MBR Infection by Booting Off an Infected Floppy Disk
The Windows NT operating system still is susceptible to this type of infection. Because NT doesn't have control of the computer during system bootup, booting from an infected floppy allows the virus to infect the MBR of any of the physical drives on the system using the usual techniques. This type of infection is quite common and you can expect to see more of the same.
MBR Infection by Running a Dropper Program or Multipartite Virus
Dropper programs and multipartite viruses infect the hard drive's MBR by using BIOS or DOS services to write directly to the hard drive. Because Windows NT prevents all such writes from within an NT DOS box, this type of infection is completely prevented while NT is running. However, if the computer also can boot to DOS or Windows 95, then the user could boot to one of these operating systems and execute the dropper program or multipartite virus normally.
The NT Bootup Process with MBR Infection
After a virus infiltrates the MBR, future system reboots allow the virus to become memory-resident in the usual fashion. In addition, if the virus contains any type of payload triggered during bootup, this trigger mechanism functions just as it would under a DOS or Windows 95 system. In this way, viruses such as Michelangelo and One-half still can cause significant damage to Windows NT systems.
Upon bootup, after the virus installs itself in memory, it passes control to the original system MBR, which then transfers control to the Windows NT boot record. The boot record then loads the Windows NT loader, which in turn loads the remainder of the operating system. During loading, NT switches into protected mode and installs its own protected-mode disk drivers. These protected-mode drivers are used for all further disk operations; consequently, the original BIOS disk drivers and any virus that hooked into these drivers are never activated or used in any way.
After Windows NT starts using its own drivers, the resident MBR virus effectively is stopped in its tracks. Furthermore, unlike Windows 95, NT doesn't support a compatibility mode that allows disk requests to be sent to the original disk drivers (and potentially a virus). These Windows NT characteristics have the following implications:
Boot record viruses are typically acquired in one of two different ways. The first method involves booting from an infected floppy disk. The second method involves running a dropper program from a DOS session that directly drops the virus onto the boot record of the active partition; multipartite computer viruses sometimes attempt this type of infection.
Boot Record Infection by Booting Off an Infected Floppy Disk
The Windows NT operating system still is susceptible to this type of infection. Because NT doesn't have control of the computer during system bootup, booting from an infected floppy allows the virus to infect the boot record of the active partition on the system using the usual techniques. This method of infection is quite common and you can expect to see more of the same.
Boot Record Infection by Running a Dropper Program or Multipartite Virus
Dropper programs and multipartite viruses infect the hard drive's boot record by using BIOS or DOS services to write directly to the hard drive. Because Windows NT prevents all such writes from within an NT DOS box, this type of infection is completely prevented while NT is running. However, if the computer can also boot to DOS or Windows 95, then its user could boot to one of these operating systems and execute the dropper program or multipartite virus normally.
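The MBR infection pattern described above (the virus replaces the boot code in sector 0 but keeps the partition table so it can still hand control to the original MBR and on to the active partition's boot record) can be detected offline by comparing a freshly read MBR against a known-good baseline. The following is an added example, not code from the book: it parses a 512-byte MBR, hashes the boot-code and partition-table regions separately, and reports the "code changed, table intact" combination as suspect. The sample sectors are constructed here; the helper names are this example's own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 0x1BE          # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xAA"          # bytes 510-511 of a valid MBR

def parse_mbr(sector):
    """Split a 512-byte MBR into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:PART_TABLE_OFF]
    table = sector[PART_TABLE_OFF:PART_TABLE_OFF + 64]
    parts = []
    for i in range(4):
        entry = table[i * 16:(i + 1) * 16]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:                         # type 0 means an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:] == BOOT_SIG,
            "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "table_sha256": hashlib.sha256(table).hexdigest(),
            "partitions": parts}

def classify_change(baseline, current):
    """Compare a current MBR parse against a known-good one."""
    if not current["signature_ok"]:
        return "invalid"                       # not a bootable MBR at all
    code_changed = baseline["boot_code_sha256"] != current["boot_code_sha256"]
    table_changed = baseline["table_sha256"] != current["table_sha256"]
    if code_changed and not table_changed:
        return "suspect"                       # MBR-infector pattern: new code, same table
    if code_changed or table_changed:
        return "changed"                       # e.g. repartitioned or loader reinstalled
    return "clean"

def build_sample_mbr(boot_code):
    """Constructed sample: one active type-0x07 (NTFS) partition plus given boot code."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 2_000_000)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[510:] = BOOT_SIG
    return bytes(sector)

CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20)  # constructed
INFECTED_MBR = build_sample_mbr(b"\xEB\x10" + b"\x90" * 30)  # constructed: same table, new code

if __name__ == "__main__":
    base = parse_mbr(CLEAN_MBR)
    print(classify_change(base, parse_mbr(CLEAN_MBR)))     # clean
    print(classify_change(base, parse_mbr(INFECTED_MBR)))  # suspect
```

On a real system the baseline hash would be recorded from a known-clean MBR and the current sector read from the raw disk device while booted from trusted media, since the page notes that NT's own protected-mode drivers never touch the infected code path once the system is up.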