Video Screencast Help
Security Community Blog

Learn about the Boot Sector virus

Created: 23 Sep 2010 • 1 comment
mon_raralio's picture
+2 2 Votes
Login to vote

What is a sector?

Before we begin, we must first determine what is a sector. A sector is a subdivision of a drive. The term is derived from the mathematical term for a portion of a circle (an arc) that is enclosed by 2 radii or lines from the center to the edge of a circle. So in computer storage terms, a sector is an an arc where data is written. Note: Drawing is not by best work.
 
So, what and where is a boot sector?
 
In order for a PC to be useable, it need to powerup and boot.And the PC has 2 stages of booting up.The first stage boot loader is the BIOS. This is so that all the primary hardwares would come online and be able to communicate with one another. This also contains instructions on which hardware - usually a storage device - to access to get to the second stage of the boot process. The second stage boot loader is used to be able to load the OS. Two examples are the NTLDR.exe and GRUB.
 
These are some of the files you shouldn't be messing with:
 
The boot sector contains the data on how the computer hardware will process the data contained in the media. Think of it as a form of encryption where the key is in the front. This will give information on how to decrypt/read the data that follows. It also contains partition information on how a disk is separated into "slices", like spaces between words. Otherwise,you'dhaveahardtimecomprehendingwhatiswritten.:D
 
If you're looking for a more technical explanation...Here goes. On IBM PC compatible machines, the BIOS is ignorant of the distinction between Volume Boot Records (VBR) and Master Boot Records (MBR), and of partitioning. The firmware simply loads and runs the first sector of the storage device. If the device is a floppy or USB flash drive, that will be a VBR. If the device is a hard disk, that will be an MBR. It is the
code in the MBR which generally understands disk partitioning, and in turn, is responsible for loading and running the VBR of whichever primary partition is set to boot (the active partition). The VBR then loads a second-stage bootloader from another location on the disk.
 
About the virus...
 
Whatever is stored in the first sector of a bootable storage device (floppy diskette, USB device, hard disk), is not required to immediately load any bootstrap code for an OS, if ever. The BIOS merely passes control to whatever exists there, as long as the sector meets the very simple qualification of having the boot record signature of 0x55, 0xAA in its last two bytes. This is why it's easy to replace the usual bootstrap code found in an MBR with more complex loaders, even large multi-functional boot managers (programs stored elsewhere on the device which can run without an operating system), allowing users a number of choices in what occurs next. With this kind of freedom, abuse often occur in the form of boot sector viruses.
 
What does that mean? It is basically an indicator to tell the hardware what type of device it is communicating with and how the data is to be read and written on. It then accesses certain instructions from files and what follows next is [place your virus here] and then finally the OS in all its glory! So a Boot Sector Virus, in order to propagate, must first be loaded into memory by following the instructions written in the infected boot sector and has instructions to write itself on the next media. For a malware working from the OS or application side to be able to infect the boot sector, it must have low level programming or it would have a hard time to propagate to that area. But since, NTLDR is readily accessible from explorer or MS-DOS. All you have to do is to have write access to system files.
 
"I has virus. Pls remove. Thx."
 
So how do you remove this sort of malware without reformatting the hard drive?
 
Here's a procedure for a Windows XP OS:
 
 1. Insert the Windows XP CD-ROM into the CD-ROM drive.
 2. Restart the computer from the CD-ROM drive.
 3. Press R to start the Recovery Console when the "Welcome to Setup" screen appears.
 4. Select the installation that you want to access from the Recovery Console.
 5. Enter the administrator password and press Enter.
 6. Type the following command and press Enter:
                        fixmbr
 7. Following the onscreen instructions to restore the Master Boot Record.
 8. Type exit
 9. Press Enter. The computer will now restart automatically.
 
The general rule here is to get the first media with a set of instructions (and has a clean MBR!) to load itself. And using the instructions contained therein, to overwrite the MBR of the next storage media.
 
Finally, other applications that you may use are the following:
- Fdisk by Microsoft (C:\fdisk /mbr - will overwrite the MBR)
- TestDisk by Christophe Grenier at CGSecurity.org (Check their website)
- MBRWizard by MBRWizard now Firesage (Up to ver 2 is still free, you have to pay for ver 3 with the nice GUI)
 
There are few MBR virus out in the wild. Most are probably remnants and mutations of the Disk OS days. The probable reason behind this is that most malware writers are too busy exploiting Internet sites, commercial apps and OSs, and Spamming where real (and illegal, and possibly harmful) profit can be made. But still, this can still pose as a threat especially if combined with other types of malwares out there. But the knowledge presented could hopefully help in removing them safely and with minimal risk.
 
Cheers.

Comments 1 CommentJump to latest comment

mickmbs's picture

found very informative... I hope i'll get these types of blogs again.

software billions club review
http://www.softwarebillionsclubreview.com

-1
Login to vote