Booting the unbootable presented at Virus Bulletin 2002

by Tomo Sombolac (Qubis d.o.o.)

Summary: Today, among the most prevalent viruses are those written to attack
Windows 32-bit executables. Besides the usual mass mailing of the infected
code, these viruses may employ various techniques for mass infection
of executables present on local and network drives, for memory residence
(via a service or process) or for stealth. They are also very difficult to
remove or disinfect. At the same time it is perceived that a
number of current Windows operating systems are very hard to boot in
such a way that a clean environment is established (a clean boot). This
is usually stated for the Windows NT operating system, but Windows 2000
and the new Windows XP are not excluded. None of this makes handling
infections by Windows 32-bit viruses easier.

In fact, it is possible to clean boot all Windows operating systems,
and the relevant procedures are documented in Microsoft Knowledge Base
articles. On the other hand, many Web sites of the largest
anti-virus companies do not present these facts, usually offering
workarounds instead. This can be confirmed by searching the
sites of the top anti-virus vendors for information about clean booting
Windows operating systems and for information on cleaning
infections caused by some of the viruses in question, such as Flcss, Magistr
or Nimda.

It is somewhat worrying that the largest anti-virus companies do not
present the procedures given in the relevant Microsoft Knowledge Base articles
on their Web sites. It is also obvious that the currently recommended
techniques rely more on tricks and workarounds than on lege artis
procedures, and that they introduce a number of further problems, such
as the risk of re-infection, the possibility of the virus remaining active in
memory, or being virus-specific, i.e. limited to particular cases.

We have explored the recommended Microsoft Knowledge Base procedures;
we use them in our everyday work and recommend them to our customers. At
the Virus Bulletin Conference we would like to present some facts
about these well-known and very important procedures, which
nevertheless seem to be widely overlooked.