Internet Security Professional Reference:Viruses


MBR Infection by Booting Off an Infected Floppy Disk

The Windows NT operating system still is susceptible to this type of infection. Because NT doesn’t have control of the computer during system bootup, booting from an infected floppy allows the virus to infect the MBR of any of the physical drives on the system using the usual techniques. This type of infection is quite common and you can expect to see more of the same.

MBR Infection by Running a Dropper Program or Multipartite Virus

Dropper programs and multipartite viruses infect the hard drive’s MBR by using BIOS or DOS services to directly write to the hard drive. Because Windows NT prevents all such writes from within an NT DOS box, this type of infection is completely prevented while NT is running. However, if the computer also can boot to DOS or Windows 95, then the user could boot to one of these operating systems and execute the dropper program or multipartite virus normally.

The NT Bootup Process with MBR Infection

After a virus infiltrates the MBR, future system reboots allow the virus to become memory-resident in the usual fashion. In addition, if the virus contains any type of payload triggered during bootup, this trigger mechanism functions just as it would under a DOS or Windows 95 system. In this way, viruses such as Michelangelo and One-half still can cause significant damage to Windows NT systems.

Upon bootup, after the virus installs itself in memory, it passes control to the original system MBR, which then transfers control to the Windows NT boot record. The boot record then loads the Windows NT loader, which in turn loads the remainder of the operating system. During loading, NT switches into protected mode and installs its own protected-mode disk drivers. These protected-mode drivers are used for all further disk operations; consequently, the original BIOS disk drivers and any virus that “hooked” into these drivers are never activated or used in any way.

After Windows NT starts using its own drivers, the resident MBR virus effectively is stopped in its tracks. Furthermore, unlike Windows 95, NT doesn’t support a “compatibility mode” that allows disk requests to be sent to the original disk drivers (and potentially a virus). These Windows NT characteristics have the following implications:

  MBR viruses can’t infect other floppy disks after Windows NT has loaded.
  Under DOS and Windows 95 systems, some viruses (such as the Ripper virus) have the capability to hook into direct disk services that are provided by the computer’s BIOS, and maliciously alter data during disk accesses. Under Windows NT, the virus still can alter bytes retrieved or stored to the disk while the original BIOS disk drivers are used during bootup. Thus, all components of the operating system that are read from disk before the protected-mode disk drivers are employed may become corrupted. However, as soon as the operating system starts using the protected-mode disk drivers, the virus is disabled and can do no further damage.
  During bootup, the One-half virus encrypts information on the hard drive (on DOS, Windows 95, or Windows NT). On DOS and Windows 95 systems, the One-half virus dynamically decrypts these sectors as they are accessed by the operating system. Because Windows NT cuts the virus off entirely once its protected-mode drivers are loaded, all encrypted sectors remain encrypted and are not dynamically decrypted by the virus. This results in data loss.
  Stealth viruses cannot function properly after NT loads because the virus routines are never given control. This makes these viruses easy to detect but can cause other problems (see next item).
  MBR viruses, such as Monkey (which don’t maintain a partition table in the infected MBR sector), cause infected drives to be inaccessible to Windows NT. This occurs because Windows NT reads the partition table from the MBR to determine what logical drives are present on the system using protected-mode disk drivers. Because the protected-mode drivers are used, the virus stealth mechanism is bypassed and the virus cannot present the original, decrypted partition table. As a result, Windows NT reads a garbled partition table and cannot identify the logical drives on the system. Under DOS and Windows 95 systems, the active stealth capabilities of the virus allow it to provide the operating system with the original partition table information, avoiding this problem. (Contrast with following item.)
  If the virus doesn’t modify the partition table of the MBR, then Windows NT should behave normally, assuming the virus has no payloads that trigger during system bootup.
  On computer systems that contain no default operating system at the time of Windows NT installation, the Windows NT installation program may choose to start the Windows NT partition on the hard drive’s zeroth cylinder, immediately following the MBR. Consequently, the Windows NT boot sector and operating system loader may occupy sectors on the zeroth cylinder of the hard drive. Most MBR viruses place the original, uninfected MBR sector in this same region. In these instances, the virus can overwrite the Windows NT boot sector or loader program and cause the operating system to crash during bootup.
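The Monkey item and the zeroth-cylinder item above both come down to what Windows NT's protected-mode driver finds when it reads the 512-byte MBR itself. The following Python check is an added example (not from the book) that parses the partition table and flags the two conditions described: a table that is absent or garbled, and a partition that starts inside track 0 (assumed here to be LBA 1 to 62, the region where the original MBR is typically stashed). The sample MBRs are constructed inline, with CHS fields left zero.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"       # signature expected at offset 510 of a valid MBR
FIRST_TRACK_SECTORS = 63     # assumption: LBA 1..62 is track 0, the usual stash area for the original MBR

def parse_partition_table(mbr):
    """Decode the four 16-byte entries at offset 446: status, type, start LBA, sector count."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, start, size = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "start_lba": start, "sectors": size})
    return entries

def check_mbr(mbr):
    """Return findings explaining why NT's protected-mode read of this MBR would fail or be risky."""
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    entries = parse_partition_table(mbr)
    if all(e["type"] == 0 for e in entries):
        findings.append("no partition entries: table absent, as with a Monkey-style infected MBR")
    for i, e in enumerate(entries):
        if e["type"] == 0:
            continue                      # unused slot
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02x}, table looks garbled")
        if e["start_lba"] == 0 or e["sectors"] == 0:
            findings.append(f"entry {i}: zero start or size")
        elif e["start_lba"] < FIRST_TRACK_SECTORS:
            findings.append(f"entry {i}: starts at LBA {e['start_lba']} inside track 0, "
                            "where MBR viruses stash the original sector")
    return findings

def build_mbr(entries, sig=BOOT_SIG):
    """Build a constructed sample MBR: zeroed code area plus (status, type, start_lba, sectors) entries."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return bytes(446) + table + sig

# Constructed samples, not captured from a real disk.
CLEAN_MBR = build_mbr([(0x80, 0x07, 63, 204800)])      # partition begins on track 1
TRACK0_MBR = build_mbr([(0x80, 0x07, 1, 204800)])      # partition placed right after the MBR
ZEROED_MBR = build_mbr([])                              # partition table wiped
GARBLED_MBR = bytes(446) + b"\xE5" * 64 + BOOT_SIG      # virus code overlaying the table

if __name__ == "__main__":
    for name, mbr in [("clean", CLEAN_MBR), ("track0", TRACK0_MBR),
                      ("zeroed", ZEROED_MBR), ("garbled", GARBLED_MBR)]:
        print(name, check_mbr(mbr) or ["ok"])
```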

Boot Record Viruses Under Windows NT

Boot record viruses are typically acquired in one of two different ways. The first method involves booting from an infected floppy disk. The second method involves running a “dropper” program from a DOS session that directly “drops” the virus onto the boot record of the active partition; multipartite computer viruses sometimes attempt this type of infection.

Boot Record Infection by Booting Off an Infected Floppy Disk

The Windows NT operating system still is susceptible to this type of infection. Because NT doesn’t have control of the computer during system bootup, booting from an infected floppy allows the virus to infect the boot record of the active partition on the system using the usual techniques. This method of infection is quite common and you can expect to see more of the same.

Boot Record Infection by Running a Dropper Program or Multipartite Virus

Dropper programs and multipartite viruses infect the hard drive’s boot record by using BIOS or DOS services to directly write to the hard drive. Because Windows NT prevents all such writes from within an NT DOS box, this type of infection will be completely prevented while NT is running. However, if the computer can also boot to DOS or Windows 95, then its user could boot to one of these operating systems and execute the dropper program or multipartite virus normally.
