How to Remove a Boot Virus
A boot virus infects the boot sector of a floppy disk, and may infect either the boot sector of the hard disk, the master boot sector of the hard disk, or neither. (Some viruses, such as Brain, only infect floppy disks.)
The boot sector of a floppy is located on the top side of the diskette (side 0), the outermost cylinder (cylinder 0), and the first sector (sector 1). In this sector you will normally find code called the boot record. A boot record is created whenever a disk is formatted (with FORMAT), regardless of the switches used. It is re-written whenever the disk is SYS'ed (with SYS). When a machine boots from a floppy disk, the heads of the drive automatically seek to cylinder 0. Then the controller tells the heads of the drive to read the code located on side 0, cylinder 0, sector 1. When the program in the sector is read, the code contained in it is executed. The code might be a healthy boot sector, and the boot continues. Or it might be a virus, which will execute, have its way with your computer, and then pass control to the sector on the floppy where it has moved the original boot record.
On a hard disk, things are slightly more complicated. The hard disk begins to spin and the hard disk heads automatically seek to cylinder 0 when power is supplied to the drive. The hardware BIOS (in a ROM) gives control to the controller, and the hard disk controller tells the hard disk heads to read side 0, cylinder 0, sector 1 - the master boot sector. Normally, this sector contains a program called the master boot record, which uses a small database within it called the partition table. Sometimes the master boot sector contains a boot virus, which loads and executes, and then gives control to the master boot record code, which the virus has moved to another sector.
The purpose of a master boot record is to tell the computer about its various drives, and to transfer control to the next sector that should be read. This will normally be the boot record on one of the partitions. (Since we never partition a floppy disk into one or more drives, we do not need a master boot record on the floppy.)
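As an added illustration, not part of the original article, here is a Python parser for the partition table that the master boot record carries at offset 0x1BE of the master boot sector, working on a constructed 512-byte sector image rather than a real drive. The drive geometry (16 heads, 63 sectors per track), the single FAT16 partition, the OEM placeholder and the partition type lookup are all assumptions chosen for the example. It also converts the side/cylinder/sector address the text describes into a linear sector number, which shows why side 0, cylinder 0, sector 1 is the first sector on the disk, and includes the sanity checks a defender would run on a table recovered from a damaged or virus-modified sector.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # 446: four 16-byte partition entries live here
SIGNATURE_OFFSET = 0x1FE         # 510: bytes 55 AA mark a valid (master) boot sector
BOOT_SIGNATURE = 0xAA55          # the 55 AA bytes read as a little-endian word

# A few common DOS-era partition type codes (constructed lookup, not exhaustive)
PARTITION_TYPES = {0x00: "empty", 0x01: "FAT12", 0x04: "FAT16 (<32 MB)",
                   0x05: "extended", 0x06: "FAT16", 0x07: "HPFS/NTFS"}


def chs_to_lba(cylinder, head, sector, heads_per_cylinder, sectors_per_track):
    """Sector numbers are 1-based, so side 0 / cylinder 0 / sector 1 is LBA 0:
    the very first sector the drive reads when the machine boots."""
    return (cylinder * heads_per_cylinder + head) * sectors_per_track + (sector - 1)


def decode_chs(raw3):
    """Unpack the 3-byte on-disk CHS field: head, (cyl bits 8-9 | sector), cyl bits 0-7."""
    head = raw3[0]
    sector = raw3[1] & 0x3F
    cylinder = ((raw3[1] & 0xC0) << 2) | raw3[2]
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    return bytes([head, ((cylinder >> 2) & 0xC0) | (sector & 0x3F), cylinder & 0xFF])


def is_boot_sector(sector):
    """True when the sector is 512 bytes long and ends with the 55 AA signature."""
    return (len(sector) == SECTOR_SIZE and
            struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0] == BOOT_SIGNATURE)


def parse_partition_table(sector):
    """Return the four entries of the partition table inside a master boot sector."""
    if not is_boot_sector(sector):
        raise ValueError("not a boot sector: wrong length or 55 AA signature missing")
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        (status, chs_start, ptype, chs_end,
         lba_start, length) = struct.unpack_from("<B3sB3sII", sector, offset)
        entries.append({
            "status": status,
            "active": status == 0x80,          # the partition whose boot record is run next
            "type": PARTITION_TYPES.get(ptype, "0x%02X" % ptype),
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "lba_start": lba_start,
            "sectors": length,
        })
    return entries


def check_partition_table(entries):
    """Sanity problems a corrupted or overwritten table would show (empty list = looks sane)."""
    problems = []
    used = sorted((e for e in entries if e["sectors"] > 0), key=lambda e: e["lba_start"])
    if not used:
        problems.append("no partitions defined")
    if sum(1 for e in used if e["active"]) != 1:
        problems.append("expected exactly one active partition")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            problems.append("invalid status byte 0x%02X" % e["status"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append("partitions overlap")
    return problems


def build_mbr(partitions):
    """Constructed sample master boot sector: placeholder code, partition entries, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"   # placeholder JMP where real master boot code would start
    for i, (status, ptype, chs_start, chs_end, lba_start, length) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sector, PARTITION_TABLE_OFFSET + 16 * i,
                         status, encode_chs(*chs_start), ptype, encode_chs(*chs_end),
                         lba_start, length)
    struct.pack_into("<H", sector, SIGNATURE_OFFSET, BOOT_SIGNATURE)
    return bytes(sector)


# Constructed 16-head, 63-sectors-per-track geometry with one active FAT16 partition
# starting at cylinder 0, head 1, sector 1 (LBA 63) and ending on cylinder 202.
SAMPLE_MBR = build_mbr([(0x80, 0x06, (0, 1, 1), (202, 15, 63), 63, 203 * 16 * 63 - 63)])

if __name__ == "__main__":
    table = parse_partition_table(SAMPLE_MBR)
    for entry in table:
        print(entry)
    print("problems:", check_partition_table(table))
```

Run against a real image, the same parser would be fed the first 512 bytes of a drive dump taken after a clean boot; reading it through a running system is exactly what a stealth virus can intercept, which is why the article insists on booting from a clean, write-protected floppy first.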
Boot viruses that are active in your computer's memory will generally infect all floppy disks placed in drive A: if the diskette has ever been formatted, if it is not write-protected, and if the disk is not already infected with that virus. Some boot viruses will only infect a particular capacity (e.g., 1.44 Mb floppies), a particular size (e.g., 3.5"), a particular floppy drive (e.g., A:), or some combination (e.g., any 720K or 1.44 Mb floppy placed in A:).
When a virus like Stoned infects a hard disk, it follows these steps:
If You are Now Certain You Have a Virus
It has been a lot of work getting to this paragraph, but if you have been able to prove you have a false alarm, you need not read on.
If you are certain that you have a virus, there are some actions you must take. Before doing anything, consider the goals I propose below for your action plan:
Quick Diagnostics And Identification
Is It A Boot Virus Or A File Virus Or Both
If A Boot Virus, Is It Stealth Or Not?
Is The Virus Common Or Rare?
Summon the SWAT team. You should have already assembled on paper a group of virus-busting volunteers - folks happy to stay up late killing viruses. Perfect members of the team are energetic power users who care about your organization and understand users as well as corporate goals. You should have already figured out two or more mechanisms for summoning the SWAT team. For instance, if the network goes down, your e-mail system does too. Team members should carry the phone numbers (home and work) of other team members in their wallets.
Prevent the spread of the virus. We would recommend a general announcement: "Virus Alert: No diskette is to leave the building." This previously prepared sign can be placed on doors. (If the network is still up, send the same message to all network users.)
Cease use of the infected workstation(s). Hang a previously prepared sign on the monitor that the machine is infected and must not be used. This will reduce the number of files and disks and servers that become infected, and make removal easier. This is particularly important if the virus must be removed by deleting files, for every file deleted will need to be replaced with an uninfected copy before users can be fully operational.
Before you Do a Major Scan of Machines, or Clean a Boot Virus, Learn More
Before you Clean a Boot Virus, Back it Up
Note: the advice in this section was inspired by my repeated observation of the failure of some products. MSAV and CPAV damaged floppies that they tried to remove Form from. McAfee's CLEAN v. 100 damaged hard disks that it tried to remove Michelangelo from...
How To Backup A Boot Virus
If the virus is on a floppy, write-protect the diskette, and use DISKCOPY to make another copy of the disk. Scan the destination disk to be sure the virus transferred (it should have, if you didn't do some accidental cleaning in the excitement.)
If the virus is on the hard disk, then it got there from a floppy, and it should be able to find its way back onto a floppy. Simply place a formatted floppy in drive A: (some boot viruses won't infect B:) and access the floppy a few times. Then scan the floppy to be sure the floppy is now infected.
Boot Viruses: Test Cleaning on Your Backup Copy
Can your product clean it at all? Take the diskette to a clean machine. Scan. If a virus is found, permit it to clean. Now scan again. Is it still infected?
If it is no longer infected, is it still usable? Is the disk accessible (or do you get "General Failure Error Reading...")? Is the directory structure OK (use DIR to learn)? Are files damaged (use COPY to learn)?
If the diskette structure is damaged, was this caused by the virus or your product? If the product, get a new product and repeat this test cleaning before proceeding.
Boot Viruses: Test Cleaning of Hard Disk
Even though your cleaning of a floppy went fine, it doesn't mean that cleaning of a hard disk will go as smoothly. Floppies are not likely to have DoubleSpace, dual-boot setups, and access control products entangled with them. Hard disks can be hard.
If you have several machines that are infected, go to the one you care least about, or the one that has most recently been backed up. Or do a file-by-file backup to tape or Bernoulli or server if possible. (Boot viruses will not infect tape or server, might infect Bernoulli drives, and will infect backups to floppy.)
Boot from a clean write-protected floppy and run the remover against the hard disk.
Test your work: Does it still boot? If booted clean, does your scanner say it is virus-free?
Removing A Non-Stealth Boot Virus
Make Sure You Have A Backup Copy Of The Virus!
A Look At Cleaning By Standard Anti-Virus Programs
Some Troublesome Non-Stealth Boot Viruses
What To Do If The Original Sector Is Gone
Removing A Stealth Boot Virus
Stealth Boot Viruses
A stealth boot virus is like any other boot virus, except for one interesting characteristic: when you (or some software) ask the computer to examine a sector in which the virus is located, the virus "redirects" the software to instead view the original sector. Your anti-virus software believes it is examining the master boot sector, but it is actually examining the displaced master boot record. It doesn't find any problem, and moves on in its search for the virus.
A stealth boot virus can be easily seen by anti-virus software if the virus is not active in memory (if you have booted clean), or if you can disable the copy of the virus that is in memory.
I will describe here many ways to clean a boot virus. I recommend that you only use these methods if you are sure you have a boot virus (see above.)
If C: is an "Invalid Drive Specification" when booting from A:
Assuming that you do not have an access control product installed (which doesn't permit booting from A:), and assuming that you can boot from your hard disk just fine, you probably have a boot virus that has encrypted your master boot record.
If C: is Available after Booting Clean
You can assume that the virus is not Monkey, Frankenstein, or some other virus that encrypts the master boot record. It still may be a stealth boot virus.
Recovering From Damage Done By Cleaning Boot Viruses
If, either before or after removing a virus, you get "General failure error reading drive..." when trying to read a drive, the virus or anti-virus product has probably damaged the boot record of the drive. You can paste in a clean one with a disk editor such as Norton Utilities. Here's how:
Don't bother with SYS. In DOS 5+ (and probably earlier versions), SYS only writes the hidden system files and COMMAND.COM. Your boot record will still be infected!
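The checks below are an added example, not from the original article: a Python routine that inspects a boot record image (the same 512 bytes a disk editor such as Norton Utilities would show you) for the structural damage behind a "General failure error reading drive..." symptom, using the BIOS Parameter Block fields of a DOS FAT12/FAT16 boot record. The sample sector with its 1.44 MB floppy geometry, the OEM name string, and the two damage cases (BPB overwritten by foreign code, signature lost) are all constructed for the example; a recovered record that passes these checks is a reasonable candidate to paste in, one that fails them is not.

```python
import struct

SECTOR_SIZE = 512
# Jump instruction, OEM name, then the BIOS Parameter Block (BPB) of a DOS FAT12/FAT16 boot record
BPB_FORMAT = "<3s8sHBHBHHBHHHII"
BPB_FIELDS = ("jump", "oem_name", "bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fats", "root_entries", "total_sectors_16", "media_descriptor", "sectors_per_fat",
              "sectors_per_track", "heads", "hidden_sectors", "total_sectors_32")


def parse_boot_record(sector):
    """Unpack the BPB at the start of a boot record into a dict of named fields."""
    fields = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 0)))
    # Small volumes store the sector count in the 16-bit field, large ones in the 32-bit field
    fields["total_sectors"] = fields["total_sectors_16"] or fields["total_sectors_32"]
    return fields


def check_boot_record(sector, floppy=True):
    """Return a list of structural problems; an empty list means the record looks intact."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected 512" % len(sector)]
    problems = []
    if sector[0x1FE:0x200] != b"\x55\xAA":
        problems.append("55 AA signature missing")
    b = parse_boot_record(sector)
    jump = b["jump"]
    if not ((jump[0] == 0xEB and jump[2] == 0x90) or jump[0] == 0xE9):
        problems.append("does not start with a JMP to the boot code")
    if b["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("bad bytes per sector %d" % b["bytes_per_sector"])
    spc = b["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors per cluster %d is not a power of two" % spc)
    if b["reserved_sectors"] == 0:
        problems.append("reserved sectors is 0 (the boot sector itself counts as one)")
    if b["fats"] not in (1, 2):
        problems.append("unexpected number of FATs %d" % b["fats"])
    if b["media_descriptor"] != 0xF0 and not 0xF8 <= b["media_descriptor"] <= 0xFF:
        problems.append("bad media descriptor 0x%02X" % b["media_descriptor"])
    if b["total_sectors"] == 0:
        problems.append("total sectors is 0")
    spt, heads = b["sectors_per_track"], b["heads"]
    if spt == 0 or heads == 0:
        problems.append("zero sectors per track or heads")
    elif b["total_sectors"] % (spt * heads):
        problems.append("total sectors is not a whole number of cylinders")
    if floppy and b["hidden_sectors"] != 0:
        problems.append("hidden sectors must be 0 on an unpartitioned floppy")
    return problems


def build_boot_record(bytes_per_sector=512, sectors_per_cluster=1, reserved_sectors=1, fats=2,
                      root_entries=224, total_sectors=2880, media_descriptor=0xF0,
                      sectors_per_fat=9, sectors_per_track=18, heads=2, hidden_sectors=0):
    """Constructed boot record; defaults describe a 1.44 MB floppy. The code area is a placeholder."""
    sector = bytearray(SECTOR_SIZE)
    small = total_sectors if total_sectors < 0x10000 else 0
    struct.pack_into(BPB_FORMAT, sector, 0, b"\xEB\x3C\x90", b"MSDOS5.0", bytes_per_sector,
                     sectors_per_cluster, reserved_sectors, fats, root_entries, small,
                     media_descriptor, sectors_per_fat, sectors_per_track, heads,
                     hidden_sectors, 0 if small else total_sectors)
    sector[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sector)


SAMPLE_1440K = build_boot_record()

# Constructed damage cases: the BPB overwritten by foreign code (bytes 0x0B-0x23 zeroed),
# and the signature lost; either leaves DOS unable to read the drive.
OVERWRITTEN_BPB = SAMPLE_1440K[:0x0B] + bytes(0x24 - 0x0B) + SAMPLE_1440K[0x24:]
NO_SIGNATURE = SAMPLE_1440K[:0x1FE] + b"\x00\x00"

if __name__ == "__main__":
    for name, image in (("intact", SAMPLE_1440K), ("overwritten BPB", OVERWRITTEN_BPB),
                        ("no signature", NO_SIGNATURE)):
        print(name, "->", check_boot_record(image) or "looks intact")
```

The parse is byte-exact, so the same function can be pointed at a sector dumped from a floppy and at the matching sector from a known-good diskette of the same format; fields that differ between the two tell you which part of the record the virus or the cleaning tool clobbered.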