Internet Security Professional Reference:Viruses


Windows 3.1 Viruses Under Windows NT

Most of the native Windows 3.1 viruses function under Windows NT as they do under Windows 3.1.

At least one Windows 3.1 virus uses DOS Protected Mode Interface (DPMI) to hook into the standard Windows system services and establish itself as a memory-resident Windows TSR. The Ph33r virus hooks into the Windows 3.1 “EXECUTE PROGRAM” system service and is notified every time the user or another Windows 3.1 process executes a program. Upon notification, the Ph33r virus can infect the Windows 3.1 executable file before it executes.

Viruses that hook these services also work under Windows NT as they do under Windows 3.1, but with a narrower reach. Windows NT runs Windows 3.1 programs inside its 16-bit Windows subsystem, so a resident Windows 3.1 virus of the kind just described is notified only when that subsystem executes a standard Windows 3.1 (16-bit) executable. If the user launches a native 32-bit Windows NT/95 application, the 32-bit loader handles it directly; neither the Windows 3.1 subsystem nor any Windows 3.1 TSR hooked into its system services is made aware of the program's execution. Consequently, only the Windows 3.1 executables run on a Windows NT system are susceptible to infection by Windows 3.1 viruses.

Furthermore, Windows NT lets the user specify whether each Windows 3.1 application is launched in the common memory area shared with other Windows 3.1 applications or in its own separate memory area. This option exists so that users can keep Windows 3.1 applications from interfering with each other, but it also limits a resident virus: if the user loads an infected Windows 3.1 application in its own memory area, the resident virus receives no notification of system service requests from Windows 3.1 applications running in the common area, and so it can only infect programs executed from within its own memory area.

Macro Viruses Under Windows NT

All macro viruses written for applications that run on Windows 3.1 or Windows 95 function identically under Windows NT, as long as the host application itself runs correctly there. For example, because Word for Windows version 6.0 and later runs on both Windows 95 and Windows NT, the Concept virus works correctly on both platforms as well. The file-level protection provided by Windows NT (NTFS permissions) can restrict who may open or modify documents, which limits how far an infection can spread; however, macro viruses still spread through electronic mail and through documents deliberately made publicly accessible, which those permissions do not prevent. It seems likely, then, that macro viruses will continue to propagate on Windows NT systems. Given the necessity of information sharing in the enterprise environment, macro viruses could well surpass their DOS cousins as the most common viral threat.

Native Windows NT Viruses

Windows NT presents a much greater challenge to virus writers. First, the basic Windows NT operating system requires at least 12 MB of RAM, a high-speed microprocessor and tens of megabytes of hard drive space. Most machines sold today are not powerful enough to provide even a bare-bones Windows NT setup for software development; in other words, the average virus writer might not be able to afford the hardware needed to develop native Windows NT viruses.

In addition to the Windows NT hardware requirements, the native Windows NT/95 executable file format, the Portable Executable (PE) format, is considerably more complex than the DOS executable formats. Windows 3.1 employs a comparably complex format of its own, the New Executable (NE) format, which may account for the small number of native Windows 3.1 viruses. Furthermore, far less documentation is available on these file formats than on the DOS formats, so virus writers must spend time reverse engineering their structure.
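As an added example (not code from the book), the following Python script shows how a DOS, Windows 3.1 and Windows NT/95 executable are told apart from their headers alone, which is also the check that decides which loader runs a program and therefore why a 32-bit executable never reaches the Windows 3.1 subsystem described above. Every DOS and Windows executable starts with the 64-byte DOS "MZ" header; a Windows executable additionally has a relocation-table offset (e_lfarlc, at 0x18) of at least 0x40 and an e_lfanew field (at 0x3C) pointing at the "NE" signature (Windows 3.1) or the "PE\0\0" signature (Windows NT/95). The sample byte strings are constructed headers, not real programs, and the function names are the example's own.

```python
"""Classify an executable as DOS, Win16 (NE) or Win32 (PE) from its headers.

Added example: the constants follow the published MZ/NE/PE layouts, while the
sample files below are constructed headers with no code behind them.
"""
import struct
from typing import Optional

MZ_SIG = b"MZ"        # IMAGE_DOS_HEADER.e_magic
NE_SIG = b"NE"        # Windows 3.1 New Executable signature
PE_SIG = b"PE\0\0"    # Windows NT/95 Portable Executable signature
DOS_HEADER_LEN = 0x40
IMAGE_FILE_MACHINE_I386 = 0x14C


def classify_executable(data: bytes) -> str:
    """Return 'not-mz', 'dos', 'win16-ne' or 'win32-pe' for the given file bytes."""
    if len(data) < DOS_HEADER_LEN or data[:2] != MZ_SIG:
        return "not-mz"
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]   # offset of DOS relocation table
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the "new" header
    # A plain DOS program keeps its relocation table inside the first 0x40 bytes,
    # so e_lfanew is not meaningful there; the Windows loaders require
    # e_lfarlc >= 0x40 before they trust e_lfanew at all.
    if e_lfarlc < DOS_HEADER_LEN or e_lfanew < DOS_HEADER_LEN or e_lfanew + 4 > len(data):
        return "dos"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == PE_SIG:
        return "win32-pe"
    if sig[:2] == NE_SIG:
        return "win16-ne"
    # Valid-looking e_lfanew but no Windows signature: DOS runs the MZ stub.
    return "dos"


def pe_machine(data: bytes) -> Optional[int]:
    """Return IMAGE_FILE_HEADER.Machine for a PE file (0x14C = i386), else None."""
    if classify_executable(data) != "win32-pe":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # IMAGE_FILE_HEADER immediately follows the 4-byte PE signature.
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def exposed_to_win16_tsr_virus(data: bytes) -> bool:
    """Only NE images are executed by the Windows 3.1 subsystem, so only they
    can be seen (and infected) by a resident Windows 3.1 virus on Windows NT."""
    return classify_executable(data) == "win16-ne"


def _mz_header(e_lfarlc: int, e_lfanew: int) -> bytearray:
    """Build a minimal 64-byte DOS header with the two fields that matter here."""
    hdr = bytearray(DOS_HEADER_LEN)
    hdr[0:2] = MZ_SIG
    struct.pack_into("<H", hdr, 0x18, e_lfarlc)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return hdr


# Constructed samples (not real programs): a plain DOS .EXE, a Windows 3.1 NE
# image and a Windows NT/95 PE image, each with its new header at offset 0x80.
SAMPLE_DOS = bytes(_mz_header(0x1C, 0)) + b"\0" * 16
SAMPLE_NE = bytes(_mz_header(0x40, 0x80)).ljust(0x80, b"\0") + NE_SIG + b"\0" * 62
SAMPLE_PE = (bytes(_mz_header(0x40, 0x80)).ljust(0x80, b"\0") + PE_SIG
             + struct.pack("<H", IMAGE_FILE_MACHINE_I386) + b"\0" * 18)


if __name__ == "__main__":
    for name, blob in (("dos.exe", SAMPLE_DOS), ("win16.exe", SAMPLE_NE), ("win32.exe", SAMPLE_PE)):
        kind = classify_executable(blob)
        print(f"{name}: {kind}, machine={pe_machine(blob)}, "
              f"visible to Win16 TSR virus={exposed_to_win16_tsr_virus(blob)}")
```

To run it against real files, read each file's bytes and pass them to classify_executable; the e_lfarlc test is what keeps old DOS programs with stray data at 0x3C from being misread as Windows images.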

Finally, the Windows 3.1 architecture permitted Windows applications to call the standard DOS system services (INT 21h) directly, just as if they were DOS applications. This allowed virus writers with only a superficial understanding of Windows 3.1 to create viruses using standard DOS-based virus algorithms. The Windows NT and Windows 95 operating systems don't allow 32-bit applications to use the DOS system services, although Windows 3.1 programs running in these environments still may. Therefore, virus writers will have to gain a fairly detailed understanding of the Win32 API to create native Windows NT/95 viruses. This probably will keep the number of native Windows NT/95 viruses low in the short term. However, as more detailed documentation is published in popular books and magazines, the number of native Windows viruses undoubtedly will increase.

Summary

This chapter has covered, in some detail, many of the concepts and methods that virus developers use to allow their creations to replicate and execute. You have also learned how different antivirus tools attempt to protect your computing environment.

But perhaps the greatest tool available to you as an administrator is education. In this chapter, you have learned about the basic requirements a virus has in order to replicate and thrive. Current information can be found on several Internet web sites, run by both vendors and other organizations, and it may be worth your time to browse some of these sites on a regular basis.

Finally, remember that user education makes computing safer for everyone. Be sure your users know what to do or who to call if they suspect an infection may have occurred.

