How to collect Master Boot Record for submission to Symantec Security Response
|Article:TECH93277|||||Created: 2009-01-02|||||Updated: 2010-08-13|||||Article URL http://www.symantec.com/docs/TECH93277|
You have reason to suspect a MBR threat has compromised their computer, and want to know how to collect their Master Boot Record for analysis by Symantec Security Response.
Either a Symantec tool called MBRUtil or a Microsoft tool called Sector Inspector should be able to gather the required data.
Originally developed by PowerQuest, Symantec's tool MBRUtil can be run to collect the MBR data for forwarding to the Security Response team. This tool has been tested on Windows XP, Windows Vista and Windows Server 2003.
1. Download ftp://ftp.symantec.com/public/english_us_canada/tools/pq/utilities/head.zip and save it to the root of the local hard drive. Unzip head.zip to extract the contents.
2. Open a command prompt and run this command:
C:\> MBRUtil /S=MyMBR.dat
3. A file named MyMBR.dat will be created in the C:\ drive. Upload this file to our submission server, using the appropriate link based on support entitlement.
4. Contact Symantec Technical Support for further assistance or to learn the correct submission portal. ProvideTechnical Support with the tracking number of the Security Response submission.
Microsoft has a free tool called Sector Inspector (secinspect.exe) that can be run to collect the MBR data for forwarding to the Security Response team. It is the best alternative for customers who do not wish to use Symantec's tool.
Details can be found at http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=DD3EF22A-A586-4079-9489-C3EA14573FC4
1. Download the Sector Inspector tool from Microsoft. Install the Sector Inspector software on the computer where the Master Boot Record is suspected to be infected. The default location that it installs to is: C:\Program Files\Windows Resource Kits\Tools
2. Open a command line. Navigate to the above directory. Do a DIR and verify that you scan see “secinspect.exe” in the folder.
3. Run this command line. This will just copy sector 0 (The MBR is in the first 512b) :
secinspect -backup PhysicalDrive0 mbrsect.dsk 0 10
4. Upload this MBR (the resulting “mbrsect.dsk” file located in “C:\Program Files\Windows Resource Kits\Tools”) to our submission server, using the appropriate link based on support entitlement:
5. Contact Symantec Technical Support for further assistance or to learn the correct submission portal. ProvideTechnical Support with the tracking number of the Security Response submission.
NOTE: In some cases, MBR viruses can disguise the infected MBR if the virus is in memory (i.e. you booted from the infected drive) while taking this sample. The virus may intercept the disk read request and may report a normal MBR instead of the actual MBR that is in place. In these cases it is best to repeat steps 3-4 again, but after booting from a known clean source. You may need to copy the SECINSPECT.EXE to the bootable source (floppy or CD).
Article URL http://www.symantec.com/docs/TECH93277