    LANDesk(R) Virus Protect: How to Clean a Boot Sector Virus

    HOW TO CLEAN A BOOT SECTOR VIRUS

       Symptoms and behavior of most boot sector viruses:

       Most boot sector viruses can only be transferred from floppy to hard
       drive or from hard drive to floppy.  A floppy or hard drive with an
       infected boot sector will not infect any files, and cannot spread to the
       server or over the network.  The only way an infected floppy can infect
       a hard drive is if you attempt to boot from the infected floppy.  The
       floppy does not have to be bootable to be able to infect the hard drive.
       If a computer is booted from an infected floppy or hard drive, most boot
       sector viruses will load their code into memory, so that all floppy
       disks which are inserted and accessed on that computer will also become
       infected.  Typical signs of a boot sector virus are receiving an error
       message when trying to enter Windows that says it can't use 32-bit disk
       access, and having less than 655,360 total bytes memory when CHKDSK is
       run.

       NOTE:     There are boot sector viruses which also infect files.  These
                 are called "multipartite" viruses.  There are not many of
                 this type, but the most common multipartite viruses are
                 probably Junkie, Natas, One_Half, & Tequila.

       If you have a rescue diskette generated by VPRULE, do the following:

         1. If you have made a rescue disk for the computer you are trying to
            clean, which contains RESCUE.COM and VPRULE.RES, insert the rescue
            disk and run "RESCUE".

         2. If the disk does not contain RESCUE.COM, copy RESCUE.COM onto the
            rescue disk from any workstation.  RESCUE.COM can be found in the
            VPROTECT directory or in the VPROTECT.PC directory, or in the
            directory where your LANDesk Virus Protect files reside.

            (Note: A rescue disk from another computer should not be used
            unless you are absolutely sure that the partition tables and DOS
            versions are identical on both computers - any variation in
            partition table information will likely wipe out the hard drive.)

       If you do not have a rescue diskette, most boot sector viruses can be
       cleaned with the methods described below, without the loss of any
       data.

       Since the effects of some viruses can be unpredictable, you should back
       up the data on your hard drive whenever possible.  Boot sector viruses
       can be cleaned with the DOS "SYS.COM" program, and MBR viruses can be
       cleaned with an undocumented option of FDISK.EXE.  If you do not know
       which type of virus you have, you can try both, in the order presented
       below.  If you have floppies that are infected with boot sector
       viruses, you can copy the files off the disk, reformat them (on a clean
       workstation) with FORMAT /S /U, and then copy the files back to the
       floppy (assuming the files are not infected).

       Cleaning a Boot Sector Virus

       It is critical that all the steps are followed exactly as described
       below.

         1. Obtain a clean, bootable, write-protected floppy disk which
            contains the same version of DOS as the machine you are attempting
            to clean.  Copy SYS.COM and FDISK.EXE to this floppy.

         2. Make sure the CMOS setting is set to boot from the A: drive.  Power
            off the computer, insert your bootable floppy, and power on the
            computer.

         3. At this point, it is critical that you verify that the partition
            table has not been damaged.  To check this, type DIR for each disk
            partition.  If the drive has just one partition, just type DIR C:.
            You should see the listing of files in the C:\ directory.  If you
            cannot access your C: drive (or other disk partitions), it is
            likely you have a damaged partition table.  If this is the case,
            the partition table needs to be repaired before you can attempt to
            clean the virus.  A utility such as Norton Disk Doctor may be
            helpful.

            NOTE:   If you have a compressed drive, you will probably not be
                    able to see the hard drive unless you include the drivers
                    for your compression software on your boot floppy.

         4. From the A: prompt type:   SYS C:

            (This will transfer the 2 hidden system files and COMMAND.COM.  It
            will also overwrite the boot sector where the virus may reside - at
            the first relative sector of the partition.)

         5. Once the DOS prompt returns, scan the drive again to see if the
            virus has been removed.

         6. If the virus is still present, repeat steps 2 and 3 above, then
            from the A: prompt type:

            FDISK /MBR

            (This will write new code to the master boot record at the first
            physical sector of the drive, and overwrite any virus code
            present.)

         7. Once the DOS prompt returns, scan the drive again to see if it is
            clean.

         8. As a last step, power off the computer, remove the boot floppy, and
            turn the power back on.  Scan the drive for viruses to ensure that
            it is now clean.
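The procedure above depends on three distinct on-disk regions: the MBR boot code at the first physical sector (what FDISK /MBR rewrites), the partition table in that same sector (what step 3 checks with DIR), and the partition boot sector at the partition's first relative sector (what SYS C: rewrites). The following Python script is an added example, not code from the original page or from LANDesk; it parses a constructed 512-byte MBR image, applies an offline version of the step 3 sanity check, and reports whether the boot code region differs from a known-clean copy. All byte values and the disk size are invented for the demonstration.

```python
import struct

SECTOR = 512
PT_OFFSET = 446   # bytes 0..445 hold MBR boot code; the 4 x 16-byte table follows
SIG_OFFSET = 510  # 0x55AA boot signature closes the sector

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR image into boot code, used partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PT_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:PT_OFFSET], "partitions": parts,
            "signature_ok": sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa"}

def partition_table_sane(mbr: dict, disk_sectors: int) -> bool:
    """Offline counterpart of step 3's DIR check: signature present and every used
    entry starts past sector 0 and ends inside the disk."""
    if not mbr["signature_ok"] or not mbr["partitions"]:
        return False
    return all(0 < p["lba_start"] and p["lba_start"] + p["sectors"] <= disk_sectors
               for p in mbr["partitions"])

def boot_code_modified(mbr: dict, clean_code: bytes) -> bool:
    """True when the boot code at physical sector 0 (the bytes FDISK /MBR rewrites)
    differs from a known-clean copy; the partition table is left out of the compare."""
    return mbr["boot_code"] != clean_code

def build_mbr(boot_code: bytes, lba_start: int, sectors: int) -> bytes:
    """Construct a one-partition MBR image for the demo (invented data, not a real disk)."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, lba_start, sectors)  # active FAT16 entry
    return boot_code.ljust(PT_OFFSET, b"\x00") + entry + bytes(48) + b"\x55\xaa"

# Constructed sample data: a placeholder "clean" boot stub and a variant whose first
# bytes were replaced, standing in for an MBR whose code region has been altered.
CLEAN_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(PT_OFFSET, b"\x00")
PATCHED_CODE = bytes([0xEB, 0x3C, 0x90]) + CLEAN_CODE[3:]
DISK_SECTORS = 204800  # invented 100 MB disk

if __name__ == "__main__":
    for name, code in (("clean", CLEAN_CODE), ("patched", PATCHED_CODE)):
        mbr = parse_mbr(build_mbr(code, 63, DISK_SECTORS - 63))
        print(name, "table sane:", partition_table_sane(mbr, DISK_SECTORS),
              "boot code modified:", boot_code_modified(mbr, CLEAN_CODE),
              "partition boot sector at LBA", mbr["partitions"][0]["lba_start"])
```

The reported LBA of the active partition is the "first relative sector" that SYS C: overwrites, while the compared boot code is the region FDISK /MBR replaces.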