FAT32 New Problems for Anti-Virus, or Viruses? (version 1.01)
Martin G. Overton, ChekWARE Virus Researcher and Author of ChekMate.
Email: ChekWARE@Cavalry.com Tel: +44 (0) 1403 241376
51 Cook Road,
Abstract: The sudden appearance of FAT32 in service pack 2 for Windows '95 has brought some new complications for both viruses and anti-virus software. What's worse is that the update is only available to OEMs to ship on new PCs. It's been dubbed Windows '96-and-a-half, as it is just a short stop from Windows '97 (now finally called Windows 98). What are the implications of Microsoft's latest addition to the file system format jungle? Can the existing anti-virus software handle FAT32? Can the existing boot and partition sector viruses infect FAT32 successfully, and without making the system unbootable or unusable? Will file-infecting viruses be affected? This paper aims to deflate the myths, clarify the differences and report the results of testing the above scenarios.

This paper was written for, and presented at, the 1997 Virus Bulletin conference. I would welcome any suggestions for improvement and comments on this paper and its content. This paper will be updated from time to time. (Martin Overton, 8th October 1997)
Introduction

Although this is intended as a technical paper, where possible full and detailed explanations will be given so that any laypersons who may be reading this (hopefully) won't be too confused. Anyone with a reasonably technical or support background will find the main content of this paper understandable and maybe a little too basic. The virus-specific information and test results will be explained as clearly as possible within the limited technical parameters of virus nomenclature and related jargon.

As I began to research this paper I was astonished by the lack of testing of Windows 95 with live viruses running under 95. There are plenty of papers and reviews testing Windows 95 scanners against a test set of viruses, but not when active in memory, only as dormant, inanimate images. Only two other papers were found that tested Windows 95 with viruses allowed to go resident and infect the system, and these used a very small set of viruses for testing. Before jumping straight into the technical results, let's set the scene, as you may not know about the service releases of Windows 95 and what these bring to the table. So here goes, a potted history...
What is 95B and OSR 2.x?

Whenever a new operating system is released, inevitably some user somewhere finds a problem which needs to be fixed. Rather than release a complete new version of the operating system, software providers fix errors through service releases, also known as service packs. Service pack 1, released in January 1996, brought Windows 95 (4.00.950) up to version 95A (4.00.950a). Service pack 2, released to OEMs in August 96, brings Windows 95 up to 95B (4.00.1111); it is not being made generally available. It cannot (legally) be used to upgrade existing machines; it can, however, be purchased with a new hard drive or motherboard. It is mostly only being pre-installed on new PCs, although some parts of OSR2 can be downloaded from Microsoft's web site for free (http://www.microsoft.com). Toshiba, Dell, Compaq and IBM are already pre-installing 95B on new PCs; many other manufacturers and resellers are planning to ship 95B on forthcoming models.

Windows 95 OSR2 is a service release (service release 2) of Windows 95. It includes all of Service Pack 1 and all of the later patches and fixes currently available on the Microsoft web site, as well as Internet Explorer 3 and Personal Web Server. It also includes several components currently not available for download, including a new file system, FAT32. Other bugs which were present in earlier releases of Windows 95 are fixed in OSR2, though some users complain that other things were broken. C'est la vie!
What is FAT32?

Versions of Windows 95 older than OSR2 (95 and 95A), as well as many DOS versions, use a file system called FAT16 (or FAT12 with DOS 3.30 or earlier versions). The existence of large hard drives has led to large partition sizes, which mean large cluster sizes and wasted space. To clarify this: imagine a file that is 600 bytes (characters) in size. On a 1GB FAT16 partition this file would take up not 600 bytes but 16KB (16,384 characters; 1KB = 1,024 characters or bytes), wasting over 15KB. On a 1GB FAT32 drive the same file would take up 4KB of space, wasting a lot less. Below is a table that shows the cluster size used by different sized drives under FAT16 and FAT32.
Although by default FAT32 will be used on drives over 512MB, it can be forced (though this is not recommended by Microsoft) to work on drives of any size less than 512MB. To do this you can use FDISK with the /FPRMT switch to enable large disk support (FAT32) on drives smaller than 512MB. This is not for non-expert users, and don't expect Microsoft to bail you out if you experience problems. There is also a way to specify the cluster size when the drive is formatted (FORMAT /z:n, where n * 512 bytes = cluster size; e.g. FORMAT C: /z:2 would format the C: drive with 1KB clusters). Be warned though, Microsoft will not support cluster sizes of less than 4KB.

FAT32 supports large drives and partitions (up to 2TB (Terabytes)) whereas FAT16 only supports up to 2GB (Gigabytes). Unfortunately FAT32 formatted drives cannot currently be read or written to by NT, DOS or OS/2, and therefore this is seen as a major headache by support staff. Some major PC manufacturers have taken the stance that installing FAT32 on their system would invalidate the warranty. If you use FAT32 then you can no longer boot to the previous version of DOS as you could with 95A. You can use third-party boot managers, such as the OS/2 boot manager, NT boot manager, etc. As long as you don't use FAT32 you will still be able to read and write to the Windows 95B drive from other operating systems. Other file system improvements include: FAT mirroring, backup of critical areas (such as the DBR), a relocatable root directory and dynamic resizing of FAT32 partitions.
How Do I Tell If I've Got 95B (OSR2.x)?

Typing VER at a DOS prompt inside Windows 95 produces the following version number information:
How Do I Tell If I'm Running FAT32 On My Drive(s)?

Simply double-click on the My Computer icon on the desktop, then right-click on the relevant drive icon and select Properties; the following dialogue box will be shown.

The Type entry clearly shows that this local disk is FAT32, not FAT16 or FAT12. If you use FDISK to create a partition of greater than 512MB and you enable large disk support, then the drive will be set to FAT32 by default. Drives smaller than 512MB, or disabling large disk support, will ensure that FAT16 is used instead. Running FDISK on a drive larger than 512MB will display the following message if you have OSR2.x installed.

FDISK can also be used to check whether your current drive(s) are formatted as FAT12, FAT16 or FAT32. Selecting option 4 from the menu when FDISK is run shows the following:
Why all this fuss?

It seems that Microsoft have once again caused a large amount of confusion regarding its new file system. We only have to look back at the confusion of the average user when HPFS and NTFS were released. Even now many users believe that viruses cannot infect under these file systems. As stated at the 1996 Virus Bulletin conference, "Although Windows NT was designed as a secure operating system, this security does not include viruses" [Jones]. This shows that with NT and NTFS many viruses work fine; others, such as macro viruses, are hardly inconvenienced unless they try to use APIs or OS-specific functions. Regular lurkers in the Alt.Comp.Virus newsgroup will remember the flurry of posts and threads regarding a certain anti-virus program being criticised for not supporting FAT32. Many came to their defence, such as Vesselin Bontchev, Jimmy Kuo and the incumbent Virus Bulletin editor, Nick Fitzgerald (though at the time he was the Comp.Virus and Virus-L moderator and FAQ maintainer). Later in this paper I will cover the myths, some of which were being offered as fact by well-intentioned participants of this newsgroup.
Myth #1? Windows 95 is so different that viruses cannot infect it.

Of course, in reality very few people now believe this, though this appears to have been one of the common urban myths about Windows 95 and its near magical protection [Whalley]. The reason for the myth is understandable, as Microsoft's own marketroids insisted that Windows 95 was All New. It is perfectly clear that although Windows 95 brings some new challenges to the virus writer, many DOS viruses (including MBR and DBR viruses) work adequately under Windows 95 and FAT32. In fact macro viruses are the group of viruses least troubled and inconvenienced by FAT32. Only those that use APIs and other operating system specific calls are likely to fail. Microsoft's claim that Windows 95 was All New was, to say the least, misleading. Bear in mind that Microsoft tried extremely hard to support the vast majority of legacy Windows 3.x and DOS applications, and to be fair, to a great extent they succeeded, but at what cost? Windows 95 still runs on DOS. It's DOS 7.0, but it's still DOS, with many of its legacy faults that the virus writers can use to their benefit and to your detriment.
Effects on Anti-Virus software?
Effects of Boot Sector [DBR] viruses?

Putting the Boot in

Boot sector [DBR] viruses infect the computer when an attempt is made to boot from an infected floppy diskette (assuming that the CMOS boot sequence is the standard A: then C:. If it's set to C: then A:, then standard DBR (and MBR) viruses (excluding droppers) don't stand a chance [Overton]). The virus in the infected diskette boot sector will try to go resident and infect the DBR of the hard disk. If successful, and the virus can operate correctly on the host operating system, then the virus will try to infect any diskette that is not write-protected when it is accessed in the floppy drives of the system.
FAT16 DBR Viruses vs. FAT32

It is not surprising that this group of viruses has the most profound impact on FAT32 partitions, as the DOS Boot Record has been radically changed. "The boot record on FAT32 drives is greater than 1 sector. In addition, there is a sector in the reserved area on FAT32 drives that contains values for the count of free clusters and the cluster number of the most recently allocated cluster" [MS]. To date (July 97) no FAT32-specific DBR infectors exist. This is not to say that they won't be created, as virus writers seem to fight to be the first to infect new operating systems or to use new techniques. I predict that we will see a FAT32-specific or FAT16/FAT32 DBR infector before the end of this year, if not sooner. It is only a matter of time after that happens before the first multi-partite virus that can infect the FAT32 DBR will be released.
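As an added illustration (not code from the paper), the following Python shows how the FAT type described in the "What is FAT32?" and "How Do I Tell" sections is actually decided from the BIOS Parameter Block, and how the FAT32 reserved area just quoted (a multi-sector boot record, the FSInfo sector with its free-cluster and next-free values, and the backup copy of the DBR) can be checked: comparing the primary boot sector with its backup copy is one way a defender can spot a DBR that has been altered. The boot sectors and reserved-area image are constructed inline; offsets follow the standard FAT BPB layout, and the 1 GB volume sizes match the paper's cluster-size example.

```python
import struct

SECTOR = 512  # sector size assumed for the constructed images below


def bpb_fields(boot: bytes) -> dict:
    """Decode the BIOS Parameter Block fields needed to classify a volume."""
    (bps, spc, rsvd, nfats, root_ents, tot16, _media, fatsz16,
     _spt, _heads, _hidden, tot32) = struct.unpack_from("<HBHBHHBHHHII", boot, 0x0B)
    fatsz32 = struct.unpack_from("<I", boot, 0x24)[0]  # only meaningful when FATSz16 == 0
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": rsvd, "num_fats": nfats, "root_entries": root_ents,
            "total_sectors": tot16 or tot32, "fat_sectors": fatsz16 or fatsz32}


def fat_type(boot: bytes) -> str:
    """FAT12/16/32 is decided by the data-cluster count, not by the 'FATxx' label."""
    f = bpb_fields(boot)
    bps = f["bytes_per_sector"]
    root_dir_sectors = (f["root_entries"] * 32 + bps - 1) // bps  # 0 on FAT32
    data_sectors = f["total_sectors"] - (
        f["reserved_sectors"] + f["num_fats"] * f["fat_sectors"] + root_dir_sectors)
    clusters = data_sectors // f["sectors_per_cluster"]
    if clusters < 4085:
        return "FAT12"
    return "FAT16" if clusters < 65525 else "FAT32"


def check_boot_area(image: bytes) -> dict:
    """Report FAT type and cluster size; on FAT32 also validate the FSInfo sector
    and compare the primary boot sector with its backup copy in the reserved area."""
    boot = image[:SECTOR]
    if boot[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot-sector signature")
    f = bpb_fields(boot)
    result = {"type": fat_type(boot),
              "cluster_bytes": f["sectors_per_cluster"] * f["bytes_per_sector"],
              "fsinfo_valid": None, "free_clusters": None, "next_free": None,
              "backup_matches": None}
    if result["type"] != "FAT32":
        return result  # FAT12/16: single-sector DBR, no FSInfo, no backup copy
    fsinfo_sec, backup_sec = struct.unpack_from("<HH", boot, 0x30)
    fsinfo = image[fsinfo_sec * SECTOR:(fsinfo_sec + 1) * SECTOR]
    lead = struct.unpack_from("<I", fsinfo, 0)[0]
    struc, free, nxt = struct.unpack_from("<III", fsinfo, 0x1E4)
    trail = struct.unpack_from("<I", fsinfo, 0x1FC)[0]
    result["fsinfo_valid"] = (lead, struc, trail) == (0x41615252, 0x61417272, 0xAA550000)
    result["free_clusters"], result["next_free"] = free, nxt
    # Sector 0 and its backup should be byte-identical; the FSInfo copy is not
    # compared because its counters legitimately change during normal use.
    backup = image[backup_sec * SECTOR:(backup_sec + 1) * SECTOR]
    result["backup_matches"] = backup == boot
    return result


def build_fat16_boot_sector() -> bytes:
    """Constructed 1 GB FAT16 boot sector: 32 sectors per cluster, i.e. 16 KB clusters."""
    boot = bytearray(SECTOR)
    boot[0:3], boot[3:11] = b"\xEB\x3C\x90", b"MSWIN4.1"
    struct.pack_into("<HBHBHHBHHHII", boot, 0x0B,
                     512, 32, 1, 2, 512, 0, 0xF8, 256, 63, 255, 63, 2097152)
    boot[0x26], boot[0x36:0x3E] = 0x29, b"FAT16   "
    boot[0x1FE:0x200] = b"\x55\xAA"
    return bytes(boot)


def build_fat32_image(tamper: bool = False) -> bytes:
    """Constructed reserved area of a 1 GB FAT32 volume: boot sector, FSInfo at
    sector 1, backup boot record at sector 6. tamper=True alters sector 0 only."""
    boot = bytearray(SECTOR)
    boot[0:3], boot[3:11] = b"\xEB\x58\x90", b"MSWIN4.1"
    struct.pack_into("<HBHBHHBHHHII", boot, 0x0B,
                     512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255, 63, 2097152)
    # FATSz32, ExtFlags, FSVer, RootClus, FSInfo sector, BkBootSec
    struct.pack_into("<IHHIHH", boot, 0x24, 2048, 0, 0, 2, 1, 6)
    boot[0x42], boot[0x52:0x5A] = 0x29, b"FAT32   "
    boot[0x5A:0x5E] = b"\x33\xC9\x8E\xD1"  # stand-in for the start of the boot code
    boot[0x1FE:0x200] = b"\x55\xAA"
    fsinfo = bytearray(SECTOR)
    struct.pack_into("<I", fsinfo, 0, 0x41615252)
    struct.pack_into("<III", fsinfo, 0x1E4, 0x61417272, 250000, 1234)  # free, next free
    struct.pack_into("<I", fsinfo, 0x1FC, 0xAA550000)
    image = bytearray(32 * SECTOR)
    image[0:SECTOR], image[SECTOR:2 * SECTOR] = boot, fsinfo
    image[6 * SECTOR:7 * SECTOR], image[7 * SECTOR:8 * SECTOR] = boot, fsinfo
    if tamper:
        image[0x5A:0x5E] = b"\x90\x90\x90\x90"  # constructed change to the primary DBR
    return bytes(image)


if __name__ == "__main__":
    print(check_boot_area(build_fat16_boot_sector()))
    print(check_boot_area(build_fat32_image()))
    print(check_boot_area(build_fat32_image(tamper=True)))
```

On a real volume the same checks apply to the first sector of the partition (the DBR) and, for FAT32, to the sectors at the FSInfo and BkBootSec offsets within its reserved area.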
Infected DBR or MBR? Confused? You Will Be!

When Windows 95 is infected by a DBR or MBR infector and is first booted, in most cases the following dialogue box is displayed.

Bear in mind that this is only displayed the first time after the original infection. This dialogue box is a step in the right direction for Microsoft, as it actually mentions the word Virus. This may encourage an infected user to actually use some anti-virus software to check their system for viruses, or maybe not. The confusing part of this story is that if the DBR is infected this message is also displayed. I would have expected Microsoft to know the difference between a DBR and an MBR; obviously this is not the case! Many users would simply ignore this message and carry on regardless. If you select the Yes button on this dialogue box you will see the following detailed dialogue box.

As you can clearly see, this informs you that your system is using the MS-DOS compatibility mode for both the File System and Virtual Memory. It also offers the following information, which the user should be more than a little curious to read, especially as it states: Compatibility mode paging reduces overall system performance and Master Boot Record modified --SEE IMPORTANT DETAILS. On most systems that are properly configured and not infected by one of the many MBR or DBR viruses, the following dialogue box would be shown instead.

This dialogue box clearly shows that 32-bit access to Virtual Memory and the File System is being used. It has been said many times that Microsoft looks toward functionality first; security has always been the poor relation, and it seems that it is almost an afterthought. Some of you may feel that I am understating this point. Microsoft has recently been talking to many of the anti-virus industry's largest players to form a working party on macro virus issues with Microsoft products. I look forward to the outcome of this undertaking. Unfortunately (for the end user) I predict any expectations will fall short, and the anti-virus industry will be required to charge to the rescue again to thwart the virus foe.
Myth #2? DBR viruses cannot be removed from FAT32 partitions by non-FAT32 compatible anti-virus software.

Currently there are no FAT32-specific viruses, which is not to say that they will not be created in the future. Non-FAT32 compatible scanners appear to be unable to successfully remove the current FAT16 DBR viruses. My findings with the DBR infectors and scanners tested for this paper appear to validate this supposed myth! Disconcertingly, my results with genuine infections appear to be the complete opposite of some postings by notable researchers on the Alt.Comp.Virus newsgroup. Is the truth out there?
Test Results

Swiss-Boot.A resisted all attempts to remove it by anti-virus software. It had to be manually removed using SYS C: after booting from a clean boot disk and locking the C: drive with the LOCK C: command. FORM.A was also resistant to removal, only being successfully removed using Dr. Solomon's Magic Bullet, McAfee 3.0.3 and Vet 9.44, which are all FAT32 aware. Although some researchers insist that DBR infectors can be removed from FAT32 drives by FAT16 compatible scanners, my tests seem to indicate the opposite. This obviously needs more investigation.
Effects of Partition Sector [MBR] viruses?

Myth #3 MBR viruses cannot be removed from FAT32 partitions by non-FAT32 compatible anti-virus software.

After Myth #2 you might think this would be correct, and you'd be excused for thinking so. Luckily, for most MBR infectors this is not the case. In testing, all the MBR viruses were successfully removed, without incident. Why is this the case, when DBR viruses refused to give up without a struggle? The simple answer is that the MBR under FAT32 is practically the same as under DOS 6.0. Therefore, currently non-FAT32 compatible scanners can (in almost all cases) safely remove MBR viruses from FAT32 drives.

Test Results

This was an interesting group of viruses, especially as all of them were unable to infect floppy disks from within the Windows 95 GUI or DOS boxes run within it. (While I was completing this paper, a new MBR infector was reported that could infect from within the Windows 95 GUI; the virus is known as Dodgy or Ravage [Dr. Sol].) The greatest surprise was how badly some of the MBR viruses fared when trying to infect in MS-DOS Compatibility Mode and/or the Command Prompt Only boot option mode.

STOP PRESS: Dodgy has been tested and the results added to the table below. This MBR infector can infect floppy disks in all the test modes. It does this by deleting the HSFLOP.PDR file from the WINDOWS\SYSTEM\IOSUBSYS directory. This simply removes the 32-bit floppy driver support, so that the next time Windows 95 starts, the floppy drive is accessed using standard DOS BIOS routines instead. This type of attack is not new; the Hare family of viruses used this method too, although in the tests carried out for this paper all Hare samples failed to go resident and infect the MBR or any files. One thing to bear in mind: just because an MBR infector can't spread does not mean it is not a threat.

Take Kampana as an example: even though it failed to replicate in testing, confirmed by at least one third party [Emm], its payload will almost certainly still trigger (after 400 reboots it overwrites the hard disk with garbage, then displays its message). Others that refused to spread include: AntiCMOS.A, Jumper.A, Stoned.Standard.A and V-Sign.A. Some of the test group produced General Failure Reading Drive A: messages; these were: Michelangelo, ExeBug.C and Stoned.16. Quox refused to allow Windows 95 to boot, and would only infect floppy disks inserted during the Diskette Read Failure message, which could not be bypassed. Those that performed best, infecting under both conditions 3 and 4, were: AntiEXE.A, Leandro, ParityBoot.B, Ripper, Sampo, Stoned.Azuza, Stoned.Angelina, W-Boot.A and Welcomb. A number of MBR infectors would only infect under condition 4; these include: Monkey.B, NYB and Stealth_Boot.C.

All of those that successfully infected the MBR and went resident, apart from Jumper.A, caused Windows 95 to report that the MBR had been changed (Fig 1), which dropped the Windows 95 file and memory system mode from 32-bit (Fig 3) into MS-DOS Compatibility mode (Fig 2). Interestingly, even though the hard drive is in MS-DOS mode, the floppy driver is still running in 32-bit mode [CN] (that is why the floppy disks are not infected within the GUI by the viruses tested, even though they infected the hard drive's MBR and are resident). Why did all of the viruses that infected the MBR and went resident, except Jumper.A, have Windows 95 detect the change? The answer isn't all that mystical: all the other tested MBR infectors hook Int 13h, and Windows 95 actually monitors the Int 13h vector code for modifications (not the actual MBR or DBR), as this will affect its ability to drive the hardware directly. Not surprisingly, most MBR infectors will do just that. Jumper.A, on the other hand, hooks not Int 13h but Int 21h; this means that Windows 95 can't see the change and therefore the warning messages are not shown.

Filler.A, Chinese-Fish and both Hare samples refused to even go resident, let alone infect the test system's MBR. On a clean boot all was fine, except, as expected, for Monkey.B (as it encrypts the MBR) and ExeBug.C (Invalid drive specification when accessing drive C:). Even given these errors, the viruses were still correctly and easily removed, even with non-FAT32 specific scanners. A number of the test set hung after infecting the hard drive, instead of giving the more usual "Invalid system disk. Replace the disk, and press any key" or "Non-system disk or disk error. Replace and strike any key when ready" messages. This simply needed the system to be rebooted for Windows 95 to load as normal, except for the warning messages (Fig 1 and Fig 3). The viruses exhibiting this phenomenon were: AntiCMOS.A, Leandro, Parity_Boot.B and Stoned.16.

The really interesting results come when these test results are compared to tests conducted by Ian Whalley [Whalley]. All the MBR and DBR viruses he tested replicated under FAT16 [4.00.950]. The viruses he tested were: AntiCMOS, AntiEXE, Monkey.B, Form, Jumper.B, NYB, ParityBoot.B, Quandry, Sampo, Stoned.Angelina and V-Sign. Yet in another test conducted [VB2], Jumper failed to infect other floppies, as found in the tests carried out for this paper. On the other hand, Kampana and V-Sign apparently did replicate in the same test conducted by Virus Bulletin, but failed to when tested for this paper! But if we look closer, these tests [VB2] were done on a pre-release version of Windows 95 [4.00.347], and this may go some way to explain the anomalies found in this and other tests by Ian Whalley [4.00.950] [Whalley] and David Emm [4.00.950] [Emm] when compared with the later version of Windows 95 tested for this paper [4.00.1111]. As you can see, the results are somewhat different. Are the different results due to FAT32 and/or other changes in OSR 2.x, or something else? I feel that more testing is required to get the definitive answer, and unfortunately this is beyond the scope of this paper.
Test mode legend (results table not reproduced in this copy): 1 = From Explorer (My Computer A:)
Effects of File Infecting viruses?

Myth #4 You can't boot clean from an OSR2 boot disk; the virus is still found in memory.

This rumour has been impossible to verify first hand. I contacted Virus Bulletin and spoke to Nick Fitzgerald (the editor), and he confirmed that this rumour was passed to him via trusted third parties. The situation in which this problem appears to occur is where small drives or small partitions are used. It is possible that after booting from the Windows 95 rescue disk and running your anti-virus software, it may report that the virus is still in memory (even though it really isn't; this is known as a false positive or ghost positive). To resolve this issue simply add a CONFIG.SYS file with the following entry: BUFFERS=5, or 8. It is further suggested, to address this problem, that you use a DOS 6.x boot disk to clean boot from before trying to remove an MBR infector.

STOP PRESS: After further research I managed to confirm this myth when either McAfee or Norton Anti-Virus was used after a clean boot. The tips suggested were tried and appeared not to alleviate the false alarm problem with these products. All the other scanners tested did not suffer from this false alarm problem.

Test Results

This set of viruses gave the widest range of results, not surprising really when you consider the number of different types of file infecting viruses there are. A number of viruses that went resident completely refused to infect any files whatsoever. These include old and new viruses, such as: Tequila, Cawber, Die_Hard, both Hare samples and Ginger. Others just produced the illegal operation dialogue box (Fig 4) and refused to do anything more. These included: Goldbug, DarkAvenger.1800 and 2100, Neuroquilla and MacGyver.

A further subset produced the more drastic Fatal Exception xx message, which invariably ended up with the system either becoming extremely unstable or having to be restarted. These included: ByWay, Green Caterpillar, Tremor and Frodo. There were a reasonable number of viruses that could survive and replicate successfully within a single DOS box. These included: Anticad.4096.Mozart, Avispa and even old favourites such as Cascade and all of the tested Jerusalem variants. A few viruses could survive and replicate in all DOS boxes; these were: Barrotes.1303 and Three_Tunes.1784. Both these viruses infected COMMAND.COM, so this may explain why this was possible, although other viruses infected COMMAND.COM but were not viable outside the single DOS box they went resident in; these were: Barrotes.1310.A, CPW.1527, Fairz, Kaos4 and Npox.963.A. Only one could infect not only all target files in all DOS boxes, but also DOS files executed from Explorer! This was: No_Frills.Dudley.

Comparing these results with other papers that have tested earlier versions of Windows 95 shows similar results. David Emm's paper [Emm] confirms the findings here with regard to Cascade, Yankee.Doodle and Frodo, but not Tequila. The difference with Tequila may be explained by the use of FAT32 partitions in this paper compared to FAT16 in his tests. The test carried out by Ian Whalley [Whalley] confirms the behaviour observed with ByWay, Jerusalem, Kaos4 and Taipan.438. It appears that the tests carried out for this paper use the largest set of viruses of the known papers written to date. In many ways I can understand why, as this level of testing is rather time consuming.