How to collect Master Boot Record for submission to Symantec Security Response

Article:TECH93277  |  Created: 2009-01-02  |  Updated: 2014-10-13  |  Article URL http://www.symantec.com/docs/TECH93277
Article Type
Technical Solution


Issue



You have reason to suspect that a Master Boot Record (MBR) threat has compromised your computer, and want to know how to collect the MBR for analysis by Symantec Security Response.


Solution



Either a Symantec tool called MBRUtil or a Microsoft tool called Sector Inspector should be able to gather the required data.

MBRUtil
Originally developed by PowerQuest, Symantec's tool MBRUtil can be run to collect the MBR data for forwarding to the Security Response team. This tool has been tested on Windows XP, Windows Vista and Windows Server 2003.

Detailed steps:

1. Download ftp://ftp.symantec.com/public/english_us_canada/tools/pq/utilities/head.zip and save it to the root of the local hard drive. Unzip head.zip to extract the contents.

2. Open a command prompt and run this command:

C:\> MBRUtil /S=MyMBR.dat

3. A file named MyMBR.dat will be created in the C:\ drive. Upload this file to our submission server, using the appropriate link based on support entitlement.  (See the Connect article Symantec Insider Tip: Successful Submissions! for additional advice.)

4. Contact Symantec Technical Support for further assistance or to learn the correct submission portal. Provide Technical Support with the tracking number of the Security Response submission.

Sector Inspector
Microsoft has a free tool called Sector Inspector (secinspect.exe) that can be run to collect the MBR data for forwarding to the Security Response team. It is the best alternative for customers who do not wish to use Symantec's tool.
Details can be found at http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=DD3EF22A-A586-4079-9489-C3EA14573FC4

Detailed steps:

1. Download the Sector Inspector tool from Microsoft. Install the Sector Inspector software on the computer where the Master Boot Record is suspected to be infected. The default location that it installs to is: C:\Program Files\Windows Resource Kits\Tools

2. Open a command line. Navigate to the above directory. Do a DIR and verify that you can see "secinspect.exe" in the folder.

3. Run this command line. It copies the first sectors of the disk starting at sector 0 (the MBR is the first 512-byte sector); the last two arguments are the starting sector and the number of sectors to copy:


    secinspect -backup PhysicalDrive0 mbrsect.dsk 0 10


4. Upload this MBR (the resulting "mbrsect.dsk" file located in "C:\Program Files\Windows Resource Kits\Tools") to our submission server, using the appropriate link based on support entitlement.

5. Contact Symantec Technical Support for further assistance or to learn the correct submission portal. Provide Technical Support with the tracking number of the Security Response submission.

NOTE: In some cases, MBR viruses can disguise the infected MBR if the virus is in memory (i.e. you booted from the infected drive) while taking this sample. The virus may intercept the disk read request and may report a normal MBR instead of the actual MBR that is in place. In these cases it is best to repeat steps 3-4 again, but after booting from a known clean source. You may need to copy the SECINSPECT.EXE to the bootable source (floppy or CD).
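To check a dump before submitting it, and to compare the dump taken from the running system with one taken after booting from known-clean media as the note above recommends, the following Python script is an added example that is not part of the original article and is not code from MBRUtil or Sector Inspector. It parses sector 0 of the raw image either tool produces, verifies the 0x55AA boot signature, lists the partition entries, hashes the 446-byte bootstrap area, and reports which sectors differ between two dumps. Both sample images are constructed inside the script; the altered bootstrap bytes in the "live" image stand in for a modified MBR and are not taken from any real sample.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510..511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the bootstrap code
# Partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA of first sector, sector count (both little-endian 32-bit).
ENTRY_FMT = "<B3sB3sII"


def parse_mbr(image: bytes) -> dict:
    """Parse sector 0 of a raw dump such as MyMBR.dat or mbrsect.dsk."""
    if len(image) < SECTOR_SIZE:
        raise ValueError(f"image is {len(image)} bytes; need at least one {SECTOR_SIZE}-byte sector")
    sector0 = image[:SECTOR_SIZE]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, nsect = struct.unpack(ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0:                # empty slot
            continue
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": nsect,
        })
    return {
        "boot_signature_ok": sector0[510:512] == BOOT_SIGNATURE,
        # Hash of the bootstrap code only: partition data may legitimately differ
        # between machines, but the loader bytes are what a bootkit rewrites.
        "bootstrap_sha256": hashlib.sha256(sector0[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "sector0_sha256": hashlib.sha256(sector0).hexdigest(),
        "partitions": partitions,
        "extra_sectors": len(image) // SECTOR_SIZE - 1,
    }


def compare_dumps(live: bytes, clean: bytes) -> list:
    """Return indices of sectors that differ between a dump taken on the running
    system and one taken after booting from clean media. A difference in sector 0
    with a rootkit active is the hiding behaviour the article's note describes."""
    n = min(len(live), len(clean)) // SECTOR_SIZE
    differing = [
        i for i in range(n)
        if live[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] != clean[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
    ]
    # Trailing sectors present in only one dump count as differences too.
    differing.extend(range(n, max(len(live), len(clean)) // SECTOR_SIZE))
    return differing


def build_sample_mbr(bootstrap_prefix: bytes) -> bytes:
    """Constructed sample: one bootable NTFS-type (0x07) partition at LBA 2048.
    Not a real MBR; the prefix stands in for the first bootstrap instructions."""
    bootstrap = (bootstrap_prefix + b"\x00" * PARTITION_TABLE_OFFSET)[:PARTITION_TABLE_OFFSET]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1024000)
    table = entry + b"\x00" * 48  # three empty entries
    return bootstrap + table + BOOT_SIGNATURE


# Constructed images: two sectors each, as a "0 2" style secinspect dump would give.
CLEAN_IMAGE = build_sample_mbr(b"\x33\xc0\x8e\xd0") + b"\x00" * SECTOR_SIZE
LIVE_IMAGE = build_sample_mbr(b"\xeb\x2c\x90\x00") + b"\x00" * SECTOR_SIZE   # altered loader bytes

if __name__ == "__main__":
    for name, img in (("clean-boot dump", CLEAN_IMAGE), ("live dump", LIVE_IMAGE)):
        info = parse_mbr(img)
        print(f"{name}: signature ok={info['boot_signature_ok']} "
              f"bootstrap sha256={info['bootstrap_sha256'][:16]}... "
              f"partitions={info['partitions']}")
    print("sectors that differ:", compare_dumps(LIVE_IMAGE, CLEAN_IMAGE))
```

Run it against the real files with `parse_mbr(open("mbrsect.dsk", "rb").read())`; record the SHA-256 values when you open the support case so the analyst can confirm the upload was not altered in transit.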


Supplemental Materials

Value: 1630054, 1028730


Legacy ID



2009040313251248



