes macro viruses a much greater threat to computer users than executable file viruses and boot sector viruses.
  3. Macro viruses are not platform-specific. There are versions of Microsoft Word for Windows 3.x, Windows 95, Windows NT and Macintosh. This makes all of these operating systems susceptible to macro viruses.
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org