ARCHIVED: What are boot sector viruses, and how can I prevent them?
What boot sector viruses do
Boot sector viruses infect or substitute their own code for either the DOS boot sector or the Master Boot Record (MBR) of a PC. The MBR is a small program that runs every time the computer starts up. It controls the boot sequence and determines which partition the computer boots from. The MBR generally resides on the first sector of the hard disk.
Since the MBR executes every time a computer is started, a boot sector virus is extremely dangerous. Once the boot code on the drive is infected, the virus will be loaded into memory on every startup. From memory, the boot virus can spread to every disk that the system reads. Boot sector viruses are typically very difficult to remove, as most antivirus programs cannot clean the MBR while Windows is running. In most cases, it takes bootable antivirus disks such as a Symantec/Norton AntiVirus (SAV/NAV) rescue set to properly remove a boot sector virus.
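As an added example (not from the original article), the following Python checks a 512-byte MBR image against the layout described above: boot code in bytes 0 to 445, four 16-byte partition entries, and the 0x55AA signature at the end, and flags a boot record whose code no longer matches a known-good hash. The sample records and the SHA-256 baseline are constructed here for illustration.

```python
# Added example, not from the original article: parse a 512-byte MBR image,
# verify the 0x55AA boot signature and partition table, and compare the
# 446-byte boot-code region against a known-good SHA-256 baseline.
import hashlib
import struct

BOOT_CODE_LEN = 446           # bytes 0..445 hold the code the BIOS executes
PART_TABLE_OFF = 446          # four 16-byte partition entries follow it
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_partitions(mbr: bytes) -> list:
    """Return (active, type, first_lba, sector_count) for each used entry."""
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append((status == 0x80, ptype, lba, count))
    return entries

def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Validate the MBR structure and report whether its boot code still matches the baseline."""
    if len(mbr) != 512:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = parse_partitions(mbr)
    return {
        "signature_ok": mbr[510:] == BOOT_SIGNATURE,
        "active_entries": sum(1 for p in parts if p[0]),
        "partitions": parts,
        "boot_code_modified":
            hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != baseline_sha256,
    }

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR: padded boot code, one active FAT16 partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    # status 0x80 (active), dummy CHS fields, type 0x06 (FAT16), start LBA 63, 204800 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x0c", 63, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed sample data: a clean record and the same record with its first
# bytes overwritten, standing in for an infected boot sector.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = b"\xeb\x3c" + CLEAN_MBR[2:]

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE))
```

In practice the baseline hash would be recorded from a freshly installed system and the image read with a tool that accesses the raw first sector offline, since the article notes the MBR cannot be reliably cleaned or trusted while the infected system is running.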
Some common boot sector viruses include Monkey, NYB (also known as B1), Stoned, and Form.
Symptoms
A boot sector virus can cause a variety of boot or data retrieval problems. In some cases, data disappear from entire partitions. In other cases, the computer suddenly becomes unstable. Often the infected computer fails to start up or to find the hard drive. Also, error messages such as "Invalid system disk" may become prevalent.
How they spread
Boot sector viruses are usually spread by infected floppy disks. In the past, these were usually bootable disks, but this is no longer the case. A floppy disk does not need to be bootable to transmit a boot sector virus. Any disk can cause infection if it is in the drive when the computer boots up or shuts down. The virus can also be spread across networks from file downloads and from email file attachments. In most cases, all write-enabled floppies used on an infected PC will themselves pick up the boot sector virus.
In the past, setting the computer to boot first from the C: (hard) drive and then the A: (floppy) drive, or never to boot from the A: drive at all, was a reasonable precaution against boot sector viruses. This is no longer the case, as viruses are now more dangerous and spread in more ways.
You can configure some CMOS setups to prevent writing to the boot sector of the hard drive. This may be of some use against boot sector viruses. However, if you need to reinstall or upgrade the operating system, you will have to change the setting back to make the MBR writable again.
For more information on boot sector viruses and viruses in general, see:
http://www.faqs.org/faqs/by-newsgroup/comp/comp.virus.html
Precautions and damage control
Prevention is usually a matter of vigilance and avoiding contact with unknown disks. The following suggestions will help keep your systems and data safe:
- The best protection against boot sector viruses is the same as against viruses in general: a good antivirus program with up-to-date virus definitions. Antivirus programs do two key things:
  - Scan for and remove viruses in files on disks
  - Monitor the operation of your computer for virus-like activity and look for known actions of specific viruses or general suspicious activity
Note: The University Information Security Office (UISO) recommends that you run the latest version of Symantec/Norton AntiVirus software (available to IU students, faculty, and staff for free via IUware) for your operating system, being sure to upgrade safely (see In Windows, how do I safely upgrade to the latest Symantec Endpoint or AntiVirus software?), and to update your virus definitions daily and scan your computer weekly. For instructions, see:
- Windows: In Symantec/Norton AntiVirus for Windows, how do I schedule automatic LiveUpdates and virus scans?
- Mac OS and OS X: In Symantec AntiVirus 10 for Mac OS X, how do I schedule automatic LiveUpdates and virus scans?
- Back up your files, so that you can restore them if a virus damages them.
Note: If you back up a file that is already infected with a virus, you can re-infect your system by restoring files from the backup copies. Check your backup files with virus scanning software before using them.
- Keep your original application and system disks locked (write-protected). This will prevent a virus from spreading to your original disks.
- If you must insert one of your application floppy disks into an unknown computer, lock it first. Unlock your application disk only after verifying that the computer is free of viruses.
- Obtain public-domain software from reputable sources. Don't download software directly to a hard disk. Rather, save it to a floppy disk, lock the floppy disk, and check it thoroughly using reputable virus detection software. Don't copy it to your hard disk until you know it is safe. This can also help protect you from Trojan horse programs.
- Quarantine any infected computer. If you discover that a computer is infected with a virus, immediately isolate it from other computers. In other words, disconnect it from any network it is on. Don't allow anyone to copy or move files from it until the entire system has been reliably disinfected.
Some of this information was adapted from an article in the UITS publication Computing Times Online.
Last modified on November 01, 2008.