Does Win9x need Antivirus anymore?

[Hoko]

That's music to my ears

[AnX]

I'd still use an AV, since I have the habit of it, and updating backups is too much work for a secondary PC.

I use Spybot Search& Destroy as an AntiSpyware for Windows 98, and with Firefox 10, I can have AdBlock Plus.

I'm thinking an on-demand scanner is good, so I'll just get one of those.

Edited April 18, 2013 by AnX

[Tommy]

and with Firefox 10, I can have AdBlock Plus.

Adblock Plus for Firefox works as far back as the late 3.6 versions which I still use myself as I don't like the newer versions so much. It seems to be trying to imitate Chrome a little bit too much for my liking that it just isn't as good to me and the fact that it seems anything too new doesn't work 100% on 98.

Edited April 21, 2013 by Tommy

[Giant2011]

I still use Avast and it still updates and I use Jetico Personal Firewall 1.0.1.61 with windows 98 SE

[Cyberguy]

Would the KernelEx patch that allows running more modern software on Win98 also allow more viruses, worms, malware etc to run under Win98 ?

[dencorso]

Probably.

[loblo]

Would the KernelEx patch that allows running more modern software on Win98 also allow more viruses, worms, malware etc to run under Win98 ?

Most unlikely as KernelEx offers no low level compatibility with NT systems.

[dencorso]

Truth is, whatever we may say, the thread's title question is intrinsecally unanswerable. And Cyberguy's question about KernelEx is intrinsecally unanswerable, too.

It would be necessary to set up two identical machines, one with state-of-art 98SE or ME and the other with, say, Windows 7 updated as per MS's recommendations and put them under attack by a *representative* sample of current malware, for a given time interval, and then count the infections... But: what is a *representative* sample of current malware, and for how long? As I understand such an experiment to be unfeasible, to me, those questions are unanswerable.

[Fredledingue]

As Dencorso said, we need a more scientific aproach to answer this question. yet it's safe to say that by our common experience, W98 has a very low risk of infection.

We have never seen anyone in the last 5 years, posting here to ask how to get rid of a virus.

IMO antivirus and firewalls are totaly useless on w98.

Now saying that we will never be infected should we open obviousely dangerous websites with IE6 and leave the machine 24/7 on line for weeks... is a little bit presumtuous.

I neve had an antivirus installed in the last 5 years at least, and before that, never had a virus since 1999.

(and that virus came from a floppy!)

yet I'm positive that I would not catch viruses easily with W7 the way I use my computer.

As the saying goes, infection risk depends more on your behavior than on your OS. Poeple who are careful and know how to avoid viruses will almost never catch one and can safely go naked everywhere and do everything without any protection.

The problem with new OSes thought, is not so much viruses, it's bloatwares/garbagewares/uselsesswares. It seems that all Vista/7 machine get a new bloatware installed, God-knows-how once every 6 months on average and you have no idea what this software is doing and wether or not you can remove it.

On a w98 that sort of joke would be cut short very swiftly.

[ZortMcGort11]

I think it wouldn't hurt to have a couple on-demand scanners for Win9x. But anything that scans real-time would probably be completely pointless.

Clamwin, F-Prot for DOS, older version of AVG and Antivir. You can find them on Oldapps or Filehippo.com

I won't be downloading any versions of Clamwin byeond 0.97.6.

The brand new ClamWin is like 20 Mb bigger than the last. Huge jump in file size, and probably the memory footprint and the time it takes to scan as well.

so, my computer has virus protection from the ancient DOS viruses (using F-prot) all they way up to newer viruses thanks to ClamWin. But I won't be upgrading them anymore because they never find anything anyway.

[CharlotteTheHarlot]

I think it wouldn't hurt to have a couple on-demand scanners for Win9x. But anything that scans real-time would probably be completely pointless.

Agreed.

McAfee v6 still working on Win9x using current DAT files.

See here.

[Nomen]

I was testing a malware link recently on my win-98 system (with Kex) with Firefox 2.0.0.20, Adobe reader 6.0.2, and Java 1.6.0_43. This is what happened:

The link ends up causing my system to load the Java engine and process some java code, which in turn tries to invoke acrord32.exe and render some sort of pdf file. Java and Acrord32 displayed these error messages:

------

Application Error

General Exception (!)

java.lang.NullPointerException

(ok) (Details)

-------

And this:

-------

Acrobat plug-in

! This operation is not allowed

(ok)

-------

Looking at the Details for the Java error:

-------

java.lang.NullPointerException

at sun.net.www.ParseUtil.encodePath(Unknown Source)

at sun.misc.URLClassPath$Loader.getResource(Unknown Source)

at sun.misc.URLClassPath.getResource(Unknown Source)

at sun.applet.AppletClassLoader.getResourceAsResource(Unknown Source)

at sun.applet.AppletPanel$7.run(Unknown Source)

at sun.applet.AppletPanel$7.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at sun.applet.AppletPanel.createSerialApplet(Unknown Source)

at sun.applet.AppletPanel.createApplet(Unknown Source)

at sun.plugin.AppletViewer.createApplet(Unknown Source)

at sun.applet.AppletPanel.runLoader(Unknown Source)

at sun.applet.AppletPanel.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

-------

Before I dismiss these error messages, I do a search for all recently-created files. I find these in windows/temp:

Acr6392.TMP

Acr6390.TMP

Acr639C.TMP

Small, useless PDF files. I can't find anywhere on the web to verify this, but I believe that Adobe reader must create these temp files during it's normal operation, so these are harmless. AV scan on them turns up nothing.

I find this file in windows/application data/sun/java/deployment/cache/6.0/host: 31ba0019-40d9db35.hst It's a text file that contains this: 184.82.108.82

I have this file in my firefox cache directory: 10D13CC8d01. It contained comma separated decimal representations of ASCII characters for the <applet>some stuff</applet> container. Also contained period separated values represent the ASCII characters for JavaScript for downloading of the malicious PDF, Java jar, and Shockwave flash object. The malicious PDF contained stream object (111) which is a compressed obfuscated JavaScript which works on yet another blob which is the PDF heapspray/exploit code which also has two shellcode variables. The shellcodes had URLs that were not encrypted.

VirusTotal identified that file as containing: JS/Exploit-Blacole.ld - but only 2 out of 46 AV programs flagged the file as malicious.

I dismiss the java error, and then the adobe error. Immediately another Acrord error pops up (same as the first). I dismiss it. Firefox then comes back to life and displays this page:

www.google.com/search?q=404%20error

And at this point we seem to be done, with no lasting effects. This lame attempt at a browser/java/pdf exploit just bounced off my win-98 system.

I have yet to find a pdf exploit that can work correctly on the combination of win-98/Acrobat Reader 6. And the heap/spray exploits seem not to work correctly on win-98 systems as well. And many of the malware files that I seek out (as a result of following recent spam links) turn out to have a very low rate of being identified by antivirus programs - at least during their first day of circulation.

[CyberyogiCoWindler]

On my Win98SE PC (AMD K6-3+@550MHz,768MB RAM) I run the firewall ZoneAlarm AntiVirus 6.1 (outdated antivirus part disabled) combined with Avast4.8 AntiVirus (start delayed through StartRight to prevent race condition lockups). However nowadays a complete boot takes about 20 minutes and Avast update even >30 minutes. Also random bowser lockups likely come from Avast, which seems to slow down the machine by 90% in some situations. I guess this bloatware monster does linear search through an infinitely growing virus database and since long time has lost its point of usefulness. (The only malwares I ever found with it were adware scripts in old downloaded HTML pages, and obviously fake e-mail attachments I wouldn't open with Acrobat Reader or MS Word anyway since I do not use them.)

Thus I will replaces this bugger with ClamWin+Sentinel soon. I hope I manage to make it coexist with ZoneAlarm.

Edited May 8, 2015 by CyberyogiCoWindler

[CharlesF]

No antivirus at all here for years and years, and never had any problem surfing. They are slowing too much on old PC.

(Only using ZA 5.5, proper configuration and passive protections like Hosts file, ActiveX killbits, ...)

 

I really wonder if it is possible to any current malware to recognize such legacy OS as Win9x and infect it.

[Nomen]

I was going to create a new thread, but I see that this thread has been resurrected so I'll add this.

I got a spam on Friday with a nonsense subject (#jNSuR) and an attachment (hqPP03Lb.doc - 83 kb). The only text in the spam was "Sent from my ipad". I saved the attachment and tried to open it with notepad. Notepad threw up the usual "this file is too large- how about I open it with wordpad?". My fingers were faster than my brain and I clicked OK.

Now I've seen a bunch of viral .doc files recently where they try to invoke some sort of macro, and if you have macro's disabled then they throw up a lame message asking you to enable macros. So I guess I expected this to do the same. But instead I got this:

===============

Wordpad caused an invalid page fault in module mswrd832.cnv

(a bunch of details)

===============

And that's all. No dropped files, no new processes, no new entries in my registry. Yet another example of a cutting-edge exploit that falls flat on it's face when it encounters a win-98 system (and I have Office 2K Premium installed - and still it could not exploit it).

I have 2 copies of mswrd832.cnv on this system - one in a directory containing all files unpacked from a win-98 CD, and the other in program files / common files / microsoft shared / textconv. Presumably the one being used is the one in textconv, and funny thing - it's dated 12/08/1998 (but has version 98120800) while the other is 4/23/1999 (and has version 97081200).

A scan of the .doc file at virustotal (and this is some 24 hours after I got it) got flagged by 29 out of 56 AV programs. A few of the notable programs that DID NOT detect this threat were:

ClamAV

Malwarebytes

Norman

Panda

The file acts as a downloader (or dropper) and is variously ID'd as W97M / Adnel. Trend calls it "W2KM_BARTALEX.VVRA". I really would like to know the exploit mechanism being attempted here, and why the mechanism failed under win-98 (and hence why does it work under NT). I can make the file available to anyone that want's to analyze it in more detail.