LANDesk(R) Virus Protect: How to Clean a Boot Sector Virus
HOW TO CLEAN A BOOT SECTOR VIRUS
Symptoms and behavior of most boot sector viruses:
A boot sector virus lives in the code the BIOS executes at boot time, not
in any file. Most boot sector viruses can therefore only be transferred
from floppy to hard drive or from hard drive to floppy. A floppy or hard
drive with an infected boot sector does not infect files, so the virus
cannot spread to the server or across the network through file copies.
The only way an infected floppy can infect a hard drive is if the
computer is booted, or attempts to boot, from it. The floppy does not
have to be a bootable system disk: the BIOS executes whatever code is in
the boot sector before that code discovers there is no operating system
on the disk. Once a computer has been booted from an infected floppy or
hard drive, most boot sector viruses stay resident in memory and infect
every floppy that is inserted and accessed on that computer. Typical
signs of a boot sector virus are an error message on starting Windows
that 32-bit disk access cannot be used (the resident virus has hooked the
disk interrupt), and CHKDSK reporting less than 655,360 total bytes of
memory (the virus reserves a few kilobytes at the top of conventional
memory to hide in).
NOTE: Some boot sector viruses also infect files. These are called
"multipartite" viruses. There are not many of this type; the most
common are probably Junkie, Natas, One_Half and Tequila. A
multipartite infection needs both the boot sector cleanup described
below and a file scan and clean.
If you have a rescue diskette generated by VPRULE, do the following:
1. If you have made a rescue disk for the computer you are trying to
clean, containing RESCUE.COM and VPRULE.RES, insert the rescue disk
and run RESCUE.
2. If the disk does not contain RESCUE.COM, copy RESCUE.COM onto the
rescue disk from any workstation. RESCUE.COM can be found in the
VPROTECT directory, in the VPROTECT.PC directory, or in whichever
directory holds your LANDesk Virus Protect files.
(Note: Do not use a rescue disk made on another computer unless you
are absolutely sure that the partition tables and DOS versions are
identical on both computers. The rescue disk writes back the saved
master boot record, partition table included, so any variation in
partition table information will likely make the data on the hard
drive inaccessible.)
If you do not have a rescue diskette, most boot sector viruses can
be cleaned with the methods described below, without the loss of
any data.
Since the effects of some viruses can be unpredictable, back up the
data on your hard drive whenever possible before you start. Two
different sectors are involved. The DOS boot sector is the first
sector of the partition and is rewritten by the DOS "SYS.COM"
program. The master boot record (MBR) is the first physical sector of
the drive and also holds the partition table; its boot code can be
rewritten with an undocumented option of FDISK.EXE (FDISK /MBR,
available from MS-DOS 5.0 on) that leaves the partition table itself
in place. If you do not know which type of virus you have, you can
try both, in the order presented below. Do not use FDISK /MBR on a
drive whose MBR holds a disk overlay or boot manager (such as Ontrack
Disk Manager or EZ-Drive), or if you suspect a virus such as One_Half
that encrypts part of the disk and decrypts it on the fly: in those
cases the MBR code is needed to read the drive, and overwriting it
leaves the data inaccessible. Clean such a drive with a scanner that
recognizes the virus instead.
If you have floppies that are infected with boot sector viruses, copy
the files off each disk (on a clean workstation), reformat it with
FORMAT /S /U, which writes a fresh boot sector, and then copy the
files back, provided the files themselves are not infected.
Cleaning a Boot Sector Virus
It is critical that all the steps are followed exactly as described
below.
1. Obtain a clean, bootable, write-protected floppy disk, made on an
uninfected machine, which contains the same version of DOS as the
machine you are attempting to clean (SYS C: installs the floppy's
copy of DOS onto C:, so the versions must match). Copy SYS.COM,
FDISK.EXE and your virus scanner to this floppy, and write-protect it
before it goes anywhere near the infected machine, so the virus cannot
infect it in turn.
2. Make sure the CMOS setup is set to boot from the A: drive. Power off
the computer, insert your bootable floppy, and power on the
computer. Use a cold boot, not Ctrl-Alt-Del: some boot sector viruses
survive a warm reboot in memory.
3. At this point, it is critical that you verify that the partition
table has not been damaged. To check this, type DIR for each disk
partition. If the drive has just one partition, just type DIR C:.
You should see the listing of files in the C:\ directory. If you
cannot access your C: drive (or other disk partitions), it is
likely you have a damaged partition table. If this is the case,
the partition table needs to be repaired before you can attempt to
clean the virus; running SYS or FDISK /MBR against a damaged table
will not help and may make recovery harder. A utility such as Norton
Disk Doctor may be helpful.
NOTE: If you have a compressed drive, you will probably not be
able to see the hard drive unless you include the drivers
for your compression software on your boot floppy.
4. From the A: prompt type: SYS C:
(This transfers the two hidden system files and COMMAND.COM. It
also rewrites the DOS boot sector, the first relative sector of the
partition, which is where a boot sector virus resides.)
5. Once the DOS prompt returns, scan the drive again, with the scanner
run from the floppy, to see if the virus has been removed.
6. If the virus is still present, repeat steps 2 and 3 above, then
from the A: prompt type:
FDISK /MBR
(This writes fresh boot code to the master boot record at the first
physical sector of the drive and overwrites any virus code present
there. The partition table in the same sector is left as it is.)
7. Once the DOS prompt returns, scan the drive again to see if it is
clean.
8. As a last step, power off the computer, remove the boot floppy, and
turn the power back on. Scan the drive for viruses to ensure that
it is now clean, and confirm that CHKDSK again reports 655,360 total
bytes of memory and that Windows no longer complains about 32-bit
disk access.
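Steps 3, 4 and 6 rest on the difference between the two sectors involved: the MBR at physical sector 0, which holds the partition table, and the DOS boot sector at the first sector of each partition. The following is an added example, not part of the original Intel page, that performs the step 3 sanity check on a raw disk image (for instance one captured from the suspect drive with dd on another machine) instead of with DIR: it reads the partition table, confirms the 55AA signatures, and checks that each partition's boot sector starts with a JMP and carries a BPB consistent with the partition size. The image builder and the "damaged" image are constructed test data; the layout it assumes (512-byte sectors, one partition starting at LBA 63) is the common DOS layout but is an assumption, not something taken from the page.

```python
"""Sanity-check the MBR and DOS boot sector(s) of a raw disk image.

Constructed example: builds a small image in memory, then runs the same
checks you would run on a real image captured from a suspect drive.
"""
import struct

SECTOR = 512
BOOT_SIG = b'\x55\xAA'
MBR_TABLE_OFF = 0x1BE          # partition table lives at bytes 446..509 of the MBR


def build_mbr(partitions):
    """Build an MBR from (type, lba_start, lba_size) tuples.

    The 446-byte boot code area is left zero: this is test data, not DOS code.
    """
    mbr = bytearray(SECTOR)
    for i, (ptype, lba_start, lba_size) in enumerate(partitions):
        off = MBR_TABLE_OFF + 16 * i
        status = 0x80 if i == 0 else 0x00          # first entry marked active
        # status, CHS start (unused), type, CHS end (unused), LBA start, LBA size
        struct.pack_into('<B3sB3sII', mbr, off, status, b'\0' * 3,
                         ptype, b'\0' * 3, lba_start, lba_size)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def build_dos_boot_sector(total_sectors):
    """Build a FAT12/16-style DOS boot sector with a plausible BPB (test data)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b'\xEB\x3C\x90'                     # JMP SHORT + NOP, as DOS boot code starts
    bs[3:11] = b'MSDOS5.0'                         # OEM name
    # BPB at offset 11: bytes/sector, sectors/cluster, reserved sectors, FAT count,
    # root dir entries, total sectors (16-bit), media descriptor, sectors per FAT
    struct.pack_into('<HBHBHHBH', bs, 11, 512, 1, 1, 2, 224,
                     total_sectors, 0xF8, 9)
    bs[510:512] = BOOT_SIG
    return bytes(bs)


def parse_mbr(mbr):
    """Return the non-empty partition table entries of a 512-byte MBR."""
    if len(mbr) != SECTOR:
        raise ValueError('MBR must be exactly one 512-byte sector')
    entries = []
    for i in range(4):
        off = MBR_TABLE_OFF + 16 * i
        status, _, ptype, _, start, size = struct.unpack_from('<B3sB3sII', mbr, off)
        if ptype != 0:
            entries.append({'index': i, 'active': status == 0x80, 'type': ptype,
                            'lba_start': start, 'lba_size': size})
    return entries


def check_image(image):
    """Return a list of findings; an empty list means nothing is obviously wrong.

    This is the step 3 check (partition table intact?) done on a raw image.
    """
    findings = []
    disk_sectors = len(image) // SECTOR
    mbr = image[:SECTOR]
    if mbr[510:512] != BOOT_SIG:
        findings.append('MBR: 55AA signature missing (sector 0 overwritten?)')
    parts = parse_mbr(mbr)
    if not parts:
        findings.append('MBR: partition table empty')
    for p in parts:
        tag = f'partition {p["index"]}'
        if p['lba_size'] == 0 or p['lba_start'] + p['lba_size'] > disk_sectors:
            findings.append(f'{tag}: extent {p["lba_start"]}+{p["lba_size"]} '
                            f'exceeds disk ({disk_sectors} sectors)')
            continue
        off = p['lba_start'] * SECTOR
        bs = image[off:off + SECTOR]               # the partition's DOS boot sector
        if bs[510:512] != BOOT_SIG:
            findings.append(f'{tag}: boot sector signature missing')
        if bs[0] not in (0xEB, 0xE9):              # DOS boot sectors begin with a JMP
            findings.append(f'{tag}: boot sector does not start with a JMP')
        bytes_per_sector, = struct.unpack_from('<H', bs, 11)
        if bytes_per_sector != SECTOR:
            findings.append(f'{tag}: BPB bytes/sector is {bytes_per_sector}, expected 512')
        total16, = struct.unpack_from('<H', bs, 19)
        total32, = struct.unpack_from('<I', bs, 32)
        if (total16 or total32) > p['lba_size']:
            findings.append(f'{tag}: BPB claims {total16 or total32} sectors, '
                            f'partition has {p["lba_size"]}')
    return findings


def make_clean_image(disk_sectors=2048):
    """Constructed 1 MiB image: one active FAT12 partition starting at LBA 63."""
    start, size = 63, disk_sectors - 63
    image = bytearray(disk_sectors * SECTOR)
    image[:SECTOR] = build_mbr([(0x01, start, size)])
    image[start * SECTOR:(start + 1) * SECTOR] = build_dos_boot_sector(size)
    return bytes(image)


def make_damaged_image():
    """Same image with the MBR signature cleared and the boot sector's JMP trashed."""
    image = bytearray(make_clean_image())
    image[510:512] = b'\0\0'
    image[63 * SECTOR:63 * SECTOR + 3] = b'\0\0\0'
    return bytes(image)


if __name__ == '__main__':
    for name, img in (('clean', make_clean_image()), ('damaged', make_damaged_image())):
        print(name, check_image(img) or ['OK'])
```

Run it as a script to see the clean image pass and the damaged one fail; for a real disk, pass the bytes of the captured image to check_image. A clean result only means the tables and signatures are intact, which is what step 3 needs before SYS or FDISK /MBR is run; it says nothing about whether the boot code in either sector is the original DOS code or a virus, and that remains the scanner's job.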