FAT32

New Problems for Anti-Virus, or Viruses?

(version 1.01)

Martin G. Overton

Email: Martin@arachnophiliac.com

Tel: +44 (0) 1403 241376

51 Cook Road,
Horsham, West Sussex,
RH12 5GJ, United Kingdom.

Abstract:

The sudden appearance of FAT32 in service pack 2 for Windows '95 has brought some new complications for both viruses and anti-virus software. What's worse is the update is only available to OEMs to ship on new PCs. It's been dubbed Windows '96-and-a-half, as it is just a short stop from Windows '97 (now finally called Windows ’98).

What are the implications of Microsoft's latest addition to the file system format jungle?

Can the existing anti-virus software handle FAT32?

Can the existing boot and partition sector viruses infect FAT32 successfully, and without making the system unbootable or unusable?

Will file-infecting viruses be affected?

This paper aims to deflate the myths, clarify the differences and report the results of testing the above scenarios.


This paper was written for, and presented at, the 1997 Virus Bulletin conference
at San Francisco, USA on October 2nd-3rd 1997.

I would welcome any suggestions for improvement and comments on this paper and its content.

This paper will be updated from time to time.

(Martin Overton 8th October 1997)


Introduction

Although this is intended as a technical paper, where possible full and detailed explanations will be given so that any laypersons that may be reading this (hopefully) won’t be too confused. Anyone with a reasonably technical or support background will find the main content of this paper understandable and maybe a little too basic. The virus specific information and test results will be explained as clearly as possible within limited technical parameters of virus nomenclature and related jargon.

As I began to research this paper I was astonished by the lack of testing of Windows 95 with live viruses running under 95. There are plenty of papers and reviews testing Windows 95 scanners against a test set of viruses, but not when active in memory, only as dormant, inanimate images. Only two other papers were found that tested Windows 95 with viruses allowed to go resident and infect the system, and these used a very small set of viruses for testing.

Before jumping straight into the technical results, let's set the scene, as you may not know about the service releases of Windows ’95 and what these bring to the table. So here goes, a potted history...

What is 95B and OSR 2.x?

Whenever a new operating system is released, inevitably some user somewhere finds a problem, which needs to be fixed. Rather than release a complete new version of the operating system, software providers fix errors through ‘service releases’ also known as ‘service packs’.

Service pack 1, released in January 1996, brought Windows 95 (4.00.950) up to version 95A (4.00.950a). Service pack 2 brings Windows 95 up to 95B (4.00.1111). It was released to OEMs in August ’96 and is not being made generally available. It cannot (legally) be used to upgrade existing machines; it can, however, be purchased with a new hard drive or motherboard. It is mostly only being pre-installed on new PCs, although some parts of OSR2 can be downloaded from Microsoft’s web site for free. (http://www.microsoft.com)

Toshiba, Dell, Compaq and IBM are already pre-installing 95B on new PCs, many other manufacturers and resellers are planning to ship 95B on forthcoming models.

Windows 95 OSR2 is a service release (service release 2) of Windows 95. It includes all of Service Pack 1 and all of the later patches and fixes currently available on the Microsoft Web site, as well as Internet Explorer 3 and Personal Web Server. It also includes several components currently not available for download, including a new file system, FAT32. Other bugs which were present in earlier releases of Windows 95 are fixed in OSR2, though some users complain that other things were broken. C’est la vie!

What is FAT32?

Versions of Windows 95 older than OSR2 (95 and 95A), as well as many DOS versions, use a file system called FAT16 (or FAT12 with DOS 3.30 or earlier versions). The existence of large hard drives has led to large partition sizes, which mean large cluster sizes and wasted space.

To clarify this: imagine a file that is 600 bytes (characters) in size. On a 1GB FAT16 partition this file would take up not 600 bytes but 16KB (16,384 bytes; 1KB = 1,024 characters or ‘bytes’), wasting over 15KB. On a 1GB FAT32 drive the same file would take up 4KB of space, wasting a lot less. Below is a table that shows the cluster size used by different sized drives under FAT16 and FAT32.

Partition Size (FAT16)   Cluster Size   Partition Size (FAT32)   Cluster Size
Up to 128MB              2KB            Less than 260MB          512 Bytes
Up to 256MB              4KB            260MB to 2GB             4KB
Up to 512MB              8KB            8-16GB                   8KB
Up to 1GB                16KB           16-32GB                  16KB
Up to 2GB                32KB           Greater than 32GB        32KB

Although by default, FAT32 will be used on drives over 512MB, it can be forced, though this is not recommended by Microsoft, to work on drives of any size less than 512MB.

To do this you can use FDISK with the /FPRMT switch to enable large disk support (FAT32) on drives smaller than 512MB. This is not for non-expert users, and don’t expect Microsoft to bail you out if you experience problems. There is also a way to specify the cluster size when the drive is formatted (FORMAT /z:n, where n × 512 bytes = cluster size); e.g. FORMAT C: /z:2 would format the C: drive with 1KB clusters. Be warned though, Microsoft will not support cluster sizes of less than 4KB.

FAT32 supports large drives and partitions (up to 2TB (Terabytes)) whereas FAT16 only supports up to 2GB (Gigabytes). Unfortunately FAT32 formatted drives cannot currently be read or written to by NT, DOS or OS/2 and therefore this is seen as a major headache by support staff. Some major PC manufacturers have taken the stance that installing FAT32 on their system would invalidate the warranty.

If you use FAT32 then you can no longer boot to the previous version of DOS as you could with 95A. You can use third-party boot managers, such as: OS/2 boot manager, NT boot manager, etc. As long as you don’t use FAT32 you will still be able to read and write to the Windows 95B drive from other operating systems.

Other file system improvements include: FAT mirroring, backup of critical areas (such as the DBR), relocatable root directory and dynamic resizing of FAT32 partitions.

How Do I Tell If I’ve Got 95B (OSR2.x)?

Typing ‘VER‘ at a DOS prompt inside Windows 95 produces the following version number information:

95 release version:  Windows 95. [Version 4.00.950]   DOS Version: MS-DOS 7.0
95A (OSR1):          Windows 95. [Version 4.00.950]   DOS Version: MS-DOS 7.0
95B (OSR2):          Windows 95. [Version 4.00.1111]  DOS Version: MS-DOS 7.1

How Do I Tell If I’m Running FAT32 On My Drive(s)?

Simply double-click on the ‘My Computer’ icon on the desktop, then right-click on the relevant drive icon and select ‘Properties’. The following dialogue box is shown.

The Type entry clearly shows that this local disk is FAT32, not FAT16 or FAT12.

If you use FDISK to create a partition of greater than 512MB and you enable large disk support, then the drive will be set to FAT32 by default.

Using drives smaller than 512MB, or disabling ‘large disk support’, will ensure that FAT16 is used instead.

Running FDISK on a drive larger than 512MB will display the following message if you have OSR2.x installed.

Your computer has a disk larger than 512 MB. This version of Windows
includes improved support for large disks, resulting in more efficient
use of disk space on large drives, and allowing disks over 2 GB to be
formatted as a single drive.

IMPORTANT: If you enable large disk support and create any new drives on this
disk, you will not be able to access the new drive(s) using other operating
systems, including some versions of Windows 95 and Windows NT, as well as
earlier versions of Windows and MS-DOS. In addition, disk utilites that
were not designed explicitly for the FAT32 file system will not be able
to work with this disk. If you need to access this disk with other operating
systems or older disk utilities, do not enable large drive support.

Do you wish to enable large disk support (Y/N)...........? [N]

FDISK can also be used to check to see if your current drive(s) are formatted as FAT12, FAT16 or FAT32. Selecting option 4 from the menu when FDISK is run shows the following:

Display Partition Information

Current fixed disk drive: 1

Partition  Status  Type     Volume Label  Mbytes  System  Usage
 C: 1        A     PRI DOS  FAT32_C2        1028  FAT32     50%
    2              EXT DOS                  1020            50%

Total disk space is 2047 Mbytes (1 Mbyte = 1048576 bytes)

The Extended DOS Partition contains Logical DOS Drives.

Do you want to display the logical drive information (Y/N)......?[Y]

Press Esc to return to FDISK Options

Why all this fuss?

It seems that Microsoft has once again caused a large amount of confusion regarding its new file system. We only have to look back at the confusion of the average user when HPFS and NTFS were released. Even now many users believe that viruses cannot infect under these file systems. As stated at the 1996 Virus Bulletin conference, "Although Windows NT was designed as a secure operating system, this security does not include viruses"[Jones]. This shows that under NT and NTFS many viruses work fine; others, such as macro viruses, are hardly inconvenienced unless they try to use APIs or OS-specific functions.

Regular lurkers in the Alt.Comp.Virus newsgroup will remember the flurry of posts and threads regarding a certain anti-virus program being criticised for not supporting FAT32. Many came to their defence, such as Vesselin Bontchev, Jimmy Kuo and the incumbent Virus Bulletin editor, Nick Fitzgerald (though at the time he was the Comp.Virus & Virus-L moderator and FAQ maintainer).

Later in this paper I will cover the ‘myths’ some of which were being offered as fact by well-intentioned participants of this newsgroup.

Myth #1?

Windows 95 is so different that viruses cannot infect it.

Of course, in reality very few people now believe this, though this appears to have been one of the common ‘urban myths’ about Windows 95 and its near-magical protection[Whalley]. The reason for the myth is understandable, as Microsoft’s own marketroids insisted that Windows 95 was ‘All New’.

It is perfectly clear that although Windows 95 brings some new challenges to the virus writer, many DOS viruses (including MBR and DBR viruses) work adequately under Windows 95 and FAT32. In fact, macro viruses are the group of viruses least troubled and inconvenienced by FAT32. Only those that use APIs and other operating-system-specific calls are likely to fail.

Microsoft’s claim that Windows 95 was ‘All New’ was, to say the least, misleading. Bear in mind that Microsoft tried extremely hard to support the vast majority of legacy Windows 3.x and DOS applications, and to be fair they succeeded to a great extent, but at what cost?

Windows 95 still runs on DOS, it’s DOS 7.0, but it’s still DOS with many of its legacy faults that the virus writers can use to their benefit and to your detriment.

Effects on Anti-Virus software?

Anti-virus product              DBR infector removal  MBR infector removal
McAfee 3.0.3                    Y                     Y
  Comments: FAT32 support. Ghost positive when trying to remove MBR infector!
Dr. Solomon’s 7.72              Y                     Y
  Comments: The Magic Bullet natively supports FAT32.
F-Prot 2.27                     N                     Y
  Comments: ‘Error reading DBR’ message on infected FAT32 DBR.
Thunderbyte 8.02                N                     N
  Comments: Access denied when accessing infected FAT32 DBR or MBR.
Symantec anti-virus (NAV 3.0)   Y                     Y
  Comments: ‘Invalid media type reading drive C. Abort, Retry, Fail.’ Only continues and
  removes the DBR infector if Fail is selected. Ghost positive when trying to remove MBR
  infector! FAT32 support.
AVP 3.0                         N                     Y
  Comments: DBR detected but not removed.
Sophos Sweep 3.00               N                     N
  Comments: ‘Bad Logical Sector C:|0’ message when trying to remove DBR infector.
  Detected MBR infector but would not disinfect.
VET 9.44                        Y                     Y
  Comments: Native FAT32 support. No problems encountered.

Effects of Boot Sector [DBR] viruses?

Putting the Boot in

Boot sector [DBR] viruses infect the computer when an attempt is made to boot it from an infected floppy diskette (assuming that the CMOS boot sequence is the standard A: then C:. If it’s set to C: then A:, then standard DBR (and MBR) viruses (excluding droppers) don’t stand a chance[Overton]). The virus in the infected diskette boot sector will try to go resident and infect the DBR of the hard disk. If it is successful, and the virus can operate correctly on the host operating system, then the virus will try to infect any diskette that is not write protected when it is accessed in the floppy drives of the system.

FAT16 DBR Viruses vs. FAT32

It is not surprising that this group of viruses has the most profound impact on FAT32 partitions, as the DOS Boot Record has been radically changed. "The boot record on FAT32 drives is greater than 1 sector. In addition, there is a sector in the reserved area on FAT32 drives that contains values for the count of free clusters and the cluster number of the most recently allocated cluster"[MS].
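As an added example (not code from the paper or from Microsoft), the following Python parses a raw DOS Boot Record, classifies it as FAT12/16/32 by cluster count as Microsoft's FAT specification prescribes rather than trusting the label string, and reports the cluster size, the slack a 600-byte file would waste (the comparison made in the "What is FAT32?" section), and for FAT32 the FSInfo and backup boot sector numbers that a FAT16-era tool does not know about. The two boot sectors are constructed sample data, not images of real disks.

```python
import struct

# BIOS Parameter Block (BPB) fields common to FAT12/16/32, boot sector offsets 0..35.
_COMMON = "<3s8sHBHBHHBHHHII"
_COMMON_NAMES = ("Jmp", "OEM", "BytsPerSec", "SecPerClus", "RsvdSecCnt", "NumFATs", "RootEntCnt",
                 "TotSec16", "Media", "FATSz16", "SecPerTrk", "NumHeads", "HiddSec", "TotSec32")
# FAT32-only extension at offset 36: the FAT size becomes 32-bit, the root directory is a
# cluster chain, and FSInfo/BkBootSec name the extra reserved-area sectors the paper mentions.
_EXT32 = "<IHHIHH12sBBBI11s8s"
_EXT32_NAMES = ("FATSz32", "ExtFlags", "FSVer", "RootClus", "FSInfo", "BkBootSec", "Reserved",
                "DrvNum", "Reserved1", "BootSig", "VolID", "VolLab", "FilSysType")
# FAT12/16 extension at the same offset 36 (no FAT32 fields at all).
_EXT16 = "<BBBI11s8s"
_EXT16_NAMES = ("DrvNum", "Reserved1", "BootSig", "VolID", "VolLab", "FilSysType")


def parse_boot_sector(sector: bytes) -> dict:
    """Classify a 512-byte DBR by cluster count (the test Microsoft's FAT specification
    prescribes; the 'FAT32   ' label string is informational only) and report the
    fields that decide whether a FAT16-era tool can safely rewrite this sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector: 0x55AA signature missing")
    bpb = dict(zip(_COMMON_NAMES, struct.unpack_from(_COMMON, sector, 0)))
    if bpb["BytsPerSec"] == 0 or bpb["SecPerClus"] == 0:
        raise ValueError("BPB has a zero sector or cluster size")
    if bpb["FATSz16"] == 0:   # FAT32 layout: FAT size lives in the 32-bit field
        bpb.update(zip(_EXT32_NAMES, struct.unpack_from(_EXT32, sector, 36)))
        fat_sz = bpb["FATSz32"]
    else:
        bpb.update(zip(_EXT16_NAMES, struct.unpack_from(_EXT16, sector, 36)))
        fat_sz = bpb["FATSz16"]
    tot_sec = bpb["TotSec16"] or bpb["TotSec32"]
    root_dir_secs = (bpb["RootEntCnt"] * 32 + bpb["BytsPerSec"] - 1) // bpb["BytsPerSec"]
    data_secs = tot_sec - (bpb["RsvdSecCnt"] + bpb["NumFATs"] * fat_sz + root_dir_secs)
    clusters = data_secs // bpb["SecPerClus"]
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    info = {"type": fat_type, "clusters": clusters,
            "cluster_bytes": bpb["BytsPerSec"] * bpb["SecPerClus"],
            "label": bpb["VolLab"].decode("ascii", "replace").strip()}
    if fat_type == "FAT32":
        # Partition-relative sector numbers of the FSInfo sector (free-cluster count and
        # most recently allocated cluster) and of the backup copy of the boot record.
        info["fsinfo_sector"] = bpb["FSInfo"]
        info["backup_boot_sector"] = bpb["BkBootSec"]
    return info


def slack_bytes(file_size: int, cluster_bytes: int) -> int:
    """Bytes wasted because a file always occupies whole clusters."""
    return -(-file_size // cluster_bytes) * cluster_bytes - file_size


def _sample_dbr(common, ext_fmt, ext) -> bytes:
    """Build a constructed 512-byte DBR from BPB values (sample data, not a real disk)."""
    sec = bytearray(512)
    struct.pack_into(_COMMON, sec, 0, *common)
    struct.pack_into(ext_fmt, sec, 36, *ext)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


# Constructed 1028 MB FAT32 volume: 4 KB clusters, 32 reserved sectors, FSInfo in sector 1,
# backup boot sector in sector 6 (the "greater than 1 sector" boot record the paper quotes).
FAT32_DBR = _sample_dbr(
    (b"\xEB\x58\x90", b"MSWIN4.1", 512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255, 63, 2105344),
    _EXT32, (2056, 0, 0, 2, 1, 6, bytes(12), 0x80, 0, 0x29, 0x12345678, b"FAT32_C2   ", b"FAT32   "))
# Constructed 1 GB FAT16 volume with 16 KB clusters, for comparison.
FAT16_DBR = _sample_dbr(
    (b"\xEB\x3C\x90", b"MSWIN4.1", 512, 32, 1, 2, 512, 0, 0xF8, 256, 63, 255, 63, 2097152),
    _EXT16, (0x80, 0, 0x29, 0x0BADF00D, b"FAT16_C    ", b"FAT16   "))

if __name__ == "__main__":
    for dbr in (FAT32_DBR, FAT16_DBR):
        info = parse_boot_sector(dbr)
        print(info, "- a 600-byte file wastes", slack_bytes(600, info["cluster_bytes"]), "bytes")
```

A boot-sector disinfector that rewrites sector 0 with a FAT16-sized BPB, ignoring FSInfo and the backup boot sector, is exactly the failure mode the removal table above records.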

To date (July 97) no FAT32-specific DBR infectors exist. This is not to say that they won’t be created, as virus writers seem to fight to be the first to infect new operating systems or to use new techniques. I predict that we will see a FAT32-specific or FAT16/FAT32 DBR infector before the end of this year, if not sooner. After that happens, it is only a matter of time before the first multipartite virus that can infect the FAT32 DBR is released.

Infected DBR or MBR? Confused? You Will Be!

When Windows 95 is infected by a DBR or MBR infector, and is first booted, in most cases the following dialogue box is displayed.


Fig 1

Bear in mind that this is only displayed the first time after the original infection. This dialogue box is a step in the right direction for Microsoft, as it actually mentions the word ‘Virus’. This may encourage an infected user to actually use some anti-virus software to check their system for viruses, or maybe not.

The confusing part of this story is that if the DBR is infected this message is also displayed. I would have expected Microsoft to know the difference between a DBR and an MBR, obviously this is not the case!

Many users would simply ignore this message and carry on regardless.

If you select the Yes button on this dialogue box you will see the following detailed dialogue box.


Fig 2

As you can clearly see, this informs you that your system is using MS-DOS compatibility mode for both the File System and Virtual Memory.

It also offers the following information, which the user should be more than a little curious to read, especially as it states:

‘Compatibility mode paging reduces overall system performance’

and

‘Master Boot Record modified --SEE IMPORTANT DETAILS’.

On most systems that are properly configured and not infected by one of the many MBR or DBR viruses, the following dialogue box would be shown instead.


Fig 3

This dialogue box clearly shows that 32-bit access to Virtual Memory and the File System is being used.

It has been said many times that Microsoft looks toward functionality first; security has always been the poor relation, and it seems that it is almost an afterthought. Some of you may feel that I am understating this point.

Microsoft has recently been talking to many of the anti-virus industry’s largest players to form a working party on macro virus issues with Microsoft products. I look forward to the outcome of this undertaking. Unfortunately (for the end user) I predict any expectations will fall short, and the anti-virus industry will be required to charge to the rescue again to thwart the virus foe.

Myth #2?

DBR viruses cannot be removed from FAT32 partitions by non-FAT32 compatible anti-virus software.

Currently there are no FAT32-specific viruses, which is not to say that they will not be created in the future. Non-FAT32-compatible scanners appear to be unable to successfully remove the current FAT16 DBR viruses.

My findings with the DBR infectors and scanners tested for this paper appear to validate this supposed myth! Disconcertingly, my results with genuine infections appear to be the complete opposite of some postings by notable researchers on the Alt.Comp.Virus newsgroup.

Is the truth out there?

Test Results

Swiss-Boot.A resisted all attempts to remove it by anti-virus software. It had to be manually removed using SYS C: after booting from a clean boot disk and locking the C: drive with the LOCK C: command.

FORM.A was also resistant to removal, only being successfully removed using Dr. Solomon’s Magic Bullet, McAfee 3.0.3 and Vet 9.44, which are all FAT32 aware.

Although some researchers insist that DBR infectors can be removed from FAT32 drives by FAT16 compatible scanners, my tests seem to indicate the opposite. This obviously needs more investigation.

Virus [3]      Infected OK?  Detected by ’95?                    Clean Boot?          Removal?
Boot-437       Y             Asks for COMMAND.COM                Y                    Y
  Comments: Only removed by Dr. Solomon’s Magic Bullet, which is FAT32 compatible.
  Still infected other floppies.
Form.A         Y             Asks for COMMAND.COM                Y (Invalid Media)    Y
  Comments: Only removed by Dr. Solomon’s Magic Bullet, which is FAT32 compatible.
  Still infected other floppies.
Swiss-Boot.A   Y             While initializing VBACKUP could    Y                    Y
                             not load VFD.VXD (Hang)
  Comments: Any attempt to SYS or remove this virus after a clean boot resulted in a
  message indicating that the drive was locked. Clean booting, using the LOCK C: command
  and then running SYS C: cleared the virus correctly. Dr. Solomon’s Magic Bullet reported
  that the drive was write protected.

Effects of Partition Sector [MBR] viruses?

Myth #3

MBR viruses cannot be removed from FAT32 partitions by non-FAT32 compatible anti-virus software.

After Myth #2 you might think, and you’d be excused for thinking, that this would be correct. Luckily, for most MBR infectors this is not the case. In testing, all the MBR viruses were successfully removed without incident. Why is this the case, when DBR viruses refused to give up without a struggle?

The simple answer is that the MBR under FAT32 is practically the same as under DOS 6.0. Therefore, currently non-FAT32 compatible scanners can (in almost all cases) safely remove MBR viruses from FAT32 drives.

Test Results

This was an interesting group of viruses, especially as all of them were unable to infect floppy disks from within the Windows 95 GUI or DOS boxes run within it. (While I was completing this paper, a new MBR infector was reported that could infect from within the Windows 95 GUI, the virus is known as Dodgy or Ravage[Dr. Sol]). The greatest surprise was how badly some of the MBR viruses fared when trying to infect in ‘MS-DOS Compatibility Mode’ and/or the ‘Command Prompt Only’ boot option mode.

STOP PRESS: Dodgy has been tested and the results added to the table below. This MBR infector can infect floppy disks in all the test modes. It does this by deleting the HSFLOP.PDR file from the WINDOWS\SYSTEM\IOSUBSYS directory. This simply removes the 32-bit floppy driver support, so that the next time Windows ‘95 starts, the floppy drive is accessed using standard DOS BIOS routines instead. This type of attack is not new; the Hare family of viruses used this method too. In the tests carried out for this paper, however, all Hare samples tested failed to go resident and infect the MBR or any files.

One thing to bear in mind: just because an MBR infector can’t spread does not mean it is not a threat. Take Kampana as an example. Even though it failed to replicate in testing, as confirmed by at least one third party[Emm], its payload will almost certainly still trigger (after 400 reboots, it overwrites the hard disk with garbage, then displays its message). Others that refused to spread include: AntiCMOS.A, Jumper.A, Stoned.Standard.A and V-Sign.A.

Some of the test group offered ‘General Failure Reading Drive A:’ messages, these were: Michelangelo, ExeBug.C and Stoned.16.

Quox refused to allow Windows 95 to boot, and would only infect floppy disks entered during the ‘Diskette Read Failure’ message, which could not be bypassed.

Those that performed best, infecting on both 3 & 4, were: AntiEXE.A, Leandro, ParityBoot.B, Ripper, Sampo, Stoned.Azuza, Stoned.Angelina, W-Boot.A and Welcomb.

There were a number of MBR infectors that would only infect under condition 4, these include: Monkey.B, NYB, and Stealth_Boot.C.

All of those that successfully infected the MBR and went resident, apart from Jumper.A, caused Windows 95 to report that the MBR had been changed (Fig 1), which dropped the Windows 95 file and memory system mode from 32-bit (Fig 3) into MS-DOS Compatibility mode (Fig 2). Interestingly, even though the hard drive is in MS-DOS mode, the floppy driver is still running in 32-bit mode[CN] (that is why the floppy disks are not infected within the GUI by the viruses tested, even though they infected the hard drive’s MBR and are resident).

Why did Windows 95 detect the change for all of the viruses that infected the MBR and went resident, except Jumper.A? The answer isn’t all that mystical: all the other tested MBR infectors hook Int 13h, and Windows 95 actually monitors the Int 13h vector code for modifications (not the actual MBR or DBR), as a hooked Int 13h will affect its ability to drive the hardware directly. Not surprisingly, most MBR infectors do just that. Jumper.A, on the other hand, hooks Int 21h rather than Int 13h; this means that Windows 95 can’t see the change and therefore the warning messages are not shown.

Filler.A, Chinese-Fish and both Hare samples refused even to go resident, let alone infect the test system’s MBR.

On a clean boot all was fine except as expected for Monkey.B (as it encrypts the MBR), and ExeBug.C (Invalid drive specification when accessing drive C:). Even given these errors, the viruses were still correctly and easily removed, even with non-FAT32 specific scanners.

A number of the test set hung after infecting the hard drive, instead of giving the more usual ‘Invalid system disk. Replace the disk, and press any key’ or ‘Non-system disk or disk error. Replace and strike any key when ready’ messages. This simply needed the system to be rebooted for Windows 95 to load as normal, except for the warning messages (Fig 1 and Fig 3). The viruses exhibiting this phenomenon were: AntiCMOS.A, Leandro, Parity_Boot.B and Stoned.16.

The really interesting results are when these test results are compared to tests conducted by Ian Whalley[Whalley]. All the MBR and DBR viruses he tested replicated under FAT16 [4.00.950]. The viruses he tested were: AntiCMOS, AntiEXE, Monkey.B, Form, Jumper.B, NYB, ParityBoot.B, Quandry, Sampo, Stoned.Angelina and V-Sign.

Yet in another test conducted [VB2], Jumper failed to infect other floppies, as was also found in the tests carried out for this paper. On the other hand, Kampana and V-Sign apparently did replicate in the same test conducted by Virus Bulletin, but failed to when tested for this paper!

But if we look closer, these tests[VB2] were done on a pre-release version of Windows 95 [4.00.347], and this may go some way to explain the anomalies found in this and other tests by Ian Whalley [4.00.950][Whalley] and David Emm [4.00.950][Emm] when compared with the later version of Windows 95 tested for this paper [4.00.1111].

As you can see, the results are somewhat different. Are the different results due to FAT32 and/or other changes in OSR 2.x, or something else? I feel that more testing is required to get the definitive answer, and unfortunately this is beyond the scope of this paper.

Virus [31]       Infected OK?  Detected by ’95?  Clean Boot?                       Removal?
AntiCMOS.A       Y (Hang)      Y                 Y                                 Y
  Comments: Won’t infect another floppy at all.
AntiEXE.A        Y             Y                 Y                                 Y
  Comments: Infects on 3 & 4.
Chinese Fish     N (Hang)
Dodgy (Ravage)   Y             Y                 Y                                 Y
  Comments: 1 & 2 only on next restart (deletes HSFLOP.PDR); 3 & 4 straight after infection.
ExeBug.C         Y             Y                 Invalid drive specification       Y
                                                 when accessing drive C:
  Comments: Removed A: drive entry from CMOS. Infects on 3 only; General failure reading
  drive A on 4.
Filler.A         N
  Comments: Won’t infect MBR or go resident.
Hare.7610        N
  Comments: Won’t infect MBR or go resident.
Hare.7786        N (Hang)
  Comments: Won’t infect MBR or go resident.
Jumper.A         Y             N                 Y                                 Y
  Comments: Won’t infect another floppy at all.
Kampana.A        Y             Y                 Y                                 Y
  Comments: Won’t infect another floppy at all.
Leandro          Y (Hang)      Y                 Y                                 Y
  Comments: Infects on 3 & 4.
Michelangelo     Y