All disks and hard drives are divided into small sectors. On a hard drive the first sector holds the Master Boot Record (MBR): a small bootstrap program followed by the partition table, which records where each partition starts on the drive and which one is marked active (bootable). A floppy has no partition table; its first sector is the boot sector (DOS boot record) of the volume itself, and each hard-drive partition likewise has its own boot sector at its start. During the boot sequence on a DOS-based PC (Windows 3.x/9x), the BIOS reads the first sector of the boot device into memory and passes control to the code found there. On a hard drive the MBR code locates the active partition and loads that partition's boot sector; the boot sector code then looks for the DOS system files IO.SYS and MSDOS.SYS and loads IO.SYS, which is responsible for loading the remainder of the operating system. Because this code runs before any operating system or antivirus software is loaded, a virus that replaces it gets control of the PC on every boot.
What Is a Boot Sector Virus?
A boot sector virus is one that infects the first sector, i.e., the boot sector, of a removable disk or of a hard drive partition. Boot sector viruses can also infect the MBR, and some infect both. The first PC virus in the wild was Brain (1986), a boot sector virus that used stealth techniques to avoid detection: it intercepted disk reads of the infected boot sector and returned the original clean sector it had stashed elsewhere on the disk. Brain also changed the volume label of the infected disk.
How to Avoid Boot Sector Viruses
Infected floppies, and the boot sector infections they cause, commonly come from "shared" diskettes or USB drives and from pirated software. Boot sector viruses are relatively easy to avoid. Most spread when a user inadvertently leaves an infected removable disk in the PC: the next time the PC is booted, the BIOS boots from that disk first, the virus code runs and infects the local hard drive. Most systems allow users to change the boot sequence in the BIOS setup so that the system always attempts to boot first from the local hard drive (C:\) and only boots from removable media when that is explicitly chosen.
Disinfecting Boot Sector Viruses
Boot sector repair is best accomplished with antivirus software. Because some boot sector viruses encrypt or relocate the MBR and partition table, improper removal can leave the drive inaccessible. If you are certain the virus has only affected the boot sector and is not an encrypting virus, the DOS SYS command can be used to rewrite the boot sector; the DOS LABEL command can restore a damaged volume label, and FDISK /MBR will rewrite the master boot code. None of these manual methods is recommended, however. Antivirus software remains the best tool for cleanly and accurately removing boot sector viruses with minimal risk to data and files.
Creating a System Disk
When disinfecting a boot sector virus, the system should always be booted from a known-clean system disk. On a DOS-based PC, a bootable system disk can be created on a clean system running the exact same version of DOS/Windows as the infected PC. From a command prompt, enter:
SYS C: A:
and press Enter. This copies the system files from the local hard drive (C:) to the floppy drive (A:). For USB drives, your drive letter may be D:, E:, or some other letter; substitute the letter of the removable media you are using.
If the disk or drive has not been formatted, FORMAT A: /S will format it and transfer the necessary system files in one step. Windows 10, 8.1, 8 and 7 have no SYS command, but you can use a third-party tool such as Rufus to create a bootable USB drive. Once you have a bootable disk or USB drive, boot from it and clean the infected drive with antivirus software or with the commands above.
Removing Viruses
The first step is the same for any computer virus, no matter what the type: always try a commercial antivirus scanner to remove it. In some cases, such as NTFS volumes, you may need to boot to the volume first and then run the antivirus scanner. In Windows 2000, AVBOOT is a good, no-frills boot virus remover if it is kept up to date. After that first step, the type of virus determines what follows. The steps after this point assume you don't have an antivirus scanner, or that it did not recognize and remove the virus.
Removing most boot and MBR viruses involves many of the same steps as presented in Chapter 2. The hardest part in a Windows world is determining which type of boot floppy you have to use to clean the virus and restore the boot areas to their clean state: each of the Windows file systems, FAT, VFAT, FAT32, and NTFS, has its own boot sector and boot files.
First, you need to boot with a known-clean, write-protected diskette whose operating system can read the infected disk partition. A DOS or Windows 95 (FAT16) boot disk cannot read a FAT32 volume, and no DOS-based boot disk can read an NTFS partition; a Windows 98 boot disk reads both FAT16 and FAT32, but still not NTFS.
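Choosing the right boot disk starts with knowing which file system the infected volume's boot sector describes. The following Python example is added here and is not part of the original text: it reads a 512-byte volume boot sector (the first sector of a floppy or of a partition, not the MBR), identifies FAT12, FAT16 or FAT32 from the BIOS Parameter Block using the cluster-count thresholds in Microsoft's FAT specification, or NTFS from its OEM ID, and pulls out the volume label that a virus like Brain may have altered. The four sample sectors are constructed inline, and the `boot_disk_for` mapping simply encodes which of the boot floppies discussed in this section can read each type.

```python
"""Identify the file system described by a 512-byte volume boot sector.

Added example (not from the original text). The sample boot sectors below are
constructed inline; the layouts are the standard FAT BIOS Parameter Block and
the NTFS OEM ID, and the FAT12/16/32 decision uses the cluster-count thresholds
from Microsoft's FAT specification.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
# bytes/sector, sectors/cluster, reserved sectors, number of FATs,
# root directory entries, total sectors (16-bit), media descriptor, sectors/FAT (16-bit)
BPB_FORMAT = "<HBHBHHBH"
BPB_OFFSET = 11


def identify_boot_sector(sector: bytes) -> dict:
    """Return {'fs', 'oem', 'label', 'fstype', ...} for a volume boot sector."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid boot sector (bad size or missing 0x55AA)")
    oem = sector[3:11].decode("ascii", "replace").rstrip()
    if sector[3:11] == b"NTFS    ":
        # NTFS keeps its volume label in the $Volume metadata file, not in the boot sector.
        return {"fs": "NTFS", "oem": oem, "label": None, "fstype": "NTFS"}

    (bps, spc, reserved, fats, root_entries,
     total16, _media, spf16) = struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)
    (total32,) = struct.unpack_from("<I", sector, 32)
    if bps == 0 or spc == 0 or fats == 0:
        raise ValueError("no usable BIOS Parameter Block: not a FAT volume")
    spf = spf16 or struct.unpack_from("<I", sector, 36)[0]   # FAT32 stores sectors/FAT at 36
    total = total16 or total32
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps    # always 0 on FAT32
    data_sectors = total - (reserved + fats * spf + root_dir_sectors)
    clusters = data_sectors // spc
    # The cluster count, not the type string on disk, decides the FAT variant.
    if clusters < 4085:
        fs, label_off = "FAT12", 43
    elif clusters < 65525:
        fs, label_off = "FAT16", 43
    else:
        fs, label_off = "FAT32", 71
    label = sector[label_off:label_off + 11].decode("ascii", "replace").rstrip()
    fstype = sector[label_off + 11:label_off + 19].decode("ascii", "replace").rstrip()
    return {"fs": fs, "oem": oem, "label": label, "fstype": fstype, "clusters": clusters}


def boot_disk_for(fs: str) -> str:
    """Which clean boot floppy from this section can read a volume of this type."""
    return {
        "FAT12": "DOS / Windows 3.x / Windows 9x boot floppy",
        "FAT16": "DOS / Windows 3.x / Windows 9x boot floppy",
        "FAT32": "Windows 98 (FAT32) boot floppy",
        "NTFS": "Windows NT boot floppy or NT setup diskettes",
    }[fs]


def _sample(oem, bps, spc, reserved, fats, root_entries, total16, media, spf16,
            total32=0, spf32=0, label=None, fstype=b"", jump=b"\xEB\x3C\x90"):
    """Build a constructed boot sector with the given BPB fields (sample data only)."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = jump
    s[3:11] = oem.ljust(8)[:8]
    struct.pack_into(BPB_FORMAT, s, BPB_OFFSET,
                     bps, spc, reserved, fats, root_entries, total16, media, spf16)
    struct.pack_into("<I", s, 32, total32)
    if spf32:
        struct.pack_into("<I", s, 36, spf32)
    if label is not None:
        off = 71 if spf32 else 43
        s[off:off + 11] = label.ljust(11)[:11]
        s[off + 11:off + 19] = fstype.ljust(8)[:8]
    s[510:512] = BOOT_SIGNATURE
    return bytes(s)


# Constructed samples: a 1.44 MB floppy, FAT16 and FAT32 hard-disk partitions, and an NTFS partition.
FLOPPY_144 = _sample(b"MSWIN4.1", 512, 1, 1, 2, 224, 2880, 0xF0, 9, label=b"SYSDISK", fstype=b"FAT12")
FAT16_PART = _sample(b"MSWIN4.1", 512, 16, 1, 2, 512, 0, 0xF8, 245,
                     total32=1_000_000, label=b"DRIVE_C", fstype=b"FAT16")
FAT32_PART = _sample(b"MSWIN4.1", 512, 8, 32, 2, 0, 0, 0xF8, 0,
                     total32=4_000_000, spf32=3907, label=b"WIN98", fstype=b"FAT32")
NTFS_PART = _sample(b"NTFS", 512, 8, 0, 0, 0, 0, 0xF8, 0, jump=b"\xEB\x52\x90")

if __name__ == "__main__":
    for name, sec in [("floppy", FLOPPY_144), ("fat16", FAT16_PART),
                      ("fat32", FAT32_PART), ("ntfs", NTFS_PART)]:
        info = identify_boot_sector(sec)
        print(f"{name}: {info['fs']} label={info['label']!r} -> {boot_disk_for(info['fs'])}")
```

Run it against a real sector dump (for example one saved with DISKSAVE, as described later in this section) by replacing the constructed samples with the 512 bytes read from the file. The check on the 0x55AA signature and the BPB sanity test matter on an infected disk: a virus that has overwritten the boot sector with its own loader often leaves a sector with no valid BPB, and the function then raises instead of reporting a bogus file system.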
Tip
If the boot virus or the damage it can cause is unknown and your boot floppy gets you access to the disk partition, copy any crucial files that have not been backed up to diskette first. There is always a small chance that the cleaning process will make things worse and leave the partition inaccessible. If you cannot access the disk partition through a boot disk, you might have to reinstall the operating system and restore data from tape.
- Making a 3.x or 9x boot floppy
For Windows 3.x and Windows 9x systems with FAT and VFAT, you can create a boot disk with SYS A: or FORMAT A: /S at the command-line prompt. In Windows 9x you can also use My Computer → right-click Floppy A: → Format and choose Copy system files to accomplish the same thing. I then copy SYS.COM, FORMAT.EXE, and FDISK.EXE to the disk to use in troubleshooting.
- Making a Windows 98 FAT32 emergency boot floppy
The Windows 98 install CD-ROM contains a folder called \TOOLS\MTSUTIL\FAT32EBD. It contains a file, FAT32EBD.EXE, that will create a FAT32 Emergency Boot Floppy diskette. You can also make a more comprehensive boot floppy in Windows 9x by making a Startup Diskette during the install process, or at any time by choosing Start → Settings → Control Panel → Add/Remove Programs → Startup Disk. As with the other boot disk options in this section, write-protect the diskette so that it cannot itself become infected.
- Making a Windows NT boot floppy
Format a floppy disk on a Windows NT computer. Copy NTLDR, BOOT.INI, NTDETECT.COM, and NTBOOTDD.SYS (needed only for SCSI adapters with the BIOS disabled) to the floppy. If needed, modify BOOT.INI so that the ARC path (disk controller, disk drive, partition) points to the system partition on the NT computer. You can then use the floppy to start Windows NT or 2000 and bypass the corrupted boot files on the hard drive: only the boot files necessary to reach the NT partition are loaded off the floppy, and the rest of the startup files are loaded directly from the hard drive. If NTOSKRNL.EXE or other boot files on the hard drive are corrupt, you will need to run NT's repair option to fix them.
- Using SYS and FDISK
With Windows 3.x and 9x you can run SYS C: from a clean boot floppy to restore the boot sector, or FDISK /MBR to restore the master boot record. The same rules of when and when not to run these commands that were presented in Chapter 2 apply. Don't run FDISK /MBR unless you know doing so will not harm the disk.
Warning
Don't use FDISK /MBR with Windows NT! Using FDISK to restore the Master Boot Record can have disastrous consequences in NT and 2000. FDISK /MBR rewrites only the master boot code, not the partition table, but the NT disk signature is stored inside the region it rewrites and is overwritten along with the code. If your computer has NT fault-tolerant disks, running FDISK /MBR can remove the redundancy. It's better to be safe than sorry, so don't run FDISK /MBR in an NT or 2000 environment.
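The MBR layout described at the top of this page, and the reason this warning exists, can both be seen in a few lines of code. The following Python example is added here and is not from the original text or from any Microsoft tool: it parses a 512-byte MBR using the standard layout (bootstrap code from byte 0, the 4-byte NT/2000 disk signature at offset 0x1B8, four 16-byte partition entries at 0x1BE, and the 0x55AA signature in the last two bytes), finds the active partition that the MBR code would boot, hashes the boot code so it can be compared with a known-good copy, and then models what FDISK /MBR does: it rewrites the first 446 bytes and leaves the partition table alone, which is exactly why the disk signature at 0x1B8 does not survive. The sample MBR and the "infected" and "clean" boot code are constructed placeholders, not real virus or FDISK code.

```python
"""Parse a Master Boot Record and show what FDISK /MBR rewrites.

Added example (not from the original text). Sample MBRs are constructed inline;
the 'infected' and 'clean' boot code are placeholder bytes, not real virus or
FDISK code. Offsets are the standard MBR layout: bootstrap code at 0, the 4-byte
NT/2000 disk signature at 0x1B8, four 16-byte partition entries at 0x1BE and
the 0x55AA signature at 0x1FE.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446        # FDISK /MBR rewrites bytes 0..445 and leaves the rest alone
DISK_SIG_OFFSET = 0x1B8    # NT/2000 disk signature: inside the region FDISK /MBR rewrites
PART_TABLE_OFFSET = 0x1BE
BOOT_SIGNATURE = b"\x55\xAA"


def is_valid_mbr(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return the disk signature and the non-empty partition entries."""
    if not is_valid_mbr(sector):
        raise ValueError("not an MBR: wrong size or missing 0x55AA signature")
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)
    partitions = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"disk_signature": disk_sig, "partitions": partitions}


def active_partition(sector: bytes):
    """The entry the MBR boot code would hand control to (status byte 0x80), or None."""
    return next((p for p in parse_mbr(sector)["partitions"] if p["bootable"]), None)


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only, for comparison with a known-good baseline."""
    return hashlib.sha256(sector[:DISK_SIG_OFFSET]).hexdigest()


def fdisk_mbr(sector: bytes, clean_code: bytes) -> bytes:
    """Model FDISK /MBR: replace bytes 0..445 with fresh boot code, keep the partition table."""
    if not is_valid_mbr(sector) or len(clean_code) > BOOT_CODE_END:
        raise ValueError("bad MBR or boot code longer than 446 bytes")
    out = bytearray(sector)
    out[:BOOT_CODE_END] = clean_code.ljust(BOOT_CODE_END, b"\x00")
    return bytes(out)


def build_mbr(boot_code: bytes, disk_signature: int, entries) -> bytes:
    """Construct a sample MBR; entries are (status, type, lba_start, sector_count)."""
    if len(boot_code) > DISK_SIG_OFFSET:
        raise ValueError("boot code would overlap the disk signature")
    s = bytearray(SECTOR_SIZE)
    s[:len(boot_code)] = boot_code
    struct.pack_into("<I", s, DISK_SIG_OFFSET, disk_signature)
    for i, (status, ptype, lba_start, count) in enumerate(entries[:4]):
        # CHS fields filled with 0xFF as LBA-only tools do; sample data only.
        struct.pack_into("<B3sB3sII", s, PART_TABLE_OFFSET + 16 * i,
                         status, b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF", lba_start, count)
    s[510:512] = BOOT_SIGNATURE
    return bytes(s)


# Constructed sample: placeholder boot code (jmp $ followed by a marker string), not real code.
INFECTED_CODE = (b"\xEB\xFE" + b"constructed infected loader").ljust(DISK_SIG_OFFSET, b"\x90")
CLEAN_CODE = (b"\xEB\xFE" + b"constructed clean loader").ljust(DISK_SIG_OFFSET, b"\x90") + b"\x00" * 6
# One active FAT16 (type 0x06) partition starting at sector 63, with an NT-style disk signature.
INFECTED_MBR = build_mbr(INFECTED_CODE, 0xDEADBEEF, [(0x80, 0x06, 63, 1_000_000)])
CLEANED_MBR = fdisk_mbr(INFECTED_MBR, CLEAN_CODE)

if __name__ == "__main__":
    before, after = parse_mbr(INFECTED_MBR), parse_mbr(CLEANED_MBR)
    print("active partition:", active_partition(INFECTED_MBR))
    print("partition table unchanged:", before["partitions"] == after["partitions"])
    print("boot code replaced:", boot_code_digest(INFECTED_MBR) != boot_code_digest(CLEANED_MBR))
    print(f"disk signature before/after: {before['disk_signature']:#x} / {after['disk_signature']:#x}")
```

Running the block shows the partition table surviving the rewrite while the disk signature goes from 0xdeadbeef to 0. A DOS or Windows 9x machine does not care, because nothing there uses that field; NT and 2000 use it to recognise the disk, which is why the same command that is a safe repair on FAT can break an NT installation.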
- Using ERD in Windows NT
Oftentimes an Emergency Repair Disk (ERD) is the only way to recover corrupted NT boot or system files. The ERD must have been created before the infection occurred (using RDISK.EXE /S in NT 4.0). Put your NT installation CD-ROM in the drive and boot from the installation setup diskettes. Select R to repair the NT installation, then choose Inspect boot sector and Restore startup environment. NT's repair option will prompt you for the ERD when appropriate. If you have a boot or MBR virus, one of these cleaning techniques should remove the malicious code.
Tip
Windows 2000 offers a Manual Repair and a Fast Repair in the Emergency Repair process. Both do the same thing, but Fast Repair does it without a lot of prompting.
- Using Windows 2000 Recovery Console
You can replace a corrupted MBR or boot sector using Windows 2000's new Recovery Console. Start the computer from the Windows 2000 Setup CD-ROM or floppy diskettes. Press Enter at the Setup Notification screen, then R to repair, then C to access the Recovery Console. It asks you to select the valid Windows 2000 installation and prompts you for the local administrator's password, after which you can type commands in the console window. Type FIXMBR to overwrite the master boot code with a new copy, or FIXBOOT to write a new boot sector to the system partition.
- DiskProbe and DiskSave
The Windows NT Server Resource Kit CD-ROM contains two vital disk-editing utilities, DISKPROBE.EXE and DISKSAVE.EXE. Both can be used to back up, fix, and restore boot sectors, the MBR, and partition tables. Although both come with copious instructions, they are not for novices. With DiskProbe you work directly with the hexadecimal contents of the disk, compare what you find with what should be there, and make modifications. DISKSAVE is the easier of the two: it allows single-keystroke saves and restores of the boot sector, MBR, and partition table. DISKSAVE must be run from a DOS prompt, and saved sectors are stored as binary file images. I've used DISKSAVE to send other researchers virus-infected boot sectors through email.
Unable to Upgrade to Windows 95/98 due to BIOS Boot Sector Virus Protection
Last updated on February 27, 1999
The problem
Some BIOS manufacturers have put Virus Protection in their products. Any time software requests (via the BIOS hard disk interface, Int 13h) to write the Master Boot Record or the DOS Boot Record of drive C:, a warning is issued to prompt the user whether it is safe to continue: there may be a boot sector virus at work!
When installing Windows 95, Setup needs to write to the DOS Boot Record. The same is true for Windows 98, except when upgrading from Windows 95. If the BIOS Virus Warning is still enabled, Setup will fail just after you accept the License Agreement. In addition, no Virus Warning will be visible, because Win95/98 Setup has put the display in graphics mode; this leaves the user guessing what's wrong! After a reboot you will see a message telling you to disable all virus protection on your system.
The solution should be simple: just disable the Virus Warning via the CMOS Setup before installing Windows 95/98. There are, however, BIOSs where this is not possible!
I have had reports from the AMI 11/11/92 BIOS but most reports come from specific OEM versions of the Award Modular BIOS v4.50, v4.50G, v4.50PG, and v4.51PG.
Solution 1.
For the Award Modular BIOS, I have written a program to restore your control over the BIOS Virus Protection. You can download it here; it is called VIRWARN (5.4 KB ZIP file). The program is now at version 1.2 (10/10/97) and comes with a text file with more information.
VIRWARN is unable to control the Virus Warning feature on non-Award BIOSs, but it will allow you to test for an active Virus Warning on all BIOS brands.
Solution 2.
To install Windows 95/98 if you do not have an Award BIOS, or if my VIRWARN program is not able to switch the Virus Warning off, you need this workaround:
- Use the undocumented command Setup /ir to prevent Win95/98 Setup from writing to the boot areas.
- Create an Emergency disk during installation (you will be prompted).
- Boot from this disk when Setup has finished.
- From the A:\> prompt give the command SYS C: and type 'Y' to accept the modification of the boot sector if the Virus Warning pops up.
- Remove the Emergency disk. You should now be able to boot and run Windows 95/98 from your hard disk.
Some final remarks
The boot sector Virus Warning feature of the BIOS will only warn you of write actions to the Master Boot Record or to the DOS Boot Record on your C: drive. Programs that write to these areas include boot sector viruses, the Setup program of operating systems, the Install program of Disk Manager/EZ-Drive, disk repair utilities, boot managers, and the DOS programs FDISK and FORMAT. The BIOS Virus Warning is only intended to protect these vital disk areas against the mentioned viruses, and you should switch it OFF when (re-)installing a new operating system or hard disk. Also use other anti-virus software/hardware to protect your system against other kinds of viruses!
Note that with Windows 95/98 running, the BIOS Virus Warning does not work, because this OS uses its own protected-mode disk driver and the BIOS hard disk interface is not used any more (except in safe or compatibility mode). On the issue of boot sector virus protection in Windows 95 you may like to read the Microsoft Knowledge Base article Q143281.
												
												
Warning: If you are not completely comfortable with the following procedure, do not attempt it. Any mistakes you make can lead to the loss of data or cause your computer to malfunction. Do not use the fdisk utility to repair your Master Boot Record if you are using any of the following:
- Windows XP
- Windows NT
- Windows 2000
- Unix
- Linux
- Third-party boot partition programs (e.g., System Commander, PartitionMagic)
- Multiboot systems that require you to choose the operating system during the boot-up process
Entering fdisk /mbr may erase important boot sector information, render your hard disk unusable, and result in the loss of data. Contact the manufacturer's support personnel to determine the problem and the correct solution.
Repairing the Master Boot Record
Damage to the Master Boot Record can occur because of virus activity, problems installing software, or errors during system installation. Some symptoms of a problem are:
- When you boot your PC, you get a message stating that setup was not completed for a program.
- Your computer hangs. It does not produce the DOS prompt or an opening screen.
If you are running DOS 5.0 or later, Windows 95, Windows 98, or Windows Me, you can use the fdisk utility to try to repair the Master Boot Record. When you use fdisk with the /mbr parameter, the master boot code is rewritten to the hard disk without altering the partition table information on the disk. To run this utility, follow these steps:
- Boot your PC with a bootable floppy that has the fdisk program on it. See the Knowledge Base document "ARCHIVED: In Windows 95, 98, or Me, how do I make a startup (system recovery) disk?"
- At the DOS prompt, enter: fdisk /mbr
  This accesses the hard drive for a short time, after which a new DOS prompt appears.
- Remove the floppy and reboot.