Internet Security Professional Reference:Viruses


Preventing and Repairing Executable File Viruses

The best way to prevent file viruses is to scan every incoming program with a virus scanner. If your organization uses a medium-to-large-sized network, you should scan all incoming files on a stand-alone PC before they are used on any machine connected to the network.

Behavior blockers also can be used to detect virus activity for those new viruses that sneak past the antivirus scanner.

Even the seasoned user considers repairing file virus infections difficult. The most effective way to repair infected program files is to replace them from uninfected, backup copies. If backups are not available, use an antivirus program to repair the infected executable files.

Repairing Files Infected with a Read-Stealth Virus

Although file virus repair is usually best left to an antivirus program, it is possible, in some instances, for the user to repair files that are infected by a read-stealthing virus.

While the virus is memory resident on the computer, complete the following steps:

1.  Copy every .EXE executable file to an extension of .XEX.
2.  Copy every .COM executable file to an extension of .MOC.
3.  Delete all EXE and COM files on the machine, leaving only the backed-up copies.
4.  Cold boot from a write-protected, uninfected DOS floppy boot disk.
5.  Rename all .XEX files to .EXE and all .MOC files to .COM.
6.  Reboot the computer.

When the user copies the PROGRAM.EXE file to the PROGRAM.XEX file, the DOS command shell generates two “open file” system service requests to open PROGRAM.EXE and PROGRAM.XEX. The virus’ resident handler intercepts the first request, determines that it’s dealing with an infected executable program, and disinfects the program, writing the cleansed program back to the disk.

The virus also intercepts the second “open file” request, but because this file is not an executable file (the extension is not .COM or .EXE), it does not perform any further processing on the file. The recently cleansed version of the program is then copied to the XEX file, and the DOS command shell issues two “close file” service requests.

Again, the virus intercepts both requests. The first request closes the PROGRAM.EXE file. The virus detects that it’s dealing with an executable program (the extension is .EXE), and reinfects the program. However, the second request closes the PROGRAM.XEX file which, according to the virus, is not an executable file. Thus, the file is closed normally, and contains the uninfected contents of the original .EXE file. Next, the user deletes the infected .EXE, leaving the uninfected .XEX file.

At this point, the virus has been removed from the copy of the executable file, but it is still resident in the computer's memory. Therefore, the user must boot from an uninfected DOS floppy disk, so that the virus never has a chance to install itself into memory. After the user boots from the floppy, he can safely rename each backed-up file to its original name; because the virus is not resident on the computer, it cannot intercept the “file open” and “file close” system service requests to reinfect the programs.

So How Do the Antivirus Programs Do It?

Antivirus programs typically use their virus scanner component to detect and repair infected program files. If a file is infected by a nonoverwriting virus (one that allows the original program to execute after it does its dirty work), then the program can most likely be repaired successfully.

When a nonoverwriting virus infects an executable file, it must store certain information about the host program within its viral body. This information is used to execute the original program after the virus finishes executing. If this information is present in the virus, the antivirus program can locate it, decrypt it if necessary, and copy it back to the appropriate areas of the host file. Finally, the antivirus program can “cut” the virus from the file.
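The repair described above, as an added example that is not part of the original text: a generic disinfector for a hypothetical appending COM infector. The layout (body length, where the saved host bytes sit, an optional XOR key) is an assumption supplied by the caller, standing in for what a scanner would know from its signature database. The routine verifies that the file really matches the layout before touching it, restores the saved header bytes (decrypting them if necessary) and cuts the body off the end; the fixture builder only constructs a test image with that layout and carries no executable payload.

```python
"""Generic repair of a COM file infected by a hypothetical appending,
non-overwriting virus. Constructed example; no real virus family is modelled."""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppenderLayout:
    """What the scanner knows about one (hypothetical) appending COM infector.
    Offsets are relative to the start of the appended viral body."""
    name: str
    body_len: int           # total length of the appended body
    saved_header_off: int   # where the original first 3 host bytes are stored
    xor_key: int = 0        # 0 means the saved bytes are stored in the clear


def _jmp_target(data: bytes) -> Optional[int]:
    """Decode a near JMP rel16 (E9 lo hi) at file offset 0.
    The target is relative to the next instruction, i.e. offset 3."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", data, 1)[0]
    return 3 + rel


def repair_com(data: bytes, layout: AppenderLayout) -> Optional[bytes]:
    """Return the disinfected host image, or None if the file does not match
    the layout (clean file, truncated file, or a different infector)."""
    body_start = len(data) - layout.body_len
    if body_start < 3:
        return None                      # too short to hold host + body
    if _jmp_target(data) != body_start:
        return None                      # entry JMP does not land on the body
    off = body_start + layout.saved_header_off
    saved = bytes(b ^ layout.xor_key for b in data[off:off + 3])
    if len(saved) != 3:
        return None                      # saved header lies outside the file
    host = bytearray(data[:body_start])  # "cut" the body from the file
    host[0:3] = saved                    # restore the original entry bytes
    return bytes(host)


def build_fixture(host: bytes, layout: AppenderLayout) -> bytes:
    """Constructed test image: host with its first 3 bytes replaced by a JMP
    to an inert filler body that stores the (optionally XORed) originals."""
    body = bytearray(b"\x90" * layout.body_len)
    saved = bytes(b ^ layout.xor_key for b in host[:3])
    body[layout.saved_header_off:layout.saved_header_off + 3] = saved
    infected = bytearray(host)
    infected[0:3] = b"\xE9" + struct.pack("<h", len(host) - 3)
    return bytes(infected + body)


# Constructed sample host (40 arbitrary bytes) and a hypothetical layout.
SAMPLE_HOST = bytes(range(0xB4, 0xB4 + 40))
SAMPLE_LAYOUT = AppenderLayout(name="Example.COM.A", body_len=64,
                               saved_header_off=10, xor_key=0x5A)

if __name__ == "__main__":
    infected = build_fixture(SAMPLE_HOST, SAMPLE_LAYOUT)
    print("repaired ok:", repair_com(infected, SAMPLE_LAYOUT) == SAMPLE_HOST)
    print("clean file untouched:", repair_com(SAMPLE_HOST, SAMPLE_LAYOUT) is None)
```

The JMP check is what keeps the routine from "repairing" a clean program or one hit by a different infector: if the entry jump does not land exactly where the layout says the body begins, the file is left alone and reported for manual handling.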

Alternatively, the antivirus program can use integrity information to repair infected programs. See “Integrity Checkers” for more information.

Preventing and Repairing Macro Viruses

Currently, no foolproof way to prevent macro virus infection exists. Be sure to scan all incoming documents with an antivirus scanner before editing or even viewing them.

The best way to repair a macro virus infection is to use an antivirus program. Most of the major antivirus manufacturers are adding macro detection and repair capabilities to their antivirus scanners. Microsoft is also distributing a macro-based antivirus program to remove the Word for Windows Concept virus. (This shows how powerful the macro language is!)

Profile: Virus Behavior Under Windows NT

The Windows NT operating system constitutes a paradigm shift from other Microsoft operating systems. It differs from other current PC operating systems in several ways:

  Doesn’t rely on a resident DOS kernel for system services.
  Currently supports four different file systems: a FAT-based file system, OS/2’s HPFS, the new NTFS file system, and the Macintosh file system (on NT servers). An OLE file system is currently under development.
  Doesn’t rely upon the computer’s ROM BIOS disk drivers, and comes with NT-specific software drivers to perform all low-level disk access functions.
  Automatically prevents all DOS programs executed in DOS boxes from directly writing to hard drives.

This section describes the major virus types and how they function under Windows NT, and native Windows NT viruses.

Master Boot Record Viruses Under Windows NT

MBR viruses typically are acquired in one of two different ways. The first method involves booting off of an infected floppy disk. The second method involves running a “dropper” program from a DOS session that directly “drops” the virus onto the hard drive’s MBR; multipartite computer viruses sometimes attempt this type of infection.
