Internet Security Professional Reference:Viruses


Preventing and Repairing Boot Record Viruses

The best way to prevent FBR, MBR, and PBR viral infection is to alter the bootup sequence in the computer’s CMOS configuration. Most PCs allow the user to specify whether the computer should boot from a floppy disk if one is present in drive A:. The user should update this CMOS option so that the computer always boots from the hard drive, even if a floppy disk is present in drive A:. Because FBR viruses can gain control and infect the hard drive only if the computer boots from an infected floppy disk, changing this option completely prevents MBR, PBR, and subsequent FBR infections.

Scanning all incoming floppy disks with your favorite virus scanner also is wise, because it will detect a majority of the FBR virus infections before your computer can become infected.

How to Repair Infected Floppy Disks

Several easy techniques can be used to repair infected floppy disks without using an antivirus program.


Note: If the virus has corrupted the directory structure of the disk, use a program such as the Norton Disk Doctor to repair any damage, in addition to removing the virus.

Technique 1: Repairing a Floppy Boot Disk

If the infected floppy disk in question is bootable, as is any floppy disk that contains COMMAND.COM, MSDOS.SYS, or IO.SYS, the floppy disk can be repaired using the standard DOS SYS command. Locate an uninfected computer with the same version of DOS as the one that resides on the infected floppy disk. Insert the floppy disk in the floppy drive and issue a SYS A: (or SYS B:) command. This reinstalls the relevant DOS system files on the floppy disk and rewrites the bootstrap contents of the FBR, overwriting the virus’s bootstrap routine.

Technique 2: Repairing a Standard Floppy Disk

Take the infected floppy disk to an uninfected machine and copy all of the files from the infected floppy disk to a temporary directory on the hard drive. Be sure not to boot from the infected floppy disk! Reformat the floppy disk using an unconditional DOS format command, “FORMAT A: /U”, and then copy all the files back to the floppy disk. Reformatting the floppy disk rewrites the boot record of the floppy disk, removing the virus’s bootstrap routine.

Technique 3: Repairing a Standard Floppy Disk with a Disk Editor

Obtain a floppy disk that is the identical size and capacity of the infected floppy disk. Make sure that the two floppy disks match exactly; in other words, if your virus-infected floppy disk is a 720 KB, 3 ½-inch floppy disk, do not obtain a 1.44 MB, 3 ½-inch floppy disk (or you risk losing all data on the floppy disk).

Use a disk editor such as the Norton Disk Editor to read the boot record from the uninfected floppy disk and write this boot record over the boot record on the infected floppy disk. Recall that the FBR is located in cylinder 0, side 0, sector 1. This operation replaces the boot record of the infected floppy disk, removing the viral bootstrap routine.

How to Repair an Infected MBR

Many users think that reformatting the hard drive can remove most boot record viruses from the hard drive. Although reformatting can remove PBR viruses, it cannot destroy an MBR virus. The most effective way to repair an infected MBR is to use the FDISK utility. The following technique works with almost all MBR viruses; however, use caution. Follow each of the steps exactly. Only use this technique on standard DOS/Windows 95, non-multiboot systems.

1.  Create a DOS boot floppy disk. (Format it on another guaranteed-uninfected computer: FORMAT A: /S).
2.  Copy FDISK.EXE from the DOS directory on the hard drive of the uninfected computer to this floppy disk.
3.  Write-protect this floppy disk.
4.  Insert the floppy disk into the infected computer and perform a cold boot from this floppy disk.
5.  Attempt to access drive C: from this floppy disk. Type C:, press Enter, type DIR, and press Enter. You should be able to access all the files on the drive. If drive C: is inaccessible, do not continue with this process; use an antivirus program.
6.  If the C: drive is accessible after booting from the floppy disk, return to drive A: by typing A: and pressing Enter.
7.  Enter FDISK /MBR. This rewrites the MBR bootstrap routine (and overwrites the virus bootstrap routine).
8.  Obtain an antivirus program and rescan the MBR for viruses. This technique might not remove all MBR viruses.

How to Repair an Infected PBR

Do not attempt to repair PBR infections without an antivirus program. Today, many systems have fancy PBR bootstrap routines that provide multiboot and other capabilities. Attempting a by-hand repair most likely will result in negative consequences.

So How Do the Antivirus Programs Do It?

Most antivirus programs detect and repair FBR, MBR, and PBR viruses using their virus scanner component. Once the antivirus program knows the exact nature of the infection, including the virus type and strain, it can locate the original FBR, MBR, or PBR that the virus stored and write it back over the infected boot record. This is possible because a given virus almost always stores the saved boot record in a consistent location.

When repairing floppy disk infections or MBR infections, antivirus programs also can use other techniques. If the antivirus program cannot find the original boot record, it can overwrite the viral bootstrap routine in the infected boot record using a special generic bootstrap routine.

In the case of FBR viruses, this generic bootstrap routine is often designed to display a message similar to “Non-system disk error” when the user boots from the floppy disk. The user can later make the floppy disk bootable by using the DOS SYS command. For this type of repair to work, the floppy disk’s BPB must be intact, because the antivirus program only replaces the bootstrap component of the FBR.

For MBR viruses, the antivirus program overwrites the viral bootstrap program with a simple replacement routine. This replacement works in the same fashion as the standard MBR bootstrap routine inserted by FDISK; however, it is written differently so as not to violate any copyright laws. For this type of repair to work, the hard drive’s partition table must be intact because the antivirus program only replaces the bootstrap component of the MBR.
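The following added example (not code from the book or from any antivirus product) works on 512-byte sector images to illustrate the two repair ideas above and Technique 3: a generic repair that keeps the FAT BPB (bytes 3 to 61) or the MBR partition table (bytes 446 to 509) and replaces only the bootstrap code, and a boot-record transplant that first checks, from the BPB, that the clean and infected disks have the same geometry. The BPB offsets are the standard FAT12/16 layout; the sample sectors and bootstrap stubs are constructed for the demonstration and are not real disk images.

```python
import struct

SECTOR = 512
BPB_END = 62                  # jump (3 bytes) + OEM name + FAT12/16 BPB incl. extended BPB
PT_START = 446                # MBR partition table: four 16-byte entries
SIG_OFF = 510                 # boot signature 0x55 0xAA
SIG = b"\x55\xaa"
FAT_JUMP = b"\xeb\x3c\x90"    # jmp short to offset 0x3E, where the bootstrap code begins

def has_boot_signature(sector):
    return len(sector) == SECTOR and sector[SIG_OFF:] == SIG

def bpb_geometry(sector):
    """(bytes/sector, sectors/track, heads, total sectors) read from the FAT BPB."""
    bps = struct.unpack_from("<H", sector, 0x0B)[0]
    total16 = struct.unpack_from("<H", sector, 0x13)[0]
    spt, heads = struct.unpack_from("<HH", sector, 0x18)
    total32 = struct.unpack_from("<I", sector, 0x20)[0]
    return bps, spt, heads, total16 or total32

def repair_fbr_generic(infected, stub):
    """Generic FBR repair: keep the BPB intact, replace only the bootstrap code."""
    if not has_boot_signature(infected):
        raise ValueError("not a boot sector: signature missing")
    if len(stub) > SIG_OFF - BPB_END:
        raise ValueError("stub too large for the bootstrap area")
    return FAT_JUMP + infected[3:BPB_END] + stub.ljust(SIG_OFF - BPB_END, b"\x00") + SIG

def repair_mbr_generic(infected, stub):
    """Generic MBR repair: keep the partition table intact, replace only the bootstrap code."""
    if not has_boot_signature(infected):
        raise ValueError("not a boot sector: signature missing")
    if len(stub) > PT_START:
        raise ValueError("stub too large for the bootstrap area")
    return stub.ljust(PT_START, b"\x00") + infected[PT_START:SIG_OFF] + SIG

def transplant_fbr(clean, infected):
    """Technique 3: reuse a clean disk's FBR, but only if both BPBs describe the same geometry."""
    if not (has_boot_signature(clean) and has_boot_signature(infected)):
        raise ValueError("not a boot sector: signature missing")
    if bpb_geometry(clean) != bpb_geometry(infected):
        raise ValueError("geometry mismatch: disks are not the same size and capacity")
    return bytes(clean)

def make_fat_sector(total_sectors, spt, media, bootcode):
    """Constructed sample FAT12 floppy boot sector (not a real disk image)."""
    s = bytearray(SECTOR)
    s[0:3], s[3:11] = FAT_JUMP, b"MSDOS5.0"
    # bps, spc, reserved, FATs, root entries, total16, media, sectors/FAT, spt, heads, hidden
    struct.pack_into("<HBHBHHBHHHI", s, 0x0B, 512, 2, 1, 2, 112, total_sectors, media, 3, spt, 2, 0)
    s[BPB_END:BPB_END + len(bootcode)] = bootcode
    s[SIG_OFF:] = SIG
    return bytes(s)
```

The transplant check reads geometry from the infected disk's BPB, so it is only meaningful when the virus left the BPB intact, which is the same precondition the generic FBR repair relies on.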

