Internet Security Professional Reference: Viruses


Possible Damage Due to Boot Record Virus Infection

Hard drives still can become infected with boot record viruses by booting off of an infected floppy disk. Boot record viruses infect hard drive boot records by relocating the original boot record to a new, and hopefully unused, location in the partition, and then replacing the original boot record with the viral boot record. Usually, boot record viruses place the original, uninfected boot record at the end of the infected drive.

Depending on what type of file system is being used on the Windows NT boot partition, different problems may arise.

Damage Due to Boot Record Virus Infection on FAT Systems

If the virus places the original boot record at the end of the drive and doesn’t take steps to protect this sector, Windows NT may inadvertently overwrite the saved boot record. This will cause the system to crash during bootup. The same behavior can also be observed under DOS and Windows 95.

If the virus doesn’t maintain the BPB (BIOS parameter block) section of the boot record and relies upon stealth functionality to properly provide this information to DOS, Windows NT will have difficulty accessing the drive once the protected-mode disk drivers are utilized.

Damage Due to Boot Record Virus Infection on NTFS or HPFS Systems

On bootable NTFS partitions, Windows NT places a “bootstrap” operating system loader program on the sectors immediately following the NTFS boot record. After the MBR loads and executes the Windows NT boot record during system bootup, it immediately rereads itself and these additional bootstrap sectors into memory and transfers control to them. The NTFS boot sector and these additional sectors comprise a bootstrap program that can load and launch the bulk of the Windows NT operating system.

If a boot record virus infects the NTFS boot record, it overwrites the first sector of the multi-sector bootstrap program, causing important routines and data to be lost. Consider the NTFS bootup process with a boot record infection: During the NTFS bootup, the uninfected MBR loads and transfers control to the viral boot record of the active NTFS partition. The virus then installs itself in memory and transfers control to the original NTFS boot record, which is retrieved from the end of the logical or physical drive where the virus stored it. At this point, a small routine in the NTFS boot record attempts to load the entire NTFS bootstrap program (which is comprised of what should be the original NTFS boot record and the following sectors). However, the first sector of the bootstrap program has been overwritten by the body of the virus. Thus, a corrupted copy of the bootstrap program is loaded and executed. This results in a system crash and Windows NT fails to start up.

The bottom line is that most boot record viruses cause an NTFS-based Windows NT system to crash during bootup. However, if the boot record virus has stealth capabilities, Windows NT may be able to load properly. The bootstrap stage runs before Windows NT has loaded its own protected-mode disk drivers; in other words, the NTFS boot record uses the standard BIOS disk services, together with any resident computer virus that has hooked into those services, to load the bootstrap program from the hard drive. If the virus has stealth capabilities, when the Windows NT boot record uses these BIOS/virus services to load the NTFS bootstrap program, the virus can hide the infected boot record and return the original NTFS boot record along with the other bootstrap sectors. Once the proper bootstrap program has been loaded, Windows NT can boot up normally.
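The load sequence just described, as an added example that is not from the book: a toy model in Python in which sectors are byte strings, the bootstrap image is guarded by a constructed SHA-256 digest, and BIOS reads go through one function that a stealth flag can hook. It also shows the defender's counter to stealth that the chapter implies, since the virus is disabled once protected-mode drivers take over: read the same sector through the BIOS service and through a path that bypasses it, and flag any mismatch. The sector counts, contents and function names are assumptions made for the example.

```python
import hashlib

SECTOR = 512
BOOTSTRAP_SECTORS = 4   # constructed: NTFS boot record plus three bootstrap sectors


def make_disk(total_sectors=64):
    """Build a constructed, clean disk image as a list of 512-byte sectors."""
    disk = [bytes(SECTOR) for _ in range(total_sectors)]
    for i in range(BOOTSTRAP_SECTORS):
        body = f"NTFS-BOOTSTRAP-PART-{i}".encode().ljust(SECTOR - 2, b"\x00")
        disk[i] = body + b"\x55\xAA"
    return disk


def bootstrap_digest(sectors):
    """Digest of the multi-sector bootstrap image; stands in for the
    consistency the real loader needs between its sectors."""
    return hashlib.sha256(b"".join(sectors)).hexdigest()


def model_infection(disk):
    """Model the layout the text describes: original boot record parked in
    the last sector, a viral record in sector 0. Constructed data only."""
    infected = list(disk)
    infected[-1] = disk[0]
    infected[0] = b"VIRAL-BOOT-RECORD".ljust(SECTOR - 2, b"\x00") + b"\x55\xAA"
    return infected


def bios_read(disk, lba, stealth=False):
    """Model an INT 13h sector read. With stealth=True a resident virus has
    hooked the service and answers requests for sector 0 with the saved
    original, hiding the infection from whoever asked."""
    if stealth and lba == 0:
        return disk[-1]
    return disk[lba]


def load_bootstrap(disk, expected_digest, stealth=False):
    """Model the original boot record re-reading itself and the following
    sectors through BIOS services, then checking the image before use.
    Returns True when the loaded image is the intact bootstrap program."""
    image = [bios_read(disk, i, stealth) for i in range(BOOTSTRAP_SECTORS)]
    return bootstrap_digest(image) == expected_digest


def cross_view_check(disk, stealth=False):
    """Defender's view: compare sector 0 as reported by the (possibly hooked)
    BIOS service with sector 0 read by a driver that bypasses it. A mismatch
    means something resident is rewriting what the BIOS reports."""
    return bios_read(disk, 0, stealth) != disk[0]


if __name__ == "__main__":
    clean = make_disk()
    digest = bootstrap_digest(clean[:BOOTSTRAP_SECTORS])
    infected = model_infection(clean)
    print("clean disk loads:", load_bootstrap(clean, digest))
    print("infected, no stealth:", load_bootstrap(infected, digest))
    print("infected, stealth:", load_bootstrap(infected, digest, stealth=True))
    print("cross-view mismatch under stealth:", cross_view_check(infected, True))
```

Without stealth the loaded image has the viral sector where the first bootstrap sector should be and the check fails, which is the crash the text describes; with stealth the same disk loads cleanly, and only the cross-view comparison exposes the hook. Note the last case in the test: with no resident hook at all, both views agree even though sector 0 is viral, so cross-view comparison detects stealth, not infection, and must be paired with a scan of the sector contents.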

Windows NT Installation with Existing Boot Record Infection

Windows NT can be installed within an existing DOS/Windows 95 FAT-based partition, giving the user the option of either booting into Windows NT or into the old DOS or Windows 95 operating system. Windows NT provides this dual-boot service by making a backup copy of the DOS/Windows 95 boot record during its installation, and saving this backup copy to a file called BOOTSEC.DOS. Windows NT then replaces the boot sector of the FAT-based drive with the Windows NT boot sector.

Each time the user reboots the system, the Windows NT loader asks the user which operating system to start. If the user requests a bootup into DOS or Windows 95, then the Windows NT loader loads and executes the original boot record contained in the BOOTSEC.DOS file and boots the computer into a standard DOS/Windows session.

Unfortunately, if the boot record of the DOS/Windows 95 partition was infected with a virus before Windows NT was installed, a copy of this virus is placed within the BOOTSEC.DOS file during installation. Consequently, each time the user boots the system into DOS or Windows 95, the virus gains control of the system. In addition, because the virus isn’t located within the boot record of the drive, it can’t be detected by Windows NT-unaware antivirus tools.
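An added example, not the book's code, covering two points above: a virus that does not maintain the BPB leaves structural inconsistencies that a parser can flag, and the same checks must be run against BOOTSEC.DOS because that saved copy sits outside the drive's boot sector. The layout is the standard FAT12/FAT16 boot sector (DOS 3.31 BPB, DOS 4.0 extended BPB, boot code from offset 0x3E); the sample sectors, the disk image, the known-good baseline set and the helper names are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<3s8sHBHBHHBHHHII"   # jump, OEM name, then the DOS 3.31 BPB fields
CODE_OFFSET = 0x3E                  # boot code starts after the DOS 4.0 extended BPB


def parse_bpb(sector: bytes) -> dict:
    """Decode the jump instruction, BPB and boot signature of a FAT boot sector."""
    names = ("jump", "oem", "bytes_per_sector", "sectors_per_cluster",
             "reserved_sectors", "fat_count", "root_entries", "total_sectors16",
             "media", "sectors_per_fat", "sectors_per_track", "heads",
             "hidden_sectors", "total_sectors32")
    bpb = dict(zip(names, struct.unpack_from(BPB_FORMAT, sector, 0)))
    bpb["signature"] = struct.unpack_from("<H", sector, 0x1FE)[0]
    return bpb


def bpb_problems(sector: bytes) -> list:
    """Structural checks a boot record with an unmaintained BPB fails."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    b = parse_bpb(sector)
    problems = []
    if b["signature"] != 0xAA55:
        problems.append("missing 0x55AA boot signature")
    if b["jump"][0] not in (0xEB, 0xE9):
        problems.append("first byte is not a JMP opcode")
    if b["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("bytes per sector out of range")
    spc = b["sectors_per_cluster"]
    if spc == 0 or spc > 128 or spc & (spc - 1):
        problems.append("sectors per cluster is not a power of two in 1..128")
    if b["reserved_sectors"] == 0:
        problems.append("reserved sector count is zero")
    if b["fat_count"] not in (1, 2):
        problems.append("FAT count is not 1 or 2")
    if b["media"] != 0xF0 and not 0xF8 <= b["media"] <= 0xFF:
        problems.append("media descriptor is not a valid FAT value")
    if b["total_sectors16"] == 0 and b["total_sectors32"] == 0:
        problems.append("total sector count is zero")
    return problems


def code_digest(sector: bytes) -> str:
    """Hash only the boot code, so the per-volume serial number and label in
    the extended BPB do not disturb a known-good baseline."""
    return hashlib.sha256(sector[CODE_OFFSET:0x1FE]).hexdigest()


def find_saved_boot_record(image: bytes, tail_sectors: int = 16):
    """Search the last sectors of an image for a structurally sane boot
    record, the place the text says most boot record viruses park the
    original. Returns the sector number, or None if nothing qualifies."""
    total = len(image) // SECTOR_SIZE
    for lba in range(total - 1, max(total - 1 - tail_sectors, -1), -1):
        sec = image[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]
        if not bpb_problems(sec):
            return lba
    return None


def check_bootsec_dos(bootsec_dos: bytes, known_good_code: set) -> list:
    """Apply the same checks to the copy Windows NT saved for dual booting,
    plus a baseline comparison of the boot code region."""
    problems = bpb_problems(bootsec_dos)
    if code_digest(bootsec_dos) not in known_good_code:
        problems.append("boot code does not match any known-good baseline")
    return problems


def make_clean_boot_sector() -> bytes:
    """Constructed 1.44 MB-style FAT12 boot sector with a sane BPB."""
    head = struct.pack(BPB_FORMAT, b"\xEB\x3C\x90", b"MSWIN4.1", 512, 1, 1, 2,
                       224, 2880, 0xF0, 9, 18, 2, 0, 0)
    ext = struct.pack("<BBBI11s8s", 0x80, 0, 0x29, 0x12345678,
                      b"NO NAME    ", b"FAT12   ")
    code = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (0x1FE - CODE_OFFSET - 5)  # stub
    return head + ext + code + b"\x55\xAA"


def make_bpb_clobbered_sector() -> bytes:
    """Constructed stand-in for a boot record whose BPB was not preserved:
    the jump, code and signature survive, the BPB bytes are zeroed."""
    clean = make_clean_boot_sector()
    return clean[:3] + bytes(CODE_OFFSET - 3) + clean[CODE_OFFSET:]
```

Usage: read sector 0 of the drive and the contents of BOOTSEC.DOS, run `bpb_problems` and `check_bootsec_dos` on each, and keep `known_good_code` populated with `code_digest` values taken from boot sectors of known-clean installations. Two caveats follow from the chapter: a virus that does maintain the BPB passes every structural check, which is why the code-region baseline is included, and a stealthing virus resident in memory will falsify the sector you read, so the drive must be read after booting from known-clean media.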

MBR and Boot Record Viruses—The Bottom Line

Viruses such as Michelangelo and One-half can cause damage during bootup but are completely disabled after Windows NT starts using its protected-mode disk drivers. Infections of floppy disks or files (in the case of a multipartite virus) are prevented in all instances. Viruses that don’t save the boot record’s BPB information or the MBR’s partition table may prevent NT from booting or make certain drives inaccessible. Furthermore, all nonstealthing boot record viruses (such as the Form virus) that infect bootable NTFS partitions will corrupt the operating system bootstrap loader and cause Windows NT to crash during bootup. When booting from an infected floppy disk, buggy virus infection mechanisms may also cause data loss under all three file systems supported by NT.

