Internet Security Professional Reference:Viruses


DOS File Viruses Under a Windows NT DOS Box

Most DOS file viruses function properly under a Windows NT DOS box. Direct action file viruses function in exactly the same manner as they would under a standard DOS or Windows 95 system. These viruses typically use the standard DOS system services that are thoroughly emulated in Windows NT DOS boxes.

Usually, memory-resident file viruses can stay memory-resident within the confines of a Windows NT DOS box. After the virus becomes resident within a given DOS box, it can infect any programs accessed or executed within that DOS box, assuming the user who launched the virus has write access to the target program. The virus cannot spread to other DOS boxes, however, because each DOS box has its own protected memory space. Still, nothing prevents a user from executing infected programs in several DOS boxes. Thus, several independent copies of the virus can be active and infectious at once. Furthermore, if the virus in question has infected the command shell (for example, CMD.EXE or NDOS.COM) used in Windows NT DOS boxes, then every time the user opens a new DOS box, she will automatically launch the memory-resident virus into the box’s memory space. As a result, memory scanning should be performed on a per-DOS box basis.

Windows NT faithfully emulates most DOS functionality within its DOS boxes, and in some ways provides more compatible support than Windows 95 DOS boxes. Memory-resident viruses that hook into the DOS system services within a DOS box can gain control and infect files any time DOS or other programs utilize the system services.

When a user executes a DOS program on a standard DOS machine (without using Windows NT or Windows 95), for example, the command shell generates an “EXECUTE PROGRAM” system service request to the DOS kernel. Many viruses intercept this system service to infect program files as the user executes them. Windows NT faithfully provides the same functionality in its DOS boxes and allows viruses to intercept this system service and infect at will.

Windows NT also enables users to launch native Windows applications directly from the DOS box’s command line. Under the NDOS command shell, any Windows (NT/95/3.1) program that is launched from a DOS box’s command line will cause the NDOS command interpreter to generate an “EXECUTE PROGRAM” system service request. Thus, if a memory-resident virus were to hook into the EXECUTE system service, it could potentially infect these Windows programs as they are executed. However, most DOS viruses cannot correctly infect native Windows executable programs. Interestingly, the default command shell (CMD.EXE) that ships with Windows NT doesn’t generate the EXECUTE system service request when Windows executables are launched from a DOS box; thus, memory-resident computer viruses cannot infect native Windows programs launched from a CMD.EXE-based NT DOS box.

Damage by File Viruses Under a Windows NT DOS Box

Windows NT does provide file-level access control, which prevents protected files from being modified by DOS-based file viruses. The access control provided by Windows NT is significantly more robust than DOS’s simple read-only attribute and can’t be bypassed by DOS programs. However, if an infected program is run by a system operator with root privileges, or if the Windows NT system is set up without access control, the virus can modify every file to which the operator has access.

Assuming that the typical Windows NT configuration doesn’t use NT’s security features, viruses have the same potential to damage files as they did on a standard MS-DOS system. Viruses that corrupt program files unintentionally during the infection process can still do so under Windows NT DOS boxes. However, file viruses that attempt to trash the hard drive using direct disk access are thwarted under Windows NT because Windows NT prevents all direct access to hard drives.

Although Windows NT does prevent DOS programs from writing directly to hard drives, it doesn’t prevent DOS programs from writing directly to floppy disks. Thus, multipartite DOS viruses launched from within a DOS box can potentially infect or damage floppy disks. Most multipartite viruses, however, attempt to infect the hard drive’s MBR or boot record to gain control during bootup when launched from an infected DOS program. Because Windows NT prevents these direct disk writes from within a DOS box, these viruses are likely to be neutered.

File Virus Infections Under Windows NT—Outside of a DOS Box

DOS-based file viruses function properly only within a DOS box under Windows NT. Under all other circumstances, these viruses fail to function correctly and are nonviral.

DOS File Viruses Under Windows NT—System Susceptibility during Bootup

DOS-based viruses require the DOS kernel and other real-mode data structures to function. Because NT doesn’t utilize DOS in its operation, these data structures necessarily are absent during Windows NT bootup. Should one of the files responsible for Windows NT bootup become infected with a DOS-based computer virus, Windows NT most likely won’t be able to load properly. The absence of the DOS kernel during bootup probably will cause any infected executable to crash once the virus begins executing.

DOS File Viruses—The Bottom Line

Most DOS file viruses should propagate under Windows NT DOS boxes just as they do on standard DOS systems. The built-in Windows NT file and directory protection prevents infection of protected files; however, the system must be explicitly configured to provide this protection. Unfortunately, many users might not be aware of this protection; others might feel inconvenienced by it and disable it.
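The chapter's point is that a DOS file virus in a DOS box can only write to files the launching user can write to, so the binaries it most wants (the command shell that spawns every new DOS box) must not be writable by ordinary users. The following is an added audit script, not part of the book: it reports any allow entry on the shell executables that grants write rights to a principal other than the trusted ones. The file paths and the trusted-principal list are assumptions to adjust for the installation being checked.

```powershell
# Added example (not from the book): flag DOS-box command shells that are
# writable by non-administrative principals. Under NT's access control a
# DOS virus can only infect files its user can write; if the shell binary
# itself is user-writable, an infected shell re-launches the resident virus
# into every new DOS box.
# Paths are assumed defaults, not taken from the book.
$shells = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\command.com",   # 16-bit DOS shell, if present
    "C:\NDOS\NDOS.COM"                         # assumed NDOS install location
)

# Principals expected to hold write access on system binaries (assumed list).
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Any of these rights lets a program change the file's contents.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

foreach ($path in $shells) {
    if (-not (Test-Path -Path $path)) { continue }
    $acl  = Get-Acl -Path $path
    # Keep only Allow entries that carry a write right and are held by an
    # identity outside the trusted set.
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $writeMask) -ne 0 -and
        $trusted -notcontains $_.IdentityReference.Value
    }
    if ($weak) {
        Write-Output "WEAK  $path"
        $weak | ForEach-Object {
            Write-Output ("      {0,-35} {1}" -f $_.IdentityReference.Value, $_.FileSystemRights)
        }
    } else {
        Write-Output "OK    $path (owner: $($acl.Owner); write access limited to trusted principals)"
    }
}
```

A "WEAK" line means a DOS box launched by that principal could infect the shell, and the per-DOS-box memory scanning the chapter describes becomes necessary rather than optional.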

Under Windows NT, multipartite viruses can no longer infect hard drive boot records or master boot records from within DOS boxes. If the virus relies upon this behavior for propagation, Windows NT’s direct-disk access restrictions will neuter it. However, multipartite file viruses still can infect floppy disk boot records if so inclined, although rarely are they so inclined.

DOS file viruses function only within DOS boxes. Although native Windows NT system files can become infected by direct action viruses that search for files all over the hard drive, the infected system files are most likely to fail to function properly and crash the machine during Windows NT bootup.

If a resident DOS file virus launches from within a DOS box, only files referenced from within the infected DOS box can become infected. Any Windows NT antivirus product that executes outside of a DOS box, such as in a 32-bit Windows application, can safely scan the computer without infecting clean files; memory scanning isn’t necessary to properly detect and repair virus infections.
