How to Deal With Boot Sector Viruses

What to do when you get a boot sector virus

All disks and hard drives are divided into small sectors. The first sector is called the boot sector and contains the Master Boot Record (MBR). The MBR holds the information about where the partitions are located on the drive and how the bootable operating system partition is read. During the boot sequence on a DOS-based PC (Windows), the BIOS searches for specific system files, IO.SYS and MSDOS.SYS. When those files have been located, the BIOS then searches for the first sector on that disk or drive and loads the needed Master Boot Record information into memory. The BIOS passes control to a program in the MBR, which in turn loads IO.SYS. This latter file is responsible for loading the remainder of the operating system.
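The layout just described (446 bytes of boot code, a four-entry partition table, and the 0x55AA signature) is what a defender inspects when checking whether a boot sector has been tampered with. The following Python is an added example, not code from the original article: it parses a 512-byte MBR image and compares it with a baseline taken from a known-clean system. The MBR images are constructed stand-ins, not real boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the bootstrap program
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 must be 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused entry
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": entries,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def check_mbr(baseline: dict, current: dict) -> list:
    """Return findings against the clean baseline; an empty list means no change detected."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing or damaged")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed since baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed since baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable FAT32 (LBA) partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x0C, 2048, 204800)  # start at LBA 2048, 100 MiB
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed images: a few placeholder bytes stand in for real boot code; the
# "tampered" copy has its first bytes overwritten, as an infected sector would be.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = b"\xe9\x00\x01" + CLEAN_MBR[3:]

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(baseline, parse_mbr(image)) or ["no change"])
```

On a live system the sector would be read from the raw device (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux) with administrator rights, after booting from clean media so the virus's stealth code cannot hide the real contents.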

Nearly all Windows 10 PCs use the new EFI GPT boot system, as opposed to the much older BIOS MBR. This guide is mostly historical in nature.

What Is a Boot Sector Virus?

A boot sector virus is one that infects the first sector, i.e., the boot sector, of a removable disk or hard drive. Boot sector viruses can also infect the MBR. The first PC virus in the wild was Brain, a boot sector virus that used stealth techniques to avoid detection. Brain also changed the volume label of the disk drive.

How to Avoid Boot Sector Viruses

Commonly, infected floppies and subsequent boot sector infections result from "shared" diskettes or USB drives and pirated software applications. Boot sector viruses are relatively easy to avoid. Most spread when a user inadvertently leaves removable media that happens to be infected with a boot sector virus in the PC; the next time they boot up, the virus infects the local drive. Most systems allow users to change the boot sequence so that the system always attempts to boot first from the local hard drive (C:\) or CD-ROM drive.

Disinfecting Boot Sector Viruses

Boot sector repair is best accomplished by the use of antivirus software. Because some boot sector viruses encrypt the MBR, improper removal can result in a drive that is inaccessible and a system that won't boot.

However, if you are certain the virus has only affected the boot sector and is not an encrypting virus, the DOS SYS command can be used to restore the first sector. Additionally, the DOS LABEL command can be used to restore a damaged volume label, and FDISK /MBR will replace the MBR. None of these methods is recommended, however. Antivirus software remains the best tool for cleanly and accurately removing boot sector viruses with minimal threat to data and files.

Creating a System Disk

When disinfecting a boot sector virus, the system should always be booted from a known clean system disk. This usually means a bootable Windows install DVD or USB.

Historically, on a DOS-based PC, a bootable system disk could be created on a clean system running exactly the same version of DOS or Windows as the infected PC. From a command prompt, you would enter:

SYS C:\ A:\

This will copy the system files from the local hard drive (C:\) to the floppy drive (A:\). For USB drives, your drive letter may be D:, E:, or some other letter. Make sure to change the drive letter to the removable media you are using.

If the disk or drive has not been formatted, FORMAT /S will format it and transfer the necessary system files.

On Windows 10, 8.1, 8, and 7, you can use a third-party tool such as Rufus to create a bootable USB drive. Once you have a bootable USB drive, booting from it and cleaning your drive with antivirus software, or following the commands above, is the final step.
