
VX Heavens


Windows 95 and Viruses

Alan Solomon


Shortly after Windows 95 was released, we carried out a series of tests designed to see what effect boot sector viruses and DOS executable file viruses would have on the [new] operating system.

More recently [December 1997], we looked again at the impact of boot sector viruses on Windows 95, with quite different results. These tests were carried out on a PC running Windows 95B, using a 32-bit FAT [File Allocation Table].

The PC was first infected with Parity.b. When the PC was re-booted normally, Windows 95 indicated that the hard disk may be infected [displaying the message, 'Your PC may have a virus. The Master Boot Record has been modified.'] and reported that the system was using 'MS-DOS compatibility mode' [rather than its native 32-bit file system]. The virus was memory resident [this was confirmed using FindVirus], but failed to infect a floppy disk accessed in the PC [via a DOS command session or using Windows Explorer].

The results were the same when the PC was infected with Michelangelo.

When the PC was infected with Exebug.d, the PC crashed on boot-up [this happened also on a PC running MS-DOS]. When the PC was re-booted normally, Windows 95 indicated that the hard disk may be infected [displaying the message, 'Your PC may have a virus. The Master Boot Record has been modified.'] and reported that the system was using 'MS-DOS compatibility mode' [rather than its native 32-bit file system]. The virus was memory resident [this was confirmed using FindVirus], but failed to infect a floppy disk accessed in the PC [via a DOS command session or using Windows Explorer]. After removing the virus, Windows 95 loaded in safe mode; but loaded normally after a subsequent re-boot.

Jumper virus produced different results. When the infected PC was re-booted normally, there was no warning that the MBR may be infected. Moreover, 32-bit file access was unaffected. [This is not surprising. Unlike most boot sector viruses, Jumper does not hook interrupt 13; and so does not affect 32-bit file access.] Other than this, the effects were the same. The virus was memory resident [this was confirmed using FindVirus], but failed to infect a floppy disk accessed in the PC [via a DOS command session or using Windows Explorer].

When the PC was infected with Form virus, the PC failed to boot [displaying the message, 'Type the name of the Command Interpreter (e.g. C:\WIN\COMMAND.COM)']. When the PC was booted with a system disk, the hard disk was inaccessible ['Invalid media type reading drive C']. This is not surprising: Form infects the boot sector of hard disks, but the boot sector [which occupies three sectors] has changed since the introduction of a 32-bit FAT. The PC booted normally after the virus had been removed.
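The Form result above turns on the layout of the FAT32 boot region. As an added example [not part of the original article], the following Python check reads a raw FAT32 volume image and reports when the primary boot sectors no longer match their backup copy. It assumes 512-byte sectors and relies on the FAT32 backup boot sector [pointed to by BPB_BkBootSec, conventionally sector 6], which the article does not mention; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512  # assumed sector size for this example


def check_fat32_boot_region(image: bytes) -> list[str]:
    """Return findings for the boot region of a raw FAT32 volume image."""
    findings = []
    primary = image[:SECTOR]
    if len(primary) < SECTOR:
        return ["image shorter than one sector"]
    if primary[510:512] != b"\x55\xaa":
        findings.append("sector 0: missing 0x55AA signature")
    if primary[82:90] != b"FAT32   ":
        findings.append("sector 0: FAT32 type string missing from BPB")
    # BPB_BkBootSec (offset 50) locates the backup copy; a damaged sector 0
    # may hold garbage here, so fall back to the conventional sector 6.
    (backup_lba,) = struct.unpack_from("<H", primary, 50)
    if backup_lba == 0 or (backup_lba + 3) * SECTOR > len(image):
        findings.append("sector 0: backup pointer invalid, assuming sector 6")
        backup_lba = 6
    # Sector 1 (FSInfo) changes at runtime, so compare only sectors 0 and 2.
    for rel in (0, 2):
        a = image[rel * SECTOR:(rel + 1) * SECTOR]
        b = image[(backup_lba + rel) * SECTOR:(backup_lba + rel + 1) * SECTOR]
        if a != b:
            findings.append(
                f"sector {rel}: differs from backup at sector {backup_lba + rel}")
    return findings


def build_sample_volume() -> bytearray:
    """Constructed 9-sector image: boot region, gap, backup (sample data)."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x58\x90"               # jump over the BPB
    struct.pack_into("<H", boot, 11, SECTOR)  # bytes per sector
    struct.pack_into("<H", boot, 50, 6)       # BPB_BkBootSec
    boot[82:90] = b"FAT32   "
    boot[510:512] = b"\x55\xaa"
    blank = bytearray(SECTOR)
    blank[510:512] = b"\x55\xaa"
    region = bytes(boot) + bytes(blank) + bytes(blank)
    return bytearray(region + bytes(3 * SECTOR) + region)
```

An empty list means the primary boot sectors agree with the backup; on a real volume the image would be the first sectors of the partition, read with a disk imaging tool.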

The PC crashed on boot-up after infection with Dodgy virus. When the PC was re-booted normally, there was no warning that the MBR may be infected. However, the system reported that 'Some drives are using MS-DOS compatibility'. Unlike the other viruses used in the tests, Dodgy successfully infected floppy disks [via a DOS command session or using Windows Explorer]. The reason for this is that Dodgy deletes the file C:\WINDOWS\SYSTEM\IOSUBSYS\HSFLOP.PDR, the file responsible for Windows 95's direct file access.
