2.1) LongFileName Directory Entries
2.2) Windows 95 Writes to Diskette OEM Fields
2.3) I Didn't Have a Label For My Harddisk, But Now
I do
2.4) Windows 95 Says You Have a Boot Sector Virus
2.5) SUHDLOG.DAT
6.1) ChipAway Virus Enabled
6.2) Traces of a Virus Found in Memory
6.3) Virus Found in ANTIVIR.DAT
6.4) Loading Bootstrap...
6.5) Something is Writing to Your Boot Sector...
Acknowledgments
Appendix A: The Directory Entry
Appendix B: The DOS Boot Record
Appendix C: Beep Codes
The "Virus Lab" is a misnomer. But "Where They Explain to You Why it's NOT a Virus" just doesn't have the same ring. However, each day, far more cases of "Not A Virus" are reported by customers than actual cases of virus infections. This phenomenon is true at all levels of customer support. So, instead of talking about some neat, new antivirus technology, I hope to be able to help you with something useful in your everyday work.
Urban legends have inundated the computer virus world such that any computer malady is blamed on a computer virus being in the system. But there are multitudes of situations blamed on viruses which are not. This paper is based on many customer situations through McAfee's Technical Support, questions raised on the Internet, with experience and contribution from the Tech Support or Customer Support of other companies in the industry.
At memory location 40:13 is a word representing how much base memory is in the machine. The value usually found at 40:13 is 280h which means the machine has its full complement of 640K (655,360). Utilities such as CHKDSK or MEM can be used to fetch this value.
Starting with the introduction of the IBM PS/2 in 1987, IBM and then others, started to fake the total memory count by one K or two by decrementing this number and using the space for additional system storage space. For IBM, this area was referred to as the Extended BIOS Data Area (EBDA). The IBM PS/2s reserved 1K.
It is true that most boot sector viruses do steal memory from 40:13 and place themselves at the memory it has reserved by doing so. So, when a user sees something other than 640K, he usually jumps up a nd down about having a virus.
Since DOS supplies other methods to reserve memory, in finer granularity than 1K, most software solutions will use DOS to reserve memory. However, many things which I call "hardware related software" (such as drivers for monitors, drivers for ROM addons, etc.), that require the use of some memory but cannot address DOS to reserve memory, will also "steal" a K or two using this architected way of reserving memory.
Officially, the architecture for this mechanism includes the requirement to store a word at xxxx:0 with the value of how many K is reserved in that block. Thus correct implementation of this scheme has values like this (assuming 640K available in system):
40:13 Address Value
0280h (full 640K)
027Fh 9FC0:0000 1
027Eh 9F80:0000 1
9FC0:0000 1
or
9F80:0000 2
etc.
So, if less than 640K is reported, check the memory using the table above. If there is a boot sector virus in memory, chances are, you will also find the values 55h AAh near the top of memory at a memory address of xxxx:xxFE.
On November 13th, some PCs around the world will play the Happy Birthday song through the PC speaker.
A "former" programmer at American Megatrends managed to sabotage a BIOS run. The specific information is listed below:
BIOS Manufacturer: American Megatrends
BIOS Version: M82C498 Evaluation BIOS v1.55
BIOS Category: IBM PC/AT
BIOS ID Bytes: FC 01 00
BIOS Date: 04/04/93
If you have one of these BIOS chips, you can contact AMI to get a replacement.
The way Windows 95 manages its LongFileNames is to use a trick associated with volume labels. According to documentation (See Appendix A.), if the volume label bit is set, all other information in that directory entry is ignored.
Here is a sample of a Windows 95 directory as interpreted by DEBUG (uninteresting parts chopped out to save space):
0E0 41 50 00 72 00 6F 00 67-00 72 00 0F 00 20 61 00 AP.r.o.g.r... a. 0F0 6D 00 20 00 46 00 69 00-6C 00 00 00 65 00 73 00 m. .F.i.l...e.s. 100 50 52 4F 47 52 41 7E 31-20 20 20 11 00 00 00 00 PROGRA~1 ..... 110 00 00 00 00 00 00 CC 80-17 1F 81 1E 00 00 00 00 ................ 180 41 45 00 78 00 63 00 68-00 61 00 0F 00 15 6E 00 AE.x.c.h.a....n. 190 67 00 65 00 00 00 FF FF-FF FF 00 00 FF FF FF FF g.e............. 1A0 45 58 43 48 41 4E 47 45-20 20 20 10 00 78 BC 81 EXCHANGE ..x.. 1B0 17 1F 17 1F 00 00 BC 81-17 1F 38 16 00 00 00 00 ..........8..... 1C0 43 4F 4D 4D 41 4E 44 20-43 4F 4D 20 00 00 00 00 COMMAND COM .... 1D0 00 00 6E 20 00 00 40 4E-EB 1E 3D 42 C6 6A 01 00 ..n ..@N..=B.j..
Here is the output of DiskEdit as it interprets the above information:
Name .Ext Size Date Time Cluster Arc R/O Sys Hid Dir Vol
------------------------------------------------------------------------
AP 7536741 3-12-80 12:03 am 0 R/O Sys Hid Vol
PROGRA~1 0 8-23-95 4:06 pm 7809 R/O Dir
AE 4294967295 15-31-7 7:63 pm 0 R/O Sys Hid Vol
EXCHANGE 0 8-23-95 4:13 pm 5688 Dir
COMMAND COM 92870 7-11-95 9:50 am 16957 Arc
This behavior by Windows 95 is often misinterpreted by unsuspecting users as a virus which creates HUGE illegal files onto their drives, or as a virus which corrupts file entries.
All it actually is, is people looking at absolutely correct information with inappropriate tools.
With Windows 95, when you insert a diskette into the drive, it will write to the diskette OEM Name field (see Appendix B). I believe this is done for volume change detection. If the diskette is not write-protected, Windows 95 will write 4 random characters plus the 3 letters "IHC".
This activity has sometimes been interpreted as a virus constantly writing to diskettes. After all, the user has done nothing of note to cause a write to the diskette.
[Curiosity item: IHC and 4 spaces makes one believe that at one point, "OGACIHC" was the string being written in this location. "Chicago" was Microsoft's codename for Windows 4.0 which was later renamed to Windows 95.]
Every disk is allowed to have a label. One can assign a label to a disk by using the LABEL command supplied with DOS. When the LABEL command is used, it creates a directory entry with the volume label bit enabled.
The first entry with a label bit in the root directory is interpreted to be the label of the disk.
If we look at Appendix A, you will note that if the label bit is set, all other fields are ignored. Windows 95 uses this trick for its LongFileName entries.
If you did not initially give your disk a label, the first LongFileName will then satisfy the LABEL criteria. And your disk will now bear a weird looking LABEL name.
Windows 95 has a dialogue box which will show up on certain occasions. It is true most of the time that if the box shows up, you do indeed have a virus. However, the mechanism behind this determination is that the INT 13h vector has been changed.
Again, the most likely thing is indeed that a boot sector virus was responsible for this change. However, installation of certain security related software may also result in the report of this message.
SUHDLOG.DAT is a file found on Windows 95 systems. It contains images of the master boot record (partition sector) and boot sectors of your hard disks. Therefore, if a boot sector virus had once gotten on the machine, it will be saved in the file SUHDLOG.DAT. Depending on the technology used by the scanner involved, scanning the file might produce a warning of a boot virus in the file.
Why is this not a virus? After all, it does indicate that a boot virus had at one point been on the machine.
If this occurs, it means a virus was once on the machine. It does not mean that the file is infected by a boot sector virus. After all, a boot sector virus is being reported in a file. But do boot clean and check the system. Also, delete the file.
This is a hidden file to mark the swap space used by Windows 3.x. Swap space allows an operating system (or normal executable) to write things that are not currently being used, onto disk and free up RAM memory for things that need to be there.
Sometimes, a scanner will detect a virus in this file. There are a number of possible causes for this:
To remove or adjust its size, use the interface found in 386 Enhanced settings in the Control Panel. One last note, a "really big" swap file does not necessarily mean faster speed. There is an optimal setup for your machine depending on how you use it.
The arrow used by Windows to show where the mouse currently points is something called a sprite. There's a whole different science for how to deal with sprites.
In this case, Windows simply wasn't able to read in the sprite associated with its current environment. Thus, the sprite is just a black box.
Pipes, the concept of allowing output from one program to be used as input to another program, was an afterthought of DOS introduced in DOS 2.0. The method of implementation was to direct the output of one process to be written to a file. The first program finishes execution. Then the second program runs. It reads from this temporary file and uses it as its input stream.
This temporary file is created in the directory designated by the TEMP environment variable.
As it happens, DOS creates 2 temporary files for the process "DIR | MORE". These two files have names generated as some random set of 8 characters. Thus, each invocation creates 2 differently named files.
No one happenstance generates more phone calls and questions than this one.
[I happen to use NDOS, a derivative of 4DOS. It also creates temporary files in the directory designated by the TEMP environment variable. But, this set of circumstances only creates one file and it is always a constant name.]
This is the issue of infinitely recursive subdirectories. Looking at Appendix A, you will see that one of the fields represents the cluster number of the subdirectory. Thus, if you replace the cluster number of a subdirectory with the cluster number of the directory itself, you can generate this scenario.
Well, that's not all that easy to do, except... if you're in the root directory. Any subdirectory with its cluster number set to 0 will point back to the root directory. So, if you overlay a random data file over the root directory, a random byte will have the subdirectory bit set and if there happens to be a NULL in the cluster field, you will create this situation.
A version of CorelDraw 5.0 had the capability of presenting the message "Where's Waldo?" to the user. If you hear this from a user, ask first if he's using CorelDraw.
No virus currently presents this message to the user.
Ever since Macro Viruses for Word for Windows came into being, there have been many people attributing any Word Perfect problem to "Is this a new Word Perfect virus?"
Until you hear otherwise, the answer is, "No."
Presently, Word Perfect manages its macros in a separate file from that of the text. Since it's the macros that would contain a virus, should there ever be one, and since people don't generally pass macros when they pass around Word Perfect documents, chances of a Word Perfect virus becoming a threat to users is close to nil.
It's probably the worst marketing choice for a program name I've ever come across.
The truth is, UNWISE.EXE is a program called Wise Uninstall which is included with some Windows shareware programs.
A particular antivirus product instituted in BIOS has inappropriately chosen the activation messages of "ChipAway Virus Enabled." When this phrase is seen during the bootup process, it represents that this product has been activated.
While this message is the message presented by McAfee's Scan, it represents the concept of one antivirus product finding another antivirus' strings in memory. One of the best known of this circumstance is the combination of Scan and CPAV/MSAV. Running CPAV and then SCAN will usually generate this message.
In 6.2, we showed circumstances where one antivirus product locates another in memory. There is also the circumstance of one antivirus finding strings in another antivirus' data files or TSR executables. This is especially true now that there are heuristic analyzers.
What the heuristic analyzers are perhaps finding are viral snippets that are used to identify viruses. But it is not the complete virus.
A similar situation arises when some antivirus packages are used to scan data files when "Scan All Files" is chosen. In this situation, the viruses "detected" are usually some kind of polymorphic virus. This brings forth the issue, "Should you be scanning all files?" My answer is, each product is presented to you with a default mode. Careful thinking is applied to choose the right set of defaults. Yet no product that I'm aware of has a default setting of scanning all files. All products recommend a certain configuration. Think about that.
[The chance that an antivirus package is distributed with a virus is actually relatively high if you are not downloading the package from a known and trusted site. Antivirus packages have been known to be trojanized many times in secondary redistribution channels.
Be safe. Download originals from official supported sites.]
This is a message placed by SCAN in the MBR bootup process after it has cleaned certain boot sector viruses. Because the user has just completed an encounter with a virus, he is very alert to any new strangeness he encounters. Seeing this new message, he immediately believes this is something laid by the virus.
This message has been removed as of last summer.
Antivirus products vary in technology. One technology implemented by some antivirus products is called behavior blocking. However, use of this technology often involves giving too much power to users who do not understand the capabilities nor the circumstances.
The most common behavior blocking issue raised to our technical support is, "Something is writing to my boot sector!" This could be a virus. But it could be that the user just typed FORMAT.
I would recommend, in a corporate environment, you allow users to decide for themselves whether they wish to run a behavior blocker. If the user is unaware that he is using behavior blocking technology, you will be confronted with more non-virus cases than situations where it actually stopped a virus. Yet, you may decide that you would be able to live with a 10 to 1 non-viral to viral ratio because the one virus infection that it catches costs more to clean up than the on-going support.
The choice of using an antivirus is the determination that the cost of running an antivirus is less than the cost of cleaning up after virus infections. Therefore, only you can evaluate the cost for your organization.
Users of Apple's Macintosh have been mystified by the occasional occurrence of the string "welcome datacomp" appearing amidst their typed text, knowing that they hadn't typed it. This has been traced to a particular make and model of a third-party Macintosh-compatible keyboard. This string is apparently programmed into the keyboard's ROM.
From the alt.comp.virus FAQ:
"It appears to be a practical joke, coded into the keyboard's ROM, that causes the keyboard to output that text (as if it was typed) after a period of keyboard inactivity. The only practical fix is to replace the keyboard."
If your Mac has this date, it's time to replace the battery. This is the default, time-0 for the Mac.
"If you see Good Times in the subject header of your message, delete it!"
Actually, this is good advice, because the rest of the message is bound to be worthless.
A message warning of the Good Times virus first appeared in November of 1994. The warning for the virus reports that if you read a message with "Good Times" in the title, your hard disk will be damaged beyond repair as well as a number of other wondrous things. When the reports first surfaced, the report was easily and quickly dismissed. Nothing can have such effects across the spectrum of operating systems and processors as claimed by this omnipotent e-mail virus.
However, fall of 1995 saw a resurgence of messages warning again of the Good Times virus. It is believed that news stories regarding macro viruses lent more credence to the e-mail aspects of the report. But, the story remains a hoax. The things it claims to be possible across the spectrum of e-mail programs remain an impossibility.
The reports continue to spread. And in effect, the message itself has become the virus.
To try to give credibility to the Good Times story, some virus writers immediately created a virus using one of the virus creation programs with the name "Good Times" inside the virus. The antivirus community, seeking to insure that no confusion came about from this, named this virus GT-Spoof.
FormatC is a trojan horse written as a Word document. It is a Word document which contains one macro which does a call to execute the DOS command FORMAT. It was written and posted to an Internet newsgroup.
Because it was written during the initial hoopla over Word macro viruses, many people have also included FormatC in their list of Word macro viruses. Also, many people freely associate trojan horses as viruses. Thus FormatC is often referred to as a virus. It is not. It is a trojan horse.
It is being discussed here because it may have had a bearing on lending credibility to the Good Times scare.
Because every unknown computer malady has been associated with viruses, many pieces of damaged hardware have been attributed to viruses as well. In order to explain the issue of viruses destroying hardware, we must step back and explain the concept of software destroying hardware.
The truth behind the ability of software to destroy hardware is that generic software cannot destroy generic hardware. However, every piece of hardware has recommended parameters of use. Thus, in order to damage hardware, one either uses the hardware outside its recommended parameters or wears it out through repetitive overuse.
No virus has yet to do this. Chances of any virus successfully accomplishing this (and spreading) are not high. In real terms, this issue is myth, not fact.
Remember, the only possible ways to destroy hardware through software is through a directed attack or through repetitive overuse.
All I can say is that it was wonderful to use my Internet connections on Feb 29th. To those who complied with Internet Cleanup Day, thank you.
Dave Chess, IBM
Shane Coursen, Symantec
Sarah Gordon, Command
Tom Simondi
Heather Stern, McAfee; and many others at McAfee
A directory file consists of sequential 32 byte entries:
Byte Description
0-7 Filename
Byte 0 indicates the status of the directory entry.
Value Meaning
00h This entry has never been used. (Directory searches can stop here.)
05h The actual first character is an E5h.
E5h This entry has been erased (it's free).
2Eh Dot. This is the entry which holds information about this directory cluster.
If the second character is also 2Eh, then this entry is dot-dot, or the parent
directory. If the parent directory is the root directory, then cluster number
will be 0000h.
8-10 Filename extension
11 File Attribute
The file attribute is a bit mapped value.
Bit Meaning
01h 1 = Read-only file. If function 3Dh or 6Ch is used to open the file for output,
an error code is returned.
02h 1 = Hidden file. This file is excluded from normal directory searches.
04h 1 = System file. This file is excluded from normal directory searches.
08h 1 = Volume ID in the first 11 bytes. This file is excluded from normal
directory searches. No other fields are interpreted. Windows 95 marks
this bit for its LongFileName entries.
10h 1 = Subdirectory file. This entry points to a subdirectory and thus is not
searched.
20h 1 = (Archive bit) File has been written to and closed. BACKUP and RESTORE
uses this bit to determine if a file has been changed since the last BACKUP.
12-21 Reserved (OS/2 uses some of these bytes)
22-23 File Creation or Last Changed Time
The time is encoded into 16 bits:
Bits Meaning
0-4 Seconds (in 2 second increments)
5-10 Minutes (0-59)
11-15 Hours (0-23)
24-25 File Creation or Last Changed Date
The date is encoded into 16 bits:
Bits Meaning
0-4 Day (1-31)
5-8 Month (1-12)
9-15 Year + 1980 (0-119: 1980-2099)
26-27 First Cluster of the File. One uses this number to index through the File
Allocation Table to determine the chain of the full file. (Standard Intel 16 bit value).
28-31 File Size (standard Intel 32 bit value)
A Boot Record is found on each DOS volume. It describes the media.
Byte Description 0-2 Code
The boot up process passes execution to the sector which is read in. Thus, this code must be able to do something intelligible.
Prior to DOS 4 or 5, the following definition was documented but was not being checked by DOS. Sometime around DOS 4 or 5, DOS started requiring this:
Byte Value Description
0 EB Short jump opcode
1 any Distance of short jump
2 90 NOP
or
0-2 E9 xx xx Jump instruction
3-10 OEM Name Anyone can write anything they want here.
11-12 Bytes per sector
13 Sectors per cluster (must be a power of 2; maximum = 128; real maximum = 64)
14-15 Reserved sectors at beginning
16 Number of File Allocation Tables
17-18 Maximum number of Root Directory Entries
19-20 Total sectors on media
21 Media Descriptor
Bit Description
0 1 = 2 sided 0 = not 2 sided
1 1 = 8 sector 0 = not 8 sector
2 1 = removable 0 = not removable
3-7 reserved = 1
Value Description
F8h Fixed disk
F9h 5.25", double sided, 15 sectors/track
FCh 5.25", single sided, 9 sectors/track
FDh 5.25", double sided, 9 sectors/track
FEh 5.25", single sided, 8 sectors/track
FFh 5.25", double sided, 8 sectors/track
FEh 8", single sided, 26 sectors/track
FDh 8", double sided, 26 sectors/track
FEh 8", double sided, 8 sectors/track
Note: There are more notes on 8" diskettes,
but I don't think they're that pertinent.
22-23 Number of sectors used by a File Allocation Table
24-25 Sectors per track
26-27 Heads
28-31 Hidden sectors
32-35 Huge sectors
36 Physical drive number
37 Reserved
38 Boot signature
39-42 Serial number
43-53 Volume label
54-61 Filesystem type
Value Description
"FAT12 " 12 bit FAT (8 byte string, last 3 are spaces)
"FAT16 " 16 bit FAT (8 byte string, last 3 are spaces)
62- Start of code Usually where the code at 0 jumps to.
A Beep Code is audible output from the machine intended to deliver information when no visible means are possible. Beep codes different, depending on the manufacturer.
IBM POST Audio Error Codes:
1 short beep All OK or Display error 2 short beeps POST error - Error code on CRT, or Display error No beep Power, motherboard Continuous beep Power, motherboard Repeating short beeps Power, motherboard, stuck keyboard key 1 long, 1 short beep motherboard, clock speed too fast 1 long, 2 short beeps Display adapter (MDA, CGA) 1 long, 3 short beeps Enhanced Graphics Adapter (EGA) video RAM 3 long beeps 3270 keyboard card
AMI BIOS Audio POST Codes:
1 short beep DRAM refresh failure 2 short beeps Parity circuit failure 3 short beeps Base 64K RAM failure 4 short beeps System timer failure 5 short beeps Processor failure 6 short beeps Keyboard controller Gate A20 error 7 short beeps Virtual mode exception error 8 short beeps Display memory Read/Write test failure 9 short beeps ROM BIOS checksum failure 10 short beeps CMOS Shutdown Read/Write error 11 short beeps Cache Memory error 1 long, 3 short beeps Conventional/extended memory failure 1 long, 8 short beeps Display/retrace test failed