Boot Sector Viruses

Boot sector viruses are now quite rare, but at one time they were the most common type of all. They relied on two facts: people used to copy data from machine to machine on floppy diskettes, and a PC could (and, if it still has a floppy drive, still can) be started from a floppy diskette.

To explain how a boot sector virus works I have to get a little technical, but don't worry, it is not that difficult.

When a PC is first switched on it carries out the same set of tasks.

First it performs some simple diagnostics known as a Power On Self Test, or POST.

Next it reads the boot order from the CMOS settings to find out where to look for the start-up code, known as the bootstrap code. The usual default was to check drive a: first, then the hard disk (drive c:) and finally the CD-ROM.

Then it tries to load the bootstrap code, which in turn loads the operating system.

Now the important bit is the bootstrap code. This is a small program stored in the first sector of every disk, including floppy diskettes, hard disks and bootable CDs. It does one of two things, depending upon whether it was loaded from a diskette or from a hard disk.

If it is on a diskette, it is known as the boot sector, and all it does is go to the first sector in the data area of that diskette and load the operating system files from there.

If it is on a hard disk, it is known as the Partition Sector (or Master Boot Record, MBR). Its function is to read the partition table, find the bootable (active) partition, usually drive c:, and load that partition's boot sector, which is its first sector. The boot sector of a hard disk partition then does the same job as the boot sector of a diskette.

The important point is that this program is always loaded and run, even when the disk does not contain an operating system. To put it another way, even when you get a message such as "Non-System disk or disk error. Replace and strike any key when ready", that program has already been run. It is in fact that program which displays the error message.

A boot sector virus simply replaces the original boot sector with its own code and stores the original boot sector elsewhere on the disk. Each time you start the PC the virus code runs first, and then hands control to the original boot sector so that the machine appears to boot normally.

This means that if you start up a PC with a diskette in drive a:, and that diskette has a boot/partition sector virus, you will infect the PC, even if the diskette does not have an operating system on it.

The first thing the virus does is infect either the boot sector or the partition sector of the hard disk. Incidentally, if it infects the partition sector it is known as a partition sector virus, even though on diskettes it infects the boot sector.

Thereafter, each time you switch on the PC the virus goes memory resident, typically by hooking the BIOS disk services (INT 13h) so that it sees every disk access, and attempts to infect every diskette inserted into the PC.
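The following Python is an added worked example, not code from the original page, and it runs no real boot code. It builds a constructed 8-sector disk image whose sector 0 is a hand-made MBR (446 bytes of bootstrap code, a 64-byte partition table and the 55AA signature), parses it, then simulates the infection just described: sector 0 is copied to a stash sector and its bootstrap area is overwritten with a stub that records where the original went, while the partition table and signature are left intact so the disk still looks bootable. It also shows the two things a cleaner does: compare the bootstrap code against a hash taken on a clean system, and follow the stub's pointer to put the original back. The stub marker, the stash sector number and the partition entry values are all assumptions made up for the example.

```python
"""Toy simulation of MBR layout and boot-sector virus infection/cleanup.

Added example, not part of the original page. The disk image, the stub
bytes and the sector numbers are constructed for illustration only.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # bootstrap code area at the start of the MBR
PART_TABLE_OFF = 446           # four 16-byte partition entries follow it
SIGNATURE = b"\x55\xaa"        # "valid boot sector" marker at offset 510
STUB_MARKER = b"VIRUS-STUB:"   # constructed marker for the simulated virus


def make_image():
    """Constructed 8-sector image: a hand-built MBR followed by zeroed sectors."""
    # cli; xor ax,ax; mov ss,ax  (constructed prologue), padded with NOPs
    boot_code = b"\xfa\x33\xc0\x8e\xd0".ljust(BOOT_CODE_LEN, b"\x90")
    # One active (0x80) FAT16 (0x06) partition starting at LBA 63, 1000 sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\x0f\xff\xff", 63, 1000)
    table = entry + b"\x00" * 48          # remaining three entries empty
    mbr = boot_code + table + SIGNATURE
    assert len(mbr) == SECTOR
    return bytearray(mbr + b"\x00" * (SECTOR * 7))


def sector_at(img, n):
    return img[n * SECTOR:(n + 1) * SECTOR]


def parse_mbr(sector):
    """Split an MBR into its bootstrap code and the non-empty partition entries."""
    if len(sector) != SECTOR or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR: missing 55AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs1, ptype, _chs2, lba, size = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": size})
    return {"code": bytes(sector[:BOOT_CODE_LEN]), "partitions": parts}


def code_hash(img):
    """Hash of the bootstrap code only; an integrity checker records this
    on a clean system and compares it at every boot."""
    return hashlib.sha256(parse_mbr(sector_at(img, 0))["code"]).hexdigest()


def infect(img, stash_sector):
    """Simulate the virus: stash the real sector 0 elsewhere, then overwrite
    the bootstrap area with a stub that knows where the original went.
    The partition table and signature are preserved so the disk still boots."""
    original = bytes(sector_at(img, 0))
    img[stash_sector * SECTOR:(stash_sector + 1) * SECTOR] = original
    stub = STUB_MARKER + struct.pack("<H", stash_sector)
    img[0:BOOT_CODE_LEN] = stub.ljust(BOOT_CODE_LEN, b"\x90")


def check_mbr(img, known_good_hash):
    """True if the bootstrap code still matches the clean-system hash."""
    return code_hash(img) == known_good_hash


def disinfect(img):
    """Follow the stub's pointer to the stashed original and restore it.
    Returns False if sector 0 does not carry the simulated stub."""
    code = sector_at(img, 0)[:BOOT_CODE_LEN]
    if not code.startswith(STUB_MARKER):
        return False
    stash = struct.unpack("<H", code[len(STUB_MARKER):len(STUB_MARKER) + 2])[0]
    img[0:SECTOR] = sector_at(img, stash)
    return True


if __name__ == "__main__":
    img = make_image()
    good = code_hash(img)
    print("clean:", check_mbr(img, good), parse_mbr(sector_at(img, 0))["partitions"])
    infect(img, 5)
    print("after infection:", check_mbr(img, good))
    print("restored:", disinfect(img), check_mbr(img, good))
```

Note that after infection the partition table parses exactly as before; only the hash of the first 446 bytes reveals the change, which is why a clean-system baseline of the bootstrap code (rather than a check of the partition table or the 55AA signature) is what catches this class of infection.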
