lotus

previous page: 79  What does the GenB and/or the GenP virus do?
  
page up: Computer Viruses FAQ
  
next page: 81  My PC diagnostic utility lists "Cascade" amongst the hardware interrupts (IRQs). Does this mean I have the Cascade virus?

80 How do I "boot from a clean floppy"?




Description

This article is from the Computer Viruses FAQ, by Nick FitzGerald n.fitzgerald@csc.canterbury.ac.nz with numerous contributions by others.

80 How do I "boot from a clean floppy"?

"Put it in the A: drive and turn the power on."

The facetious answer aside, the real question here is usually more one
of "How do I ensure I have a clean boot floppy?"

As with so many issues concerning viruses, the important thing is to be
prepared *in advance*. As with backups, a current, clean boot disk
should be a standard part of every personal computer system, as there
are other occasions than when facing a real or suspected virus infection
where being able to boot your computer to a "known good" state are
useful or desirable (e.g. you accidentally delete your disk-compression
driver from your hard disk). As with backups, a current, clean boot
disk is one of the standard parts of a personal computer system most
commonly missing.

The important thing in preparing a clean boot diskette, especially where
it has to be used with a (suspected) virus infection, is that it must
*not* run a single byte of code from your hard disk. This means your
boot floppy must contain all the basic operating system files, device
drivers and configuration commands necessary to make your system
minimally usable. This diskette must be prepared on a system that is,
itself, guaranteed "clean" and it should be write-protected immediately
after it is completed. Aside from a basic, minimal operating system,
your emergency boot diskette should contain the utilities necessary to
install your OS to a hard disk *and* basic diagnostic or "fix it"
programs and your favorite antivirus tools. Depending upon disk space
considerations, you may need additional diskettes to hold all these
utilities. For example, if you use DOS it is a good idea to copy the
following utility programs to your emergency boot disk (if your version
of DOS includes them): FDISK, CHKDSK and/or SCANDISK, FORMAT, SYS, MEM,
UNFORMAT, UNDELETE, MSD.

When it comes to rebooting your computer from a clean system disk, it is
most important that you perform a "cold start". On a PC, this means
pressing the reset button or turning the power off on again, *not* by
pressing Ctrl-Alt-Del. Regardless of the machine type, if you are
unsure, use the power off then power on method just described. It is
even more important that your machine is correctly configured to try
booting from the floppy first. Most contemporary BIOSes have an option
to select the boot order (A: then C: or C: then A:)--this must be set to
A: then C: for this procedure, though normally we strongly recommend
that you set this option to C: then A:.

As systems change from time to time, you may occasionally need to update
this most critical of diskettes so it will still boot your system to a
usable state. As you may have recently contracted a new virus that
bypasses your current antivirus precautions, this update process can put
you at risk of infecting your "clean" emergency boot diskette. Because
of this, it is prudent to have two such diskettes. With system changes
you would update these in a "leap frog" manner. This means your
previous emergency boot diskette might still bring your machine up to a
minimally useful state (such that you may still be able to make repairs)
should your updated emergency boot diskette be infected by a previously
unknown virus.

Unfortunately, this isn't the whole story either! A PC virus known as
EXE_Bug can fake out the boot process by setting the PC's CMOS to look
as if there are no floppy drives in the machine. Most BIOS'es don't
even try to boot from a floppy in this case, and go straight to the hard
disk, loading the virus from the MBR. When EXE_Bug first loads into
memory, it checks to see if there is a diskette in the first floppy
drive, and if there is, it loads the boot sector from the diskette and
lets the floppy boot as normal. Most people don't notice the subtly
different boot time and drive access order involved in this, so they
think they have booted clean, when in fact the virus is active in
memory! To circumvent this possibility, you have to check the PC's CMOS
settings before letting the floppy boot proceed, make sure that your PC
"knows" it has a floppy drive, *and*, with some PCs, make sure that the
boot order option is set to "A: then C:". This presents a chicken-and-
egg situation on some machines, as you may have to boot DOS on the
machine to be able to run the utility program that lets you change its
CMOS settings.

Remember, if you changed your BIOS's boot order option, set it back to
C: then A: after disinfecting your PC.

 

Continue to:













TOP
previous page: 79  What does the GenB and/or the GenP virus do?
  
page up: Computer Viruses FAQ
  
next page: 81  My PC diagnostic utility lists "Cascade" amongst the hardware interrupts (IRQs). Does this mean I have the Cascade virus?