ARCHIVED: What are boot sector viruses, and how can I prevent them?
On this page:
What boot sector viruses do
Boot sector viruses infect or substitute their own code for either the DOS boot sector or the Master Boot Record (MBR) of a PC. The MBR is a small program that runs every time the computer starts up. It controls the boot sequence and determines which partition the computer boots from. The MBR generally resides on the first sector of the hard disk.
Since the MBR executes every time a computer is started, a boot sector virus is extremely dangerous. Once the boot code on the drive is infected, the virus will be loaded into memory on every startup. From memory, the boot virus can spread to every disk that the system reads. Boot sector viruses are typically very difficult to remove, as most antivirus programs cannot clean the MBR while Windows is running. In most cases, it takes bootable antivirus disks such as a Symantec/Norton AntiVirus (SAV/NAV) rescue set to properly remove a boot sector virus.
Some common boot sector viruses include Monkey, NYB (also known as B1), Stoned, and Form.
A boot sector virus can cause a variety of boot or data retrieval problems. In some cases, data disappear from entire partitions. In other cases, the computer suddenly becomes unstable. Often the infected computer fails to start up or to find the hard drive. Also, error messages such as "Invalid system disk" may become prevalent.
How they spread
Boot sector viruses are usually spread by infected floppy disks. In the past, these were usually bootable disks, but this is no longer the case. A floppy disk does not need to be bootable to transmit a boot sector virus. Any disk can cause infection if it is in the drive when the computer boots up or shuts down. The virus can also be spread across networks from file downloads and from email file attachments. In most cases, all write-enabled floppies used on an infected PC will themselves pick up the boot sector virus.
In the past, setting the computer to boot first from the
C: (hard) drive and then the
drive, or never to boot from the
A: drive at all, was a
reasonable precaution against boot sector viruses. This is no longer
the case, as viruses are now more dangerous and spread in more ways.
You can configure some CMOS setups to prevent writing to the boot sector of the hard drive. This may be of some use against boot sector viruses. However, if you need to reinstall or upgrade the operating system, you will have to change the setting back to make the MBR writable again.
For more information on boot sector viruses and viruses in general, see:http://www.faqs.org/faqs/by-newsgroup/comp/comp.virus.html
Precautions and damage control
Prevention is usually a matter of vigilance and avoiding contact with unknown disks. The following suggestions will help keep your systems and data safe:
- The best protection against boot sector viruses is the same as
against viruses in general: a good antivirus program with up-to-date
virus definitions. Antivirus programs do two key things:
- Scan for and remove viruses in files on disks
- Monitor the operation of your computer for virus-like activity and look for known actions of specific viruses or general suspicious activity
Note: The University Information Security Office (UISO) recommends that you run the latest version of Symantec virus protection software (available to IU students, faculty, and staff free of charge via IUware) for your operating system; See In Windows, how do I safely upgrade to the latest security software? Be sure to upgrade safely, update your virus definitions daily, and scan your computer weekly. Check the software help for instructions.
- Back up your files, so that you can restore them if a virus
Note: If you back up a file that is already infected with a virus, you can re-infect your system by restoring files from the backup copies. Check your backup files with virus scanning software before using them.
- Keep your original application and system disks locked
(write-protected). This will prevent a virus from spreading to your
- If you must insert one of your application floppy disks into an
unknown computer, lock it first. Unlock your application disk only
after verifying that the computer is free of viruses.
- Obtain public-domain software from reputable sources. Don't
download software directly to a hard disk. Rather, save it to a floppy
disk, lock the floppy disk, and check it thoroughly using reputable
virus detection software. Don't copy it to your hard disk until you
know it is safe. This can also help protect you from
Trojan horse programs.
- Quarantine any infected computer. If you discover that a computer is infected with a virus, immediately isolate it from other computers. In other words, disconnect it from any network it is on. Don't allow anyone to copy or move files from it until the entire system has been reliably disinfected.
Some of this information was adapted from an article in the UITS publication Computing Times Online.
Last modified on August 30, 2010.