Threat Description

Boot virus

Details

Aliases: Boot virus, BOO virus, MBR virus, DBR virus
Category: Malware
Type: Virus
Platform: W32

Summary



This type of virus infects the Master Boot Record (MBR) or DOS Boot Record (DBR) of a hard drive, or the Floppy Boot Record (FBR) of a floppy drive.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



A boot virus (also known as a boot infector or an MBR or DBR virus) targets and infects a specific, physical section of a computer system that contains information crucial to the proper operation of the computer's operating system (OS). Boot viruses may differ based on whether they target the MBR, the DBR or the FBR:

  • The MBR is the first sector of a hard drive and is usually located on track 0. It contains the initial loader and information about partition tables on a hard disk.
  • The DBR is usually located a few sectors after the MBR (62 sectors after it on a hard disk with 63 sectors per track), and contains the initial loader for an operating system and logical drive information.
  • The FBR is used for the same purposes as the DBR on a hard drive, but it is located on the first track of a diskette.

Though boot viruses were more common in the early 90s, they have since become less of a threat, as most computer motherboards now provide protection against such threats by denying access to the MBR without user permission. In recent years, however, more sophisticated malware has been developed that has begun retargeting the MBR (e.g., Rootkit:W32/Whistler.A).


A boot virus can be either overwriting or relocating. An overwriting boot virus overwrites the MBR, DBR or FBR sector with its code, preserving the partition table information or logical drive information respectively. Relocating boot viruses save the original MBR, DBR or FBR somewhere on the hard or floppy drive. Sometimes this action can destroy certain areas of the hard or floppy drive and make the disk unreadable.

All boot viruses are memory-resident. When a computer is started, the boot virus code is loaded into memory. The virus traps one of the BIOS functions (usually the disk interrupt vector Int 13h) and stays resident in memory. It then monitors disk access and writes its code to the boot sectors of media used on the infected computer. For example, a boot virus started from a diskette infects the hard drive; the virus then infects all diskettes that are inserted into the infected computer's floppy drive.
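
The MBR layout and the overwriting behaviour described above suggest a simple integrity check, shown here as an added example (not F-Secure's code): hash the initial loader and the partition table separately and compare them against a known-good copy of the sector. It assumes the conventional MBR layout (446-byte loader area, four 16-byte partition entries, 0x55AA signature); the function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
CODE_END = 446    # bytes 0..445: initial loader (bootstrap code)
TABLE_END = 510   # bytes 446..509: four 16-byte partition entries


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into loader hash, partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = sector[CODE_END + 16 * i: CODE_END + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0 marks an unused slot
            parts.append({"active": entry[0] == 0x80, "type": entry[4],
                          "lba_start": lba_start, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[CODE_END:TABLE_END]).hexdigest(),
        "partitions": parts,
        "valid_signature": sector[510:512] == b"\x55\xaa",
    }


def compare(baseline: bytes, current: bytes) -> str:
    """Classify how the current MBR differs from a known-good baseline copy."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    code_changed = a["code_sha256"] != b["code_sha256"]
    table_changed = a["table_sha256"] != b["table_sha256"]
    if code_changed and not table_changed:
        # Pattern of an overwriting infector: new loader, original table kept.
        return "loader-replaced-table-preserved"
    if code_changed or table_changed:
        return "modified"
    return "unchanged"


def build_sample(loader: bytes) -> bytes:
    """Constructed test sector: placeholder loader bytes, one partition at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0B,
                        b"\xfe\xff\xff", 63, 2048)
    code = loader.ljust(CODE_END, b"\x00")
    return code + entry + b"\x00" * 48 + b"\x55\xaa"
```

The sample partition starts at LBA 63, which is where the DBR sits on a disk with 63 sectors per track. A mismatch only shows that the sector differs from the baseline; legitimate boot loader installs change the loader area too.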





