Before discussing what a boot sector virus does, let’s first take a look at what a boot sector is. A floppy disk or hard drive is comprised of many segments and clusters of segments, which (in the case of a hard drive) may be separate by partitions. There has to be a way to find all the data spread across these segments, hence the boot sector operates as a virtual rendition of a library’s Dewey Decimal system. Each disk also has a Master Boot Record or (MBR) that locates and runs the first of any necessary operating system files needed to facilitate operation of the disk. When a disk is read, it first seeks the MBR, which then passes control to the boot sector, which in turn provides pertinent information regarding what is located on the disk and where it is located. The boot sector also maintains the information that identifies the type and version of the operating system the disk was formatted with.
This is a highly simplistic overview of the boot sector function, but it serves our purpose well as it underscores the critical nature of the MBR and boot sector.
Obviously, a boot sector or MBR virus that invades this space on the disk puts the entire operation of that disk at risk.
A boot sector virus is spread via infected floppy disks. This typically occurs when users inadvertently leave a floppy disk in drive A. When the system is next started, the PC will attempt to boot from the floppy. If the disk is infected with a boot sector virus, that virus will infect the boot sector of the user’s local drive (C). Unless the floppy disk happens to be a bootable system disk, the user will simply see a standard warning that the drive contains a “non-system disk or disk error” and the user will be prompted to “replace the disk and press any key when ready”.
This is a standard error message and is not in and of itself indicative of a boot sector infection. All it means is that a non-bootable disk is contained in the drive the computer is first trying to boot from.
Most users will realize a floppy has been left in the drive, remove it, and reboot the system, unaware they may have just infected their system with a boot sector virus. Of course, if the disk was bootable, they would not receive the error noted above, but will simply be booted to a DOS screen.
Care should be taken to ensure that any bootable floppies have been checked for the presence of boot sector viruses and these disks should be write-protected to ensure no future infection takes place.
Even non-bootable disks can spread a boot sector infection when they are accessed. Further, a boot sector infected hard drive will also infect any floppies used in the system. Where applicable, use write-protected floppies to protect against this.
To write-protect a floppy disk, hold it so that the metal plate is facing downwards. Along the top edge there may be an “open” square. Look closely and you will find a small cover that can be pushed back and forth over the open square. If the cover is closed, i.e. the square is covered, the disk can be written to. If the cover is open, i.e. the square is not covered, the disk cannot be written to and is considered write-protected.
Of course, you would not want to write-protect floppies you use to copy files to, as you would receive a write protection error the next time you attempted the copy.
Most of today’s PCs no longer seek out the floppy drive during bootup, instead using the CD-ROM drive as the first boot device. This can be configured via the system CMOS screen to change the boot sequence to check the hard drive first, the CD-ROM drive second, and the floppy drive third, if at all.
Changing settings in CMOS incorrectly can result in system failure and should not be attempted by inexperienced users. Instructions for accessing the CMOS configuration screen for your PC can generally be found in the motherboard manual.
The first boot sector virus was discovered in 1986. Dubbed Brain, the virus originated in Pakistan and operated in full-stealth mode, infecting 360Kb floppies.
Perhaps the most infamous of this class of viruses was the Michelangelo virus discovered in March 1991. Michelangelo was a MBR and boot sector infector with a March 6th payload overwriting critical drive sectors. Michelangelo was the first virus to attract a large amount of media focus.