This article is from the Computer viruses FAQ, by David Harley D.Harley@icrf.icnet.uk, George Wenzel gwenzel@telusplanet.net and Bruce Burrell bpb@umich.edu with numerous contributions by others.
The mark II comp.virus FAQ is worth reading on this (see Part 1
of this FAQ as well as Part 4, section 14).
In brief, don't use FDISK /MBR *unless* you're *very* sure of what
you're doing, as you may lose data. Note also that if you set up the
drive with a disk manager such as EZDrive, you won't be able to access
the drive until and unless you can reinstall it.
(i) What does FDISK /MBR do?
------------------------
It places "clean" partition code into the partition sector of your hard disk.
It does not necessarily change the partition information, however.
[It does sometimes, and when it does it is usually fatal (for the
common user, anyway). FDISK /MBR will wipe the partition table data if
the last two bytes of the MBR are not 55 AA.]
The /MBR command-line switch is not officially documented in all
DOS versions and was introduced in DOS 5.0.
(ii) What is the partition?
----------------------
The partition sector is the first sector on a hard disk. It contains
information about the disk such as the number of sectors in each
partition, where the DOS partition starts, plus a small program. The
partition sector is also called the "Master Boot Record" (MBR).
When a PC starts up it reads the partition sector and executes the
code it finds there. Viruses that use the partition sector modify
this code.
Since the partition sector is not part of the normal data storage
part of a disk, utilities such as DEBUG will not allow access to it.
[Unless one assembles into memory]
Floppy disks do not have a partition sector.
FDISK /MBR will change the code in a hard disk partition sector.
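The 55 AA condition from (i) and the sector layout from (ii), as an added example that is not part of the original FAQ: a Python pre-flight check for a 512-byte image of the partition sector. It assumes the standard PC layout (four 16-byte table entries at offset 446, signature at offset 510); the function names, the plausibility heuristic and the sample image are constructed for illustration.

```python
import struct

TABLE_OFFSET = 446        # assumption: standard PC layout, 4 x 16-byte entries
SIGNATURE = b"\x55\xaa"   # the "55 AA" the FAQ refers to, at offset 510
ENTRY = struct.Struct("<B3xB3xII")  # status, type, start LBA, sector count


def parse_mbr(sector):
    """Return (signature_ok, used_entries) for a 512-byte partition sector."""
    if len(sector) != 512:
        raise ValueError("partition sector must be exactly 512 bytes")
    entries = []
    for slot in range(4):
        status, ptype, start, count = ENTRY.unpack_from(sector, TABLE_OFFSET + 16 * slot)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"slot": slot, "status": status, "type": ptype,
                            "start": start, "sectors": count})
    return sector[510:512] == SIGNATURE, entries


def preflight(sector):
    """List reasons not to rewrite the partition code in this sector yet."""
    signature_ok, entries = parse_mbr(sector)
    problems = []
    if not signature_ok:
        problems.append("last two bytes are not 55 AA: FDISK /MBR would wipe the table")
    if not entries:
        problems.append("no partition entries in this sector")
    for e in entries:
        # Heuristic (assumption): a usable entry has a status of 00 or 80 and
        # a non-zero start and length, since sector 0 is the partition sector itself.
        if e["status"] not in (0x00, 0x80) or e["start"] == 0 or e["sectors"] == 0:
            problems.append("slot %d: implausible entry" % e["slot"])
    if sum(e["status"] == 0x80 for e in entries) > 1:
        problems.append("more than one active partition")
    return problems


def make_sample(signature=SIGNATURE):
    """Constructed sample: zeroed code area, one active type-06 partition."""
    entry = ENTRY.pack(0x80, 0x06, 63, 1000000)
    return bytes(TABLE_OFFSET) + entry + bytes(48) + signature


if __name__ == "__main__":
    for label, image in (("clean", make_sample()), ("no signature", make_sample(b"\x00\x00"))):
        print(label, preflight(image) or "no objections")
```

An empty result means only that the table in this sector looks usable; it says nothing about whether the code in the first 446 bytes is clean.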
(iii) What is a boot sector?
----------------------
The boot sector is the first sector on a floppy disk. On a hard disk
it is the first sector of a partition. It contains information about
the disk or partition, such as the number of sectors, plus a small
program.
When the PC starts up it attempts to read the boot sector of a disk in
drive A:. If this fails because there is no disk it reads the boot
sector of drive C:. A boot sector virus replaces this sector with its
own code and usually moves the original elsewhere on the disk.
Even a non-bootable floppy disk has executable code in its boot sector.
This displays the "not bootable" message when the computer attempts to
boot from the disk. Therefore, non-bootable floppies can still contain
a virus and infect a PC if it is inserted in drive A: when the PC
starts up.
FDISK /MBR will not change the code in a hard disk boot sector (as
opposed to the partition sector). Most boot sector viruses infect the
partition sector of hard disks and floppy disk boot sectors: most do
not infect the boot sector of a hard disk - the Form virus is an
exception.
(iv) How can I remove a virus from my hard disk's partition sector?
--------------------------------------------------------------
There are two main alternatives: run an anti-virus product, or use
FDISK /MBR.
Most effective anti-virus products will be able to remove a virus from
a partition sector, but some have difficulties under certain
circumstances. In these cases the user may decide to use FDISK /MBR.
Unless you know precisely what you are doing this is unwise. You may
lose access to the data on your hard disk if the infection was done by
a virus such as Monkey or OneHalf. Part 4, section 14 of this FAQ
contains details as to how losing data might happen.
(v) Won't formatting the hard disk help?
------------------------------------
Not necessarily. Formatting the hard disk can result in everything
being wiped from the drive *apart* from the virus. Format alters the
DOS partition, but leaves the partition sector (AKA the MBR) untouched.
There is usually a better way of removing a virus infection than
formatting the hard disk.
 