"Computer virus" is a phrase that strikes fear into the hearts of both computer professionals and end users. What is a virus, and more importantly, how can it affect Windows NT?
To define what a computer virus is, let's start with the definition of a common virus taken from the Oxford American Dictionary: "a very simple organism...capable of causing disease." If you extrapolate this to the computer world, you get a good definition of a computer virus: "a very simple piece of software code, written with the intent of causing system malfunctions." This is fairly generalized, but it is an accurate description for our purposes.
Although today there are literally thousands of computer viruses, they have all sprung up in the last few years. It wasn't until the latter half of the 1980s that computer viruses began to appear. Many of the first viruses were written as proof of concept, not always with ill intent in mind.
Just as human viruses spread with contact, so do computer viruses. If you want to avoid catching a virus, you could simply hide out in your house and have no interaction with other people. Similarly, if you want to prevent any chance of your computer catching a virus, you can keep it from communicating with other computers by never connecting it to a network and never inserting a floppy disk or CD-ROM. But, quite frankly, that takes most of the use, and all of the fun, out of using a computer. Computer connectivity is becoming an increasingly important medium in our information-based society, and simply disassociating yourself is not a solution.
How do viruses spread? I defined a virus as a simple piece of code that does unwanted and often malicious things. How does this code get into someone's computer? Usually this is accomplished by piggybacking onto another piece of useful, or good, code. For instance, you write a piece of virus code and then attach it to a game. Whenever the game is loaded, you have the viral code look around the hard drive for other programs. The code then copies parts of itself into the start-up routines of these other programs. Now these other programs are infected. Attaching a piece of viral code onto a piece of software that is otherwise attractive is a common method of distribution.
To make matters worse, there are other ways of spreading viruses that many people don't know about. A piece of viral code can be stored anywhere where there are instructions that will be executed by a computer. This includes the boot record of a disk, as well as macro functions, including those in office automation applications such as Microsoft Office.
To set the record straight, Windows NT is not immune to viruses in any way. Too many people have to find this out the hard way before taking action. The misconceptions of NT's alleged virus resistance mostly come from exaggerated tales of NT's Hardware Abstraction Layer (HAL). The HAL prevents software routines from writing directly to hardware, thus making NT resistant to one of the more common techniques used by viruses to assist in their propagation. Also, because NT prevents one 32-bit application from accessing the memory space of another 32-bit application, Windows NT can prevent viruses that spread by loading into memory and then watching for other programs to load.
To many people, that might sound pretty good. The problem is viruses that employ additional schemes in their pursuit of mayhem. Even hinting that NT might in some way be virus-proof gives people the wrong impression. As Windows NT Server and NT Workstation become more prevalent in the marketplace, so will the number of NT-specific viruses.
When you talk about protecting Windows NT Server against viruses, there are actually two distinct roles that need to be addressed: NT as a file server and NT as a workstation.
Most people use Windows NT Server in some capacity as a file server. Even systems that act primarily as application servers usually play at least a minor role as a file server. Because most viruses infect files and are transmitted by accessing or executing an infected file, one primary duty is to ensure that NT Server is not used as a medium to transmit viruses. It is also important to understand the consequences of viruses passing through NT Server and how it's done. For instance, imagine you are connected to an NT Server from a Windows 95 client and your system gets infected by a virus called X. If the task of virus X is to propagate by infecting all executables on all mounted volumes, it might first infect your local hard disk and then move to volumes mounted from the NT Server. If you have write permission to any executables on the server, such as in a public region, the virus could infect those files. Then when someone else on the network accesses the infected files from the server, their computer could become infected as well. So the virus spreads. In this instance, the NT Server is merely a host to the virus, and the virus cannot harm the NT Server.
However, because Windows NT Server can also be used as a workstation console to execute standard programs, you also have to worry about the possibility of infecting the server from the console. In this instance, you might install a utility on the NT Server console and not realize that the utility has been infected by a virus. Unlike the previous instance, you can actually harm the NT system itself. Additionally, depending on the rights of the user you were logged in as at the time of infection, the virus could infiltrate other files on the server. When a client accesses one of these infected files, it too could become infected. Thus the virus spreads.
For these purposes, I classify viruses into five major types, based on the environment in which they were designed to function. They are MBR viruses, DOS viruses, Windows 3.x viruses, native Windows NT viruses, and macro viruses. In each of the sections, I address how the viruses in that area typically spread, and more importantly, how they could possibly affect Windows NT.
The vast majority of viral infections come from boot sector viruses. These are pieces of viral code that attach themselves to the boot sector of a floppy or hard disk. This boot sector normally contains a small piece of code that is executed when the disk is booted. A boot sector virus typically spreads by attaching a copy of itself onto the boot sector of all currently mounted local disks, such as your hard disk and any floppy disks. Additionally, the boot sector virus keeps a small piece of code resident in memory that is used to infect other disks that are inserted into the computer, thus spreading itself.
The boot sector virus is loaded before any operating system code, and therefore can be considered operating system independent, running on any Intel-compatible system designed for running MS-DOS.
However, there are problems with boot sector viruses and Windows NT. First, when you install Windows NT, it uses its own boot sector code, which differs from the standard DOS code. Most boot sector viruses expect a standard piece of boot code and make assumptions based on this expectation. The problem is when your NT system gets a boot sector virus and you try to boot your system. Depending on the virus, one of two things happens.
If the virus actually makes radical changes to the boot sector (such as encrypting the partition information), then when it passes control to Windows NT for the operating system to begin loading, NT loads a virtualized piece of code that continues the boot process. This differs from traditional DOS methods, where the operating system relies on BIOS-level calls; the virus traps those calls and passes correct information back to the OS, enabling it to boot. However, because NT doesn't rely on these BIOS-level calls, the virus is cut out of the loop. Because the virus has altered the boot information, usually by encryption, NT is unable to continue the boot process and typically dies with a blue screen error message.
The second kind of boot sector virus is similar to the first, except it does not actually make changes to the boot information. In this case, when NT begins loading, it completely ignores the viral code, because it uses its own virtualized code, thus rendering the virus impotent. Unfortunately, this kind of boot sector virus is less common than the previous.
How can NT get infected by a boot sector virus? Typically, there are two ways to get infected by a boot sector virus. The first is by using an infected disk (usually a floppy disk) that drops the virus onto your system. However, when NT is alive, it cannot be infected in this manner because the infection process actually requires writing directly to the hardware, something that is disabled by NT's Hardware Abstraction Layer (HAL). The second way of spreading a boot sector virus is to boot a system from an infected disk. Unfortunately, this often happens because of a user's mistake. More often than not, a user works with a floppy disk, forgets the disk is in the drive, and restarts the system. If this disk is infected and the system reads the boot code, the virus is replicated onto your local hard drives, thus infecting your system. Because NT is not alive at this point, it cannot protect itself. To help guard against this, you might want to disable booting from floppy disks if your hardware supports such an option.
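As an added example (not from this appendix), the following Python script shows the kind of integrity check a defender can run against a raw 512-byte master boot record: it parses the boot code, the four partition entries and the 0x55AA signature, records a baseline from a clean MBR, and reports what changed after a boot sector virus overwrites the boot code or scrambles the partition table. The sample MBR and the tampering routine are constructed for the demonstration; reading the real sector 0 of a disk needs raw device access and is not shown.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"        # last two bytes of a valid MBR


def parse_mbr(sector):
    """Split a raw 512-byte MBR into boot code, partition entries and a signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return boot_code, partitions, sector[510:512] == SIGNATURE


def baseline(sector):
    """Record what a clean MBR looks like: boot-code hash plus the partition table."""
    boot_code, partitions, sig_ok = parse_mbr(sector)
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": partitions, "signature_ok": sig_ok}


def check_mbr(sector, known_good):
    """Compare a freshly read MBR with the baseline; return a list of findings."""
    boot_code, partitions, sig_ok = parse_mbr(sector)
    findings = []
    if not sig_ok:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(boot_code).hexdigest() != known_good["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    for i, (now, before) in enumerate(zip(partitions, known_good["partitions"])):
        if now != before:
            findings.append(f"partition entry {i} changed: {before} -> {now}")
    return findings


def build_sample_mbr():
    """Constructed sample MBR: placeholder boot code and one bootable NTFS partition."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0".ljust(BOOT_CODE_LEN, b"\x00")
    # status 0x80 (active), CHS fields zeroed, type 0x07 (NTFS), LBA 63, 2097089 sectors
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2097089)
    return boot_code + entry + b"\x00" * 48 + SIGNATURE


def tampered_copy(sector):
    """Constructed test input: boot code overwritten and partition entries scrambled."""
    data = bytearray(sector)
    data[:4] = b"\xeb\x1c\x90\x90"          # first boot-code bytes replaced
    for i in range(PART_TABLE_OFF, 510):   # partition table XOR-scrambled
        data[i] ^= 0x5A
    return bytes(data)


if __name__ == "__main__":
    clean = build_sample_mbr()
    base = baseline(clean)
    print("clean MBR findings:", check_mbr(clean, base))
    print("tampered MBR findings:", check_mbr(tampered_copy(clean), base))
```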
Although MBR viruses account for the largest number of infections, they don't account for the largest number of viruses. DOS-based viruses actually make up the largest segment of the virus population. You can further split DOS viruses into two categories: those that load a portion of code into memory, where it can continue to infect other programs, and those that perform their functions only when they are executed.
This distinction is made to identify what effects the viruses can have on Windows NT. The first group, which loads a memory-resident piece of code, was very effective under DOS and Windows 3.x. Because all applications shared a common memory space, which was fully accessible, a simple memory-resident virus could simply "hang out" and infect things at its leisure. This was often done by intercepting various DOS calls and manipulating them in some way. However, things work a little differently under Windows NT, so it is important to realize what can happen. Beginning with version 3.5, NT can run 16-bit programs in a shared address space with other 16-bit programs, or in its own 32-bit virtual DOS machine (VDM). By default, all 16-bit applications run together in a shared VDM. This means that a virus that loads itself as a memory-resident program can affect any other 16-bit application that runs in the shared memory space. However, the virus is completely unaware of any 32-bit processes that are also running on the system and is completely unable to interfere with their operation. Additionally, if you run all 16-bit applications in their own memory space, a virus of this type cannot do its job properly.
However, the situation is a little different with the second type of virus. This other kind of virus typically sits attached to a seemingly normal program or utility and spreads itself, or performs unwanted actions, only when you run the utility. These are often referred to as Trojan horse viruses. Although you can have viruses that work in a combination of these two ways, typically virus writers focus on one or the other distribution method. Very often these viruses perform some sort of direct file manipulation. This takes the form of either corrupting data on the system or replicating their viral code onto other executable files, further spreading the infection. NT is very susceptible to this kind of attack. The main way to limit the impact of this kind of attack is to make sure you never use unknown programs when you are logged on as an administrative user. More importantly, you should limit the kinds of actions you perform at the server's console and limit the access you grant people from the network to the minimum level required. Additionally, you should be sure to install a good virus-scanning program to help watch for these kinds of viruses. See the section, "Commercial Virus Detection Packages," later in this appendix for information on choosing an appropriate virus detection program.
Several viruses out there are targeted for the Windows 3.x environment. Most of these work at least partially, even under Windows NT. This is because NT offers many services that provide down-level compatibility with Windows 3.x. For the most part, these viruses are limited in the same way as the DOS viruses mentioned in the previous section.
Windows 3.x viruses can directly affect only other 16-bit programs running in the same VDM. However, the virus can still alter data, as long as it doesn't try to do so by directly writing to the hardware, and the current user has access permissions to modify the file targeted by the virus.
As of this writing, there are no known viruses that specifically target Windows NT. This could mean either that none have yet been written or that someone has written and released one that was unsuccessful in propagating itself in the outside world.
A virus targeted for Windows NT could take many forms, including a device driver, a dynamic link library (DLL), or a standard executable. Because all these forms contain code segments that get executed, often by the operating system itself, infection through one of these avenues could spread rapidly.
From the server standpoint, it makes sense to set rules and limits as to who can log onto the server's console and what kinds of actions are permitted from the console. Remember, simply denying that NT can become infected does nothing but increase the likelihood that you will become infected.
Macro viruses are the fifth type of virus I discuss here. Until recently, the macro languages included with most applications were not powerful or robust enough to support writing an effective virus. However, many of the more advanced applications that are being developed today include built-in programming capabilities that rival some of the larger development packages. This has recently been demonstrated by the various strains of Microsoft Word viruses, including the so-called Word Concept and Word Nuclear viruses. These viruses transport themselves through Microsoft Word documents. When opened in Word, they perform various actions, including spreading themselves into the user's installation of Word, thus preparing to infect all future documents on the system.
An additional concern is that macro viruses can be cross-platform. The Word Concept virus has the claim to fame of being the first prominent cross-platform virus, because it can infect both Windows and Macintosh systems.
Because most application macro languages support passing execution to an external shell, such as COMMAND.COM or CMD.EXE, the power of the macro virus is not limited to the constraints of the macro language itself.
Using a good anti-virus package is a defense against viruses. However, there is always the possibility that somehow a virus can sneak past your defenses. Following are some ways you can help reduce your risk of infection or help recover your data if your system does get infected by a virus.
One of the best ways to help protect your system against viruses is to implement an effective backup solution. No matter what kind of virus detection software you use, there is always the possibility that a virus could go undetected and you could lose all your data. By incorporating a virus protection strategy into your backup plans, you have a much greater chance of recovering your data if a virus does penetrate your server.
When planning for this contingency in your backup strategy, here are a few points you should note:
For more information about backing up your system, refer to Chapter 23.
If your system is successfully attacked by a Master Boot Record (MBR) virus, NT most likely cannot boot. (For more information about why this is, see the earlier section on MBR viruses.) If your MBR is infected by a virus, you can use an emergency boot disk to get Windows NT up and running. Once NT has begun the boot process, a boot sector virus cannot cause any further damage. I repeat for emphasis: A boot sector virus cannot cause any further damage once NT is booted. This sentence pertains to boot sector viruses only. Other types of viruses can continue to cause further problems, even after NT has booted. Although this gives you the ability to get NT working again, and potentially keep it working until a more convenient time when you can take it down to remove the virus, you should remove the virus as soon as possible! After you have successfully booted NT with the emergency boot disk, you should back up the system before trying to remove the virus.
Please see Chapter 23 for more information on creating an emergency boot floppy disk for Windows NT Server.
Remember that the Emergency Repair Disk contains the most important files that give a unique identity to your NT system. It contains parts of the boot system, as well as key components of the Registry. If your system is attacked by a virus and rendered unable to boot properly, having an up-to-date Emergency Repair Disk is invaluable for getting your system back up and running. Use the RDISK.EXE program to update your Emergency Repair Disk or to create a new one. For more information on creating and using the Emergency Repair Disk, refer to Chapter 23.
Remember, there is a difference between the Emergency Repair Disk and the emergency boot disk referred to in the previous section.
The emergency boot disk contains the key components that enable NT to begin the load process and then hand off control to the appropriate NT installation on your system. It does not contain any of the key registry components that could be useful in reconstructing a corrupted system. This disk is useful if somehow the bootstrap information cannot find a valid NT installation where it expects to.
In contrast, the Emergency Repair Disk is not a bootable disk. To use it, you must boot with the NT installation disk set and choose options to recover your system. This disk is invaluable if your NT installation itself is somehow corrupted.
Using NTFS along with properly implemented security settings can help stop the spread of viruses. NTFS enables you to restrict a user's access to a single file or directory. This restriction is enforced whether the file is accessed from the network or locally. However, NT cannot prevent access to FAT or HPFS partitions from the local system.
Additionally, when accessing HPFS and FAT volumes from a remote system, access restrictions can be assigned only for the entire share at a time. If a user needs to write to a single file on the share, the whole share must be created with write permissions for that user. If you use NTFS, you can restrict a user's write access to all the files except the one he or she needs to be able to write to.
If you want to protect yourself as much as possible from potential Trojan horse viruses, do not use a privileged user account for your day-to-day work. If you execute a Trojan horse virus, the virus has the same level of user privileges as you do. If you have administrative privileges, so does the virus. However, if you are using an unprivileged account, the virus's actions are more limited. For instance, if you were using a privileged account, the virus could potentially create a new user and grant it administrative rights. This account could later be used to further infiltrate your system. If you weren't using a privileged account, the virus could not have performed these actions.
If you must use a privileged user account, never run anything other than the standard administrative utilities or other utilities of known origin that you are sure you can trust!
Warning: It's easy to write a WordBasic or Visual Basic macro that can make changes to the NT user database, so be careful about even opening seemingly innocuous files in Microsoft Word or Excel. To help protect yourself, you might want to use the Word Viewer or disable automatic macro execution in any program that supports macros.
Unfortunately, the future promises more viruses, not fewer. With the number of computers increasing every day, as well as the increasing penetration of computers into the corporate environment, viruses will become the preferred method of espionage and revenge. More powerful multiplatform development tools, as well as prebuilt virus templates, make it easy for anyone with minimal knowledge to create a computer virus. Additionally, as you automate your computing environment through the use of macros, interactive online environments, and more complex personal agents that make your life easier, you also open yourself to new outside threats.
Unlike MS-DOS and Windows 3.x, Windows NT does not ship from Microsoft with any type of anti-virus software. To make matters worse, until recently very few virus packages supported Windows NT. Fortunately, many vendors have come forward to help fill that gap. Today, several virus packages support Windows NT.
Before deciding what anti-virus package you want for your system, you should ask yourself a few questions to make sure you get a package that best fits your needs. When evaluating a virus package for Windows NT, here are some questions you will probably want to ask:
The second function of NT Server is that of a workstation. You want a virus scanner that helps protect you when you log onto the NT Server console. Ideally, it automatically scans any disks you insert for viruses, as well as scanning any programs you run to ensure they are virus-free. Remember what I talked about earlier: if you're logged on as the administrator and run a program that is infected with a virus, the virus is running with administrative privileges!
Following is a list of some of the more common packages on the market with Windows NT support. The level of functionality between the different products varies greatly, so use the questions listed here as a guideline when evaluating these packages for your use.
Vendor: Symantec
Product Name: Norton AntiVirus (NAV) for Windows NT
For more information: http://www.symantec.com
Vendor: McAfee
Product Name: VirusScan for Windows NT
For more information: http://www.McAfee.com
Vendor: S&S International PLC
Product Name: Dr. Solomon's Anti-Virus Kit for Windows NT
For more information: http://www.drsolomon.com
Vendor: Sophos
Product Name: SWEEP
For more information: http://www.sophos.com
Vendor: IBM Corporation
Product Name: IBM AntiVirus
For more information: http://www.brs.ibm.com
Vendor: Data Fellows
Product Name: F-PROT Professional for Windows NT
For more information: http://www.datafellows.com
Vendor: Intel Corporation
Product Name: LANDesk Virus Protect for Windows NT
For more information: http://www.intel.com
Vendor: Carmel Software Engineering
Product Name: Carmel Anti-Virus for Windows NT
For more information: http://fbsolutions.com