The effect of computer viruses on OS/2 and Warp

John F. Morar
David M. Chess
High Integrity Computing Laboratory
IBM Thomas J. Watson Research Center
Hawthorne, NY

To be published in the proceedings of the Virus Bulletin International Conference, Boston Park Plaza Hotel and Towers, Boston, Mass, USA, 20-22 September 1995.

IBM, OS/2 and OS/2 Warp are registered trademarks of International Business Machines Corporation. Any trademarks not associated with IBM are the property of their respective owners.

The original PostScript version of this paper is also available.

Overview

Although the number of viruses for OS/2 can be counted on the fingers of one hand, systems running OS/2 still require protection against thousands of DOS-based viruses which can infect boot records and DOS programs on OS/2 systems.

OS/2 is a 32-bit multitasking operating system which can simultaneously run programs written for OS/2, DOS and Microsoft Windows(tm). DOS programs running under OS/2 execute in a Virtual DOS Machine (VDM), which is designed to provide an environment that appears the same as real DOS. Ironically, moving toward the goal of a perfect virtual DOS machine increases the probability that an infected DOS program will execute properly and effectively propagate its virus to other DOS programs stored on the system. Indeed, DOS programs executing under OS/2 can frequently spread file-infecting viruses to other DOS programs.

Boot sector viruses interact primarily with the Basic Input/Output System (BIOS), which is common to all IBM PC and compatible personal computers. Boot sector viruses typically receive control during the boot process, before the operating system is loaded; this allows them to infect boot sectors independent of the operating system in use. Boot sector viruses under OS/2 don't usually spread to diskettes because of the details of how OS/2 uses diskettes: once OS/2 has loaded its own protected-mode disk drivers, diskette I/O no longer passes through the BIOS interrupt that the virus hooked during boot, so the virus code never sees diskettes being accessed. However, they can have other detrimental effects on the system and therefore need to be removed.
Viruses designed to infect native OS/2 executables are more complicated to write than their DOS counterparts, but they will likely be a problem at some point in the future. We are currently aware of only two OS/2 viruses. Both of these viruses are very simple and neither of them has been detected in the wild. ("In the wild" viruses are those which have been detected spreading in real-life situations.)

OS/2 is far more versatile than DOS/Windows. It has the ability to run multiple DOS and Windows sessions, provides facilities for booting multiple operating systems, and allows file names up to 255 bytes long. These additional capabilities offer new places for viruses to hide and mandate additional anti-virus capabilities not available in native DOS/Windows anti-virus software. Although native DOS/Windows anti-virus programs can often execute under OS/2, they do not provide an adequate level of protection. They will not have access to files with long names, nor will they find all the boot records which may be located on the machine. Under some versions of OS/2, the boot sectors are not writable by DOS/Windows programs and can therefore not be disinfected by DOS/Windows anti-virus products.

This susceptibility to DOS viruses is not unique to OS/2. Indeed, Windows NT and Windows 95 are also fertile ground for the spread of DOS viruses. Each of these operating systems requires individually tailored anti-virus protection software.

Boot sector viruses under OS/2

Boot sector viruses are responsible for the overwhelming majority of in-the-wild virus infections. They reside in the boot records found on each disk and diskette. The primary method for checking a particular machine for boot sector viruses is to scan all the boot records located on the personal computer. One consequence of OS/2's versatility is the possibility of additional boot records not found in DOS systems.
OS/2 provides optional facilities for installing more than one operating system on a single personal computer. Two methods are provided for choosing which operating system is to be booted: Dual Boot and Boot Manager. Each of these methods involves manipulating which boot sectors become active. Using either of these techniques results in additional boot sectors not found on DOS- and Windows-based systems. Effective OS/2 anti-virus programs will scan all the boot records located on the personal computer, even those which are not active at the time the scan is being performed. In particular, on a Dual Boot system the system boot record of the operating system that is not currently active is stored on the hard disk, under a special name. OS/2 anti-virus software should know to scan for boot sector viruses in files with these names. In a Boot Manager system, a special Boot Manager boot record exists that is neither a master boot record nor an operating system boot record; OS/2 anti-virus software must know how to scan and repair this special kind of boot record.

OS/2 offers a choice of two file systems: the File Allocation Table (FAT) file system and the High Performance File System (HPFS). Some boot sector viruses assume that all file systems are FAT, and write to specific disk locations in ways that can damage HPFS boot partitions. The risk of such complications for OS/2 systems in high virus-risk environments can be minimized by using the FAT file system for all boot partitions.

DOS file infecting viruses under OS/2

DOS programs running on an OS/2 system execute inside a Virtual DOS Machine (VDM), a controlled environment in which OS/2 provides DOS programs with all the usual DOS services, and in general simulates a DOS environment. Multiple VDMs can be used to simultaneously execute multiple DOS programs. Many infected DOS programs execute properly in OS/2 VDMs and can effectively propagate a virus to other DOS programs stored on the system.
File infecting viruses frequently install a memory-resident component in the DOS operating system (or in the VDM in the OS/2 case); this component infects new programs as they are executed, or executable files as they are opened, or it may follow any of a variety of other strategies. Because the DOS simulation provided by the VDM supports this kind of memory-resident component, viruses of this kind often continue to operate in a VDM. (Some file infecting viruses use undocumented and unsupported features of DOS to function; these will often fail in OS/2 VDMs.) Memory-resident viruses cannot spread directly between separate VDMs; however, any program executed from within an infected VDM will likely become infected. If that program (once infected) is later executed in another VDM, that VDM can also become infected, in the sense that the virus will have installed its resident portion in that VDM as well. The best protection for VDMs under OS/2 is to install memory-resident virus protection in each VDM as it is opened. This function can be performed automatically by anti-virus software tailored to the OS/2 environment.

Occasionally a file-infecting virus designed for DOS will also attempt to infect OS/2 executable files. Although the structure of an OS/2 executable file is superficially similar to a DOS EXE file, it is in fact far more complex. If a DOS virus attempts to infect an OS/2 executable, it will almost always fail, rendering the OS/2 executable unable to execute under OS/2, and making it impossible to fully repair the file. In some cases trying to start an OS/2 program in an infected VDM can cause the OS/2 program's "DOS stub" (the part of an OS/2 program that prints "This program cannot be run in DOS mode") to become infected. An OS/2 program infected in this way can sometimes even spread the virus when started under DOS, or in an OS/2 VDM. It is therefore important to check both DOS and OS/2 executables for file-infecting viruses on OS/2 systems.
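To make concrete why an OS/2 executable only looks like a DOS EXE, here is an added example in Python; it is not code from the paper or from IBM AntiVirus. It reads the MZ header, follows e_lfanew (offset 0x3C, valid only when the relocation-table offset at 0x18 is 0x40 or more) to the new-format header, and distinguishes a plain DOS program from NE (16-bit OS/2 1.x and Windows), LX (32-bit OS/2) and PE files; it extracts the DOS stub that a DOS loader, and therefore a DOS file infector, sees; and it applies one consistency check of this example's own devising, not a technique from the paper: in a clean new-format file the stub's code precedes the new header, so a DOS entry point at or beyond e_lfanew means the MZ header has been redirected. The LX file is a constructed skeleton with only the fields the code reads filled in (target-OS word at header offset 0x0A; for NE the target-OS byte at 0x36), and the "infection" is a constructed rewrite of the MZ fields an appending EXE infector changes, with a filler body rather than any real virus code.

```python
import struct


def mz_fields(data):
    """MZ header fields a DOS loader, and therefore a DOS EXE infector, relies on."""
    e_cblp, e_cp, _e_crlc, e_cparhdr = struct.unpack_from("<4H", data, 2)
    e_ip, e_cs, e_lfarlc = struct.unpack_from("<3H", data, 0x14)
    # e_lfanew (offset 0x3C) is only meaningful when the relocation table starts at 0x40 or later
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if e_lfarlc >= 0x40 else 0
    image_size = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)   # bytes DOS loads
    header_size = e_cparhdr * 16
    return {"image_size": image_size, "header_size": header_size,
            "entry": header_size + e_cs * 16 + e_ip,              # file offset of CS:IP
            "e_lfanew": e_lfanew}


def classify(data):
    """'DOS' for a plain MZ program; 'NE' (16-bit OS/2 1.x and Windows), 'LX' (32-bit OS/2),
    'LE' or 'PE' when a new-format header follows the DOS stub; 'not-exe' otherwise."""
    if len(data) < 0x40 or data[:2] not in (b"MZ", b"ZM"):
        return "not-exe"
    off = mz_fields(data)["e_lfanew"]
    if off and off + 4 <= len(data):
        sig = data[off:off + 4]
        if sig == b"PE\0\0":
            return "PE"
        if sig[:2] in (b"NE", b"LX", b"LE"):
            return sig[:2].decode("ascii")
    return "DOS"


def target_os(data):
    """Target OS recorded in the new-format header (LX: word at +0x0A, NE: byte at +0x36; 1 = OS/2)."""
    kind = classify(data)
    if kind not in ("LX", "NE"):
        return None
    off = mz_fields(data)["e_lfanew"]
    code = struct.unpack_from("<H", data, off + 0x0A)[0] if kind == "LX" else data[off + 0x36]
    return {1: "OS/2", 2: "Windows"}.get(code, "other")


def dos_view(data):
    """(bytes, entry offset) a DOS loader sees: for a new-format file this is the stub that
    prints 'This program cannot be run in DOS mode', the part a DOS virus can infect."""
    f = mz_fields(data)
    return data[:min(f["image_size"], len(data))], f["entry"]


def stub_entry_redirected(data):
    """Consistency check devised for this example: in a clean new-format file the stub's code
    lies before the new header, so a DOS entry point at or beyond e_lfanew means the MZ header
    was rewritten, which is what an appending EXE infector does."""
    f = mz_fields(data)
    return bool(f["e_lfanew"]) and f["entry"] >= f["e_lfanew"]


def build_sample_lx():
    """Constructed OS/2-style file: 0x80-byte DOS stub, then an LX header skeleton with only the
    fields read above filled in. Not a runnable program."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<HH", mz, 2, 0x80, 1)      # e_cblp, e_cp: DOS image is 0x80 bytes
    struct.pack_into("<H", mz, 8, 4)             # e_cparhdr: 0x40-byte header
    struct.pack_into("<HH", mz, 0x14, 0, 0)      # e_ip, e_cs: entry at start of load image
    struct.pack_into("<H", mz, 0x18, 0x40)       # e_lfarlc >= 0x40 marks a new-format file
    struct.pack_into("<I", mz, 0x3C, 0x80)       # e_lfanew: LX header follows the stub
    # push cs / pop ds / mov dx,000Eh / mov ah,9 / int 21h / mov ax,4C01h / int 21h, then the message
    stub_code = (b"\x0E\x1F\xBA\x0E\x00\xB4\x09\xCD\x21\xB8\x01\x4C\xCD\x21"
                 b"This program cannot be run in DOS mode.\r\n$").ljust(0x40, b"\0")
    lx = bytearray(0xB0)
    lx[:2] = b"LX"                               # byte-order and word-order bytes stay 0
    struct.pack_into("<HH", lx, 8, 2, 1)         # CPU type 2 = 80386, target OS 1 = OS/2
    struct.pack_into("<I", lx, 0x14, 1)          # number of pages
    return bytes(mz) + stub_code + bytes(lx)


def simulate_appending_infection(data, body=b"\x90" * 32):
    """Constructed tampering for the demo: append a filler body and rewrite the MZ header the way
    an appending DOS EXE infector does (image size grows to cover the body, CS:IP points at it).
    Nothing at e_lfanew is touched, so OS/2 still sees an LX file."""
    out = bytearray(data) + body
    f = mz_fields(data)
    struct.pack_into("<HH", out, 2, len(out) % 512, (len(out) + 511) // 512)
    body_off = len(data) - f["header_size"]       # body position relative to the load image
    struct.pack_into("<HH", out, 0x14, body_off % 16, body_off // 16)
    return bytes(out)


def demo():
    clean = build_sample_lx()
    infected = simulate_appending_infection(clean)
    report = lambda d: (classify(d), target_os(d), len(dos_view(d)[0]), stub_entry_redirected(d))
    return {"clean": report(clean), "infected": report(infected)}
```

In the demo the tampered file still classifies as LX with target OS/2, which is exactly why a scanner that only inspects the LX part misses the problem: the DOS view has grown from 0x80 to 0x150 bytes and now starts at the appended body, so the stub must be scanned as a DOS program in its own right.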
Native OS/2 viruses

There are currently only two OS/2 viruses known to us.

OS2vir1: This virus functions by (roughly) replacing all EXE files in the current directory with a copy of itself. Since infected files no longer perform their normal functions, this is a very noticeable virus and therefore unlikely to spread. It is distributed as source code and, as distributed, prints out messages as it runs saying which files it's "infecting".

Jiskefet: Replaces EXE files with a new file which contains within itself the original EXE file. When the infected file is executed it recreates the original EXE file under another name and then executes the original file. This is a technological advance over OS2vir1 since the function of the original program is preserved; however, Jiskefet is not very effective at finding new files to infect. Similar viruses in the DOS world have never spread well, suggesting that Jiskefet will also not pose any significant threat to OS/2 systems.

In spite of the current unsophisticated attempts at OS/2 viruses, there is no insurmountable technological barrier to generating effective viruses for any of the currently shipping 32-bit operating systems; it makes sense to prepare now, by installing the best available anti-virus software designed specifically for the operating systems that you are actually using.

Taking Advantage of OS/2 Facilities

Like any other modern product, anti-virus products should take advantage of the power and flexibility that OS/2 brings to the user. An anti-virus product should, for instance, be able to run in the background at pre-selected times, to avoid interfering with the user's daily work. An anti-virus product should have a full graphical user interface, allowing any necessary user interactions to take place on the desktop, rather than through older command-line interfaces.
Advanced file systems, like the one provided with OS/2, require the system to be shut down so the file system can close all files and store all data. The next action after a shutdown is to restart the system, either immediately or at some later time. The shutdown process is an excellent time to scan any diskette left in the A: drive for boot sector viruses. Diskette scanning during shutdown avoids possible infection when the system is again restarted. Even a non-bootable diskette can be infected with a boot sector virus, and can spread the virus if an attempt is made to boot from the infected diskette: the BIOS loads and executes the diskette's boot sector before anything discovers that no operating system is present, so the virus runs and infects the hard disk's boot record whether or not the diskette was ever meant to be bootable.

Summary: Requirements for protecting OS/2 systems

To be effective in protecting an OS/2 system from viruses, an anti-virus product must:

- Run as a native OS/2 application, in order to check files and directories that DOS applications cannot see.
- Check all boot records on the system, including Boot Manager boot records and the files used by Dual Boot to store boot records.
- Provide protection for all DOS VDMs and Windows sessions running under OS/2.
- Check to see if there is an infected diskette in the diskette drive immediately before shutting down.
- Perform scheduled scans of the system, in the background, exploiting OS/2 multitasking abilities.
- Take advantage of the sophisticated user interface facilities in OS/2 to run cleanly on the desktop, rather than requiring command-line interaction.

Our development of IBM AntiVirus for OS/2 has been motivated by the need to satisfy all the requirements described in this article.