How to Deal With Boot Sector Viruses

All disks and hard drives are divided into small sectors (512 bytes each on PC disks). On a floppy, the first sector is the boot sector. On a hard drive, the first sector holds the Master Boot Record (MBR), and each partition has its own boot sector at its start. The MBR contains the partition table, which records where the partitions lie on the drive and which one is active (bootable), together with a small program that locates the active partition and reads its boot sector. During the bootup sequence on a DOS-based PC, the BIOS does not look for files at all: it reads the first sector of the first boot device into memory, checks that the sector ends with the 55 AA signature, and jumps to the code it finds there. On a hard drive that code is the MBR program, which loads the active partition's boot sector; on a floppy it is the boot sector itself. The boot sector code then searches for the DOS system files IO.SYS and MSDOS.SYS and loads IO.SYS, which is responsible for loading the remainder of the operating system. Because all of this happens before DOS is running, code planted in the boot sector or the MBR executes on every boot with nothing in place to check it.

What Is a Boot Sector Virus? 

A boot sector virus is one that infects the first sector, i.e. the boot sector, of a floppy disk, or the boot sector of a hard drive partition. Boot sector viruses can also infect the MBR. Typically the virus copies the original sector elsewhere on the disk, installs its own code in its place, and after running passes control to the saved original so the system still appears to boot normally. The first PC virus in the wild was Brain (1986), a floppy boot sector virus that used stealth techniques to avoid detection: it intercepted the BIOS disk-read service and returned the original boot sector whenever a program tried to read the infected one. Brain also changed the volume label of the infected disk, to "(c) Brain".

How to Avoid Boot Sector Viruses

Boot sector infections commonly arrive on "shared" diskettes and pirated software. They are relatively easy to avoid. Most are spread when a user inadvertently leaves an infected floppy in the drive and the PC is next started with it in place: the BIOS reads and executes the floppy's boot sector before anything has checked whether the disk holds an operating system, so the virus installs itself on the hard drive even when the only visible result is a "Non-System disk or disk error" message. Most systems allow the boot sequence to be changed in the BIOS setup so that the system always attempts to boot first from the local hard drive (C:) or the CD-ROM drive rather than the floppy drive. Floppies that only need to be read should also be kept write-protected, and a diskette of unknown origin should be scanned before it is booted from or copied from.

Disinfecting Boot Sector Viruses

Boot sector repair is best accomplished with antivirus software. Some boot sector viruses move or encrypt the original MBR or partition table (and a few encrypt part of the drive itself), so removing the virus code without also restoring what it hid can leave the drive inaccessible. If you are certain the virus has affected only the boot sector and is not an encrypting virus, the DOS tools can be used instead: SYS rewrites a floppy's or partition's boot sector and system files, LABEL restores a damaged volume label, and FDISK /MBR (an undocumented switch in most DOS versions) rewrites the boot code portion of the MBR while leaving the partition table exactly as it finds it. That last point is the hazard. If the virus has altered or relocated the partition table, FDISK /MBR replaces the only code that knew where the real table had gone and leaves the wrong table in place, and the partitions disappear. None of these manual methods is recommended. Antivirus software, run after booting from a clean system disk, remains the best tool for cleanly and accurately removing boot sector viruses with minimal threat to data and files.
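The following Python script is an added example, not part of the original article, that makes the MBR layout described above concrete and shows why the FDISK /MBR caveat matters. It parses a 512-byte MBR image: it checks the 55 AA boot signature, hashes the 446 bytes of boot code so the code can be compared against a known-clean baseline, decodes the four 16-byte partition entries at offset 0x1BE, and then imitates what FDISK /MBR does, rewriting only the code bytes and leaving the table untouched. The "clean" and "virus" code stubs and the sample sectors are constructed inside the script, not captured from a real drive; the function and constant names are this example's own.

```python
"""Inspect a 512-byte Master Boot Record image for tampering.

Added example, not part of the original article. It relies only on the
standard MBR layout: 446 bytes of boot code, four 16-byte partition entries
at offset 0x1BE, and the 55 AA boot signature at offset 0x1FE. The sample
sectors below are constructed here, not captured from a real drive.
"""
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE          # partition table follows the boot code
SIG_OFFSET = 0x1FE            # last two bytes hold the boot signature
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, length


def parse_entry(raw: bytes) -> dict:
    """Decode one partition-table entry into the fields a repair tool cares about."""
    status, ptype, lba_start, sectors = struct.unpack(ENTRY_FORMAT, raw)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a hash of its code and its non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[SIG_OFFSET:] != BOOT_SIGNATURE:
        raise ValueError("missing 55 AA boot signature; the BIOS would not boot this sector")
    code = sector[:TABLE_OFFSET]
    entries = [parse_entry(sector[TABLE_OFFSET + i * ENTRY_SIZE:
                                  TABLE_OFFSET + (i + 1) * ENTRY_SIZE])
               for i in range(4)]
    return {"code_sha256": hashlib.sha256(code).hexdigest(),
            "partitions": [e for e in entries if e["type"] != 0]}


def audit_mbr(sector: bytes, clean_code_sha256: str) -> list:
    """Return findings; an empty list means the code matches the baseline and the table is sane."""
    info = parse_mbr(sector)
    findings = []
    if info["code_sha256"] != clean_code_sha256:
        findings.append("boot code differs from the known-clean baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition entry with zero start or length")
    return findings


def rewrite_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """What FDISK /MBR does: replace the 446 code bytes, keep the table and signature as found."""
    return clean_code[:TABLE_OFFSET].ljust(TABLE_OFFSET, b"\x00") + sector[TABLE_OFFSET:]


def build_mbr(code: bytes, entries: list) -> bytes:
    """Assemble a sector from code bytes and (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack(ENTRY_FORMAT, s, t, start, length)
                     for s, t, start, length in entries)
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")
    return code.ljust(TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


# Constructed samples. CLEAN_CODE stands in for the stock DOS MBR loader, VIRUS_CODE for a virus stub.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100
VIRUS_CODE = b"\xEB\x1E\x90" + b"\xCC" * 200
ACTIVE_FAT16 = (0x80, 0x06, 63, 2064321)        # one active FAT16 partition starting at LBA 63

CLEAN_MBR = build_mbr(CLEAN_CODE, [ACTIVE_FAT16])
CLEAN_HASH = hashlib.sha256(CLEAN_MBR[:TABLE_OFFSET]).hexdigest()

# Case 1: the virus replaced the code but copied the partition table into place unchanged.
INFECTED_CODE_ONLY = build_mbr(VIRUS_CODE, [ACTIVE_FAT16])
# Case 2: the virus replaced the code and stashed the table elsewhere, leaving zeros behind.
INFECTED_TABLE_GONE = build_mbr(VIRUS_CODE, [])


if __name__ == "__main__":
    for name, mbr in [("clean", CLEAN_MBR), ("infected, table intact", INFECTED_CODE_ONLY),
                      ("infected, table gone", INFECTED_TABLE_GONE)]:
        print(name, "->", audit_mbr(mbr, CLEAN_HASH) or "ok")
        repaired = rewrite_boot_code(mbr, CLEAN_CODE)
        print("   after FDISK /MBR-style rewrite ->", audit_mbr(repaired, CLEAN_HASH) or "ok")
```

Running the script shows the two outcomes the text warns about: in the first infected case the code rewrite alone produces a clean audit, while in the second the code is restored but the audit still reports no active partition, which is exactly the state in which the drive is unbootable and the partitions are gone. A real MBR can be dumped with dd if=/dev/sdX of=mbr.bin bs=512 count=1 and handed to parse_mbr() or audit_mbr(); the baseline hash should be recorded while the machine is known to be clean.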

Creating a System Disk

When disinfecting a boot sector virus, the system should always be booted from a known clean system disk, so that the virus is not already resident in memory while you work. On a DOS-based PC, a bootable system disk can be created on a clean system running the exact same version of DOS as the infected PC. From a DOS prompt, with a blank formatted floppy in drive A:, type:

  • SYS C: A:

and press Enter. SYS takes the source drive first and the destination drive second; this copies the system files from the local hard drive (C:) to the floppy (A:) and writes a boot sector that loads them.

If the floppy has not been formatted, FORMAT A: /S will format it and transfer the system files in one step. On Windows 3.1x systems, the disk is created from DOS exactly as described above. On Windows 95/98 systems, click Start | Settings | Control Panel | Add/Remove Programs, choose the Startup Disk tab, and click "Create Disk". Windows NT has no Startup Disk tab; a DOS boot disk made on a clean DOS or Windows 95/98 machine will still start an NT PC, but DOS can only see FAT partitions, not NTFS ones. Windows 2000 users should insert the Windows 2000 CD-ROM into the CD-ROM drive, click Start | Run, type the CD-ROM drive letter followed by \bootdisk\makeboot a:, and click OK. For example:

  • d:\bootdisk\makeboot a:

Follow the screen prompts to finish creating the bootable disk. Note that the Windows 2000 procedure produces the Windows 2000 Setup disks rather than a DOS disk; they boot into Setup, from which the Recovery Console and its FIXMBR and FIXBOOT commands can be reached. In all cases, once the disk has been created, slide its write-protect tab open before using it, so that booting an infected PC from it cannot infect the disk itself.