
VX Heaven


Windows 95 and Viruses

Alan Solomon


Shortly after Windows 95 was released, we carried out a series of tests designed to see what effect boot sector viruses and DOS executable file viruses would have on the [new] operating system.

More recently [December 1997], we looked again at the impact of boot sector viruses on Windows 95, with quite different results. These tests were carried out on a PC running Windows 95B, using a 32-bit FAT [File Allocation Table].

The PC was first infected with Parity.b. When the PC was re-booted normally, Windows 95 indicated that the hard disk may be infected [displaying the message, 'Your PC may have a virus. The Master Boot Record has been modified.'] and reported that the system was using 'MS-DOS compatibility mode' [rather than its native 32-bit file system]. The virus was memory resident [this was confirmed using FindVirus], but failed to infect a floppy disk accessed in the PC [via a DOS command session or using Windows Explorer].

The results were the same when the PC was infected with Michelangelo.

When the PC was infected with Exebug.d, the PC crashed on boot-up [this happened also on a PC running MS-DOS]. When the PC was re-booted normally, Windows 95 indicated that the hard disk may be infected [displaying the message, 'Your PC may have a virus. The Master Boot Record has been modified.'] and reported that the system was using 'MS-DOS compatibility mode' [rather than its native 32-bit file system]. The virus was memory resident [this was confirmed using FindVirus], but failed to infect a floppy disk accessed in the PC [via a DOS command session or using Windows Explorer]. After removing the virus, Windows 95 loaded in safe mode; but loaded normally after a subsequent re-boot.

Jumper virus produced different results. When the infected PC was re-booted normally, there was no warning that the MBR may be infected. Moreover, 32-bit file access was unaffected. [This is not surprising. Unlike most boot sector viruses, Jumper does not hook interrupt 13; and so does not affect 32-bit file access.] Other than this, the effects were the same. The virus was memory resident [this was confirmed using FindVirus], but failed to infect a floppy disk accessed in the PC [via a DOS command session or using Windows Explorer].

When the PC was infected with Form virus, the PC failed to boot [displaying the message, 'Type the name of the Command Interpreter (e.g. C:\WIN\COMMAND.COM)']. When the PC was booted with a system disk, the hard disk was inaccessible ['Invalid media type reading drive C']. This is not surprising. Form infects the boot sector of hard disks. However, the boot sector [which occupies three sectors] has changed since the introduction of a 32-bit FAT. The PC booted normally after the virus had been removed.
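The following is an added example, not part of the original article: a check a responder could run on the first sectors of a volume that reports 'Invalid media type', testing whether sector 0 still carries a coherent FAT32 BIOS Parameter Block and whether it matches the backup boot sector. The field offsets and the backup copy at sector 6 are assumptions taken from the published FAT32 layout, and the sample image is constructed.

```python
import struct

SECTOR = 512
BACKUP_SECTOR = 6  # assumption: conventional FAT32 backup boot sector location

def parse_bpb(sector):
    """Decode the BPB fields that separate FAT12/16 from FAT32."""
    bps, spc, _reserved, fats, _root = struct.unpack_from("<HBHBH", sector, 11)
    (fat16,) = struct.unpack_from("<H", sector, 22)   # 0 on FAT32
    (fat32,) = struct.unpack_from("<I", sector, 36)   # FAT32-only field
    return {"bps": bps, "spc": spc, "fats": fats, "fat16": fat16, "fat32": fat32}

def check_boot_sector(sector):
    """Return (kind, problems) for one 512-byte boot sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    b, problems = parse_bpb(sector), []
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 0x55AA signature")
    if b["bps"] not in (512, 1024, 2048, 4096):
        problems.append("implausible bytes per sector")
    if b["spc"] not in (1, 2, 4, 8, 16, 32, 64, 128):
        problems.append("implausible sectors per cluster")
    if b["fats"] == 0:
        problems.append("no FAT copies")
    if b["fat16"] == 0 and b["fat32"] == 0:
        problems.append("no FAT size")
    if problems:
        return "unknown", problems
    return ("FAT32" if b["fat16"] == 0 else "FAT12/16"), problems

def backup_matches(image):
    """True when sector 0 equals the backup boot sector copy."""
    copy = image[BACKUP_SECTOR * SECTOR:(BACKUP_SECTOR + 1) * SECTOR]
    return image[:SECTOR] == copy

def make_image(damaged):
    """Constructed sample: 32 reserved sectors of a FAT32 volume, not a real dump."""
    good = bytearray(SECTOR)
    struct.pack_into("<HBHBH", good, 11, 512, 8, 32, 2, 0)
    struct.pack_into("<I", good, 36, 4000)
    good[510:512] = b"\x55\xaa"
    image = bytearray(SECTOR * 32)
    image[0:SECTOR] = good
    image[BACKUP_SECTOR * SECTOR:(BACKUP_SECTOR + 1) * SECTOR] = good
    if damaged:  # stand-in for an overwritten sector 0: blank apart from the signature
        image[0:SECTOR] = bytes(510) + b"\x55\xaa"
    return bytes(image)
```

On the constructed damaged image, sector 0 fails every BPB check while the copy at sector 6 still parses as FAT32, which is the state in which the backup can be used to restore the boot sector.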

The PC crashed on boot-up after infection with Dodgy virus. When the PC was re-booted normally, there was no warning that the MBR may be infected. However, the system reported that 'Some drives are using MS-DOS compatibility'. Unlike the other viruses used in the tests, Dodgy successfully infected floppy disks [via a DOS command session or using Windows Explorer]. The reason for this is that Dodgy deletes the file C:\WINDOWS\SYSTEM\IOSUBSYS\HSFLOP.PDR, the file responsible for Windows 95's direct file access.
