WINDOWS 95 AND VIRUSES
By David Emm


With the growth in the use of Windows 95, it becomes increasingly important to understand the way in which viruses will operate under Windows 95. We examined a number of different viruses, most of which are 'in the wild', to see how effectively they are able to spread and what impact they have on a Windows 95 system. We focus here on the following areas:

(1)  Windows 95 and boot sector viruses;
(2)  Windows 95 and file viruses [including multipartite viruses, like Natas];
(3)  Windows 95 and macro viruses;
(4)  Protecting your system;
(5)  Conclusions.

(1) WINDOWS 95 AND BOOT SECTOR VIRUSES

If a PC running Windows 95 is booted normally, the system prevents attempts to write to track 0, or the boot sector. A message is displayed, informing the user that direct disk access has been disabled, and the system is halted [requiring the user to press <Ctrl> <Alt> <Del> to re-start the computer]. On the face of it, this may appear to limit the ability of boot sector viruses to infect the system, given that boot sector viruses write to the partition sector [Master Boot Record, MBR] or the boot sector of the hard disk.

However, direct disk writes are disabled only when Windows 95 is up-and-running. Boot sector viruses, by contrast, infect at a BIOS level, before any operating system [DOS, Windows 95, Windows NT, OS/2, Novell NetWare, etc.] has been loaded. So while Windows 95 may prevent any program from writing to the start of the hard disk 'post festum', after Windows 95 has been loaded, it will not prevent infection by a boot sector virus. It is also worth noting that Tequila virus was able to write to the partition sector successfully [see (2) below].

Of the boot sector viruses we looked at [Form, Empire Monkey, Parity.b, Stealthboot, Jumper, Telefonica, Purcyst, Beijing, Michelangelo and Exebug], all were able to infect the hard disk.

When a PC infected with a boot sector virus is re-booted normally, Windows 95 loads in 'MS-DOS compatibility mode', rather than using its native 32-bit file system. However, this is not immediately apparent: it is only when you dig a little deeper into the system, or attempt to load a 32-bit application, that the difference shows; otherwise, the 'look and feel' is the same.

After the initial infection, when the PC is re-booted 'dirty', Windows 95 produces a 'Performance Dialog' dialog, containing the following message:

WARNING: Your computer may have a virus. The Master Boot Record on your computer has been modified. Would you like to see more information about this problem?
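A warning of this kind rests on comparing the Master Boot Record seen at start-up with a trusted copy. As an added illustration, not code from the original article or from Dr Solomon's products, the following Python performs that baseline comparison on a constructed 512-byte MBR: it checks the 55AA boot signature, hashes the 446-byte boot-code area, and decodes the four partition entries, so that a change to the boot code alone [the usual boot sector virus pattern, which leaves the partition table intact so the disk still boots] is reported separately from a change to the partition table. The sample MBR and its single FAT16 partition entry are constructed values, not taken from any real disk.

```python
import hashlib
import struct

MBR_SIZE = 512          # one sector
CODE_AREA = 446         # bytes 0x000..0x1BD hold the boot code
TABLE_OFFSET = 446      # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xaa" # bytes 0x1FE..0x1FF must read 55 AA


def build_sample_mbr(code_fill: int) -> bytes:
    """Construct a plausible MBR for the demo (constructed sample, not a real disk image)."""
    code = bytes([code_fill]) * CODE_AREA
    # one entry: bootable (0x80), CHS start, type 0x06 (FAT16), CHS end, LBA start 63, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x0f", 63, 1_000_000)
    table = entry + b"\x00" * 48  # remaining three entries empty
    return code + table + SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into signature status, a hash of the code area and the used partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": boot == 0x80, "type": ptype,
                               "start_lba": start, "sectors": count})
    return {
        "signature_ok": mbr[510:512] == SIGNATURE,
        "code_sha256": hashlib.sha256(mbr[:CODE_AREA]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(baseline: bytes, current: bytes) -> list:
    """Compare the current MBR with a trusted baseline and return a list of findings (empty = clean)."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if b["code_sha256"] != c["code_sha256"]:
        findings.append("boot code modified")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table modified")
    return findings


if __name__ == "__main__":
    trusted = build_sample_mbr(0x90)
    print("clean:", check_mbr(trusted, trusted))
    print("code replaced:", check_mbr(trusted, build_sample_mbr(0xCC)))
```

On a live system the baseline would be taken from a known-clean boot and the current sector read during a clean start-up, before any resident code can mask it.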

There are several important things to note about this dialog:

All the viruses looked at went memory resident under Windows 95. Most of these were able to infect floppy disks, although a small number caused problems which would be noticed by the user; these are detailed below:

Stealthboot successfully infected floppy disks, but appeared to go into a continuous loop when trying to infect an infected floppy disk;

Telefonica failed to infect floppy disks;

Michelangelo successfully infected floppy disks, but an attempt to read an infected floppy disk produced a 'General Failure Reading . . .' [this occurs under DOS and Windows 3.xx also; Michelangelo was 'designed' for 360Kb floppy disks and contains a bug which leads it to mis-handle high density disks].

Several of the viruses looked at are stealth viruses; that is, they are designed to conceal themselves when active in memory [Empire Monkey, Parity.b, Stealthboot, Telefonica, Purcyst and Exebug]. All of these stealth viruses were able to stealth effectively under Windows 95. Of course, any good anti-virus product should detect stealth viruses in memory.

In general, removal was very straightforward. Most of the viruses could be removed by booting from either a DOS system disk or a Windows 95 system disk [that is, a disk formatted in a command line session, with the syntax FORMAT A: /U /S] and running

        FINDVIRU C: /REPAIR

However, in the case of Empire Monkey, an attempt to boot from a Windows 95 system disk caused the PC to hang. Our advice to users of Windows 95, therefore, is to retain their original DOS system disk; or to use Dr Solomon's 'Magic Bullet'.

(2) WINDOWS 95 AND FILE VIRUSES

All the viruses looked at are DOS file viruses [Yankee Doodle, Cascade, Jerusalem, Frodo, Tequila and Natas]. Of these, Tequila and Natas are multipartite viruses; that is, when an infected program is run, the virus then infects the partition sector [MBR]. The infected programs were run in a command line session under DOS.

Yankee Doodle and Cascade went memory resident and replicated normally; but only within a single command line session. Programs run in another command line session remained uninfected by these viruses.

Any attempt to run a program infected with Jerusalem virus caused the command line session to crash. The system as a whole remained stable, however; and this session could be closed using <Ctrl> <Alt> <Del>.

It was possible to run a program infected with Frodo. However, Windows 95 crashed [after displaying a 'fatal exception' error] when an attempt was made to task-switch. This may possibly be explained by the fact that Frodo attempts to modify the partition sector [to add its payload routine]. When the PC was re-booted, Windows 95 loaded normally. An examination of the partition sector showed it to be unchanged.

We were able to run a program infected with Natas. However, on attempting to run an uninfected program in the same command line session, Windows 95 crashed [after displaying a 'fatal exception' error]. When the PC was re-booted, Windows 95 loaded normally. An examination of the hard disk showed no signs of Natas.

Tequila successfully infected the partition sector [also KRNL386.EXE and COMMAND.COM] when an infected program was run. Tequila goes memory resident only after the PC is re-booted from an infected partition sector: however, an attempt to re-boot the system caused a 'Windows protection error' and a 'Write fault error writing device AUX' on successive re-boots.

(3) WINDOWS 95 AND MACRO VIRUSES

Concept and Nuclear viruses infected and replicated in the same way under Windows 95 as they do under Windows 3.xx [see Virus Report, Issue No. 1].

(4) PROTECTING YOUR SYSTEM

When Windows 95 is up-and-running, WinGuard provides comprehensive protection against virus infection. Any disk accessed [using Explorer or in a command line session] is checked for boot sector viruses; and files are checked when copied or executed. For additional security, WinGuard performs an initial memory check when it loads.

It is important to remember, however, that DOS lies underneath Windows 95 [if you press <Esc> during boot-up, you will see a standard AUTOEXEC.BAT loading, for example]. DOS is the active operating system until Windows 95 has loaded. Moreover, it is possible to re-boot the system in 'MS-DOS compatibility mode'. In both cases, a DOS-based TSR is required to provide on-access protection for a Windows 95 PC. VirusGuard, loaded from AUTOEXEC.BAT, provides comprehensive protection during boot-up and if the PC is booted in 'MS-DOS compatibility mode'.

(5) CONCLUSIONS

In general, boot sector viruses are able to infect and replicate successfully under Windows 95, so Windows 95 requires the same degree of anti-virus protection as a DOS/Windows 3.xx system.

This is equally true for macro viruses, which target applications like Word for Windows, rather than the operating system itself.

File viruses, and multipartite viruses, appear to have less scope to replicate under Windows 95. Some, like Cascade, are able to infect and replicate only within a single session. Others, like Jerusalem or Tequila, are likely to produce system errors. Precisely because the operation of file viruses is less 'smooth' under Windows 95, they may cause adverse side-effects which do not occur under DOS. For this reason, it is essential to deploy effective anti-virus measures which will ensure that the PC remains virus-free.