question on boot sector viruses

  • Thread starter: Rage Skywolfe
Believe you mean NTFS type 3 filesystem, not XP filesystem. XP will work
fine in FAT32 or NTFS type 3 filesystems. Many manufactured PCs and laptops
come with XP in a FAT32 file system.
 
yeah I meant NTFS and are there any indications of boot sector viruses? or
are they just dormant in the system with no signs at all.
 
From things I've picked up in the past via Symantec, there's 2 different
versions that affect an mbr oriented virus. One can be fixed via a repair
of the mbr by using fdisk/mbr (FAT32) with the proper version of msdos, and
in the case of NTFS type 3 fixmbr from the recovery console. Disk overlays
for total use of the hard disk can be wiped as result. The other type can
only be fixed by entirely wiping the first sector of the hard drive. They
are both redirects of the bootstrap. Some 3rd party boot managers use this
method to implement their boot menu.

The partition boot record exists on the first bootable partition of a hard
disk on a PC. Some types of infections may exist here. This is where the mbr
directs the system to boot the operating system. Though an entirely
different animal, many people get these confused with mbr resident viruses.

http://en.wikipedia.org/wiki/Volume_Boot_Record

http://en.wikipedia.org/wiki/Master_boot_record

http://en.wikipedia.org/wiki/Boot_sector

If you read both carefully, you can see that both the mbr and the active
primary partition participate before the operating system actually commences
loading from the hard disk.

How to fix your system specifically depends on the infection type and actual
location on the hard disk's sector zero. A zero write, implemented from
write protected boot media, will wipe either type. This type of software,
provided by hard disk manufacturers, will also map out bad areas of the hard
drive, and these are passed along to the partitioning program so it won't attempt to
use such bad areas. Subsequent use of Scandisk or other such programs will
never see such areas as they don't exist within the partition's designated
area.
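
The sector-zero layout described in the post above, as an added example that is not part of the original thread: it parses a 512-byte MBR, finds the active partition whose boot record the MBR hands off to, and compares the bootstrap code against a known-good hash. The function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 440            # bootstrap code; bytes 440-445 hold the NT disk signature
TABLE_OFFSET = 446        # four 16-byte partition entries start here
ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"   # boot signature at offsets 510-511


def parse_mbr(sector: bytes) -> dict:
    """Return the bootstrap-code hash and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sector zero must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + i * ENTRY_LEN:TABLE_OFFSET + (i + 1) * ENTRY_LEN]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if raw[4] == 0:
            continue  # partition type 0 marks an unused slot
        entries.append({"slot": i, "active": raw[0] == 0x80, "type": raw[4],
                        "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": entries}


def check_against_baseline(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means sector zero matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected 1 active partition, found {len(active)}")
    return findings


def build_sample(code: bytes) -> bytes:
    """Constructed sample sector: one active NTFS (type 0x07) partition at LBA 63."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 204800)
    return code.ljust(TABLE_OFFSET, b"\x00") + entry + bytes(48) + SIGNATURE
```

For a real check, feed it the first 512 bytes of a disk image taken while booted from trusted, write-protected media, and record the baseline hash while the system is known to be clean.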
 
ok there are places that mention reinfecting media if it is inserted into a
drive where the virus is. does this apply to cd rom drives as well? and are
system disks (the retail disks you buy) exempt from this? also does having
just that and the driver disk do anything with that.
 
edit:
also I am wondering do hard drive errors like disk read error have anything
to do with that?
 
From: "Rage Skywolfe" <[email protected]>

| yeah I meant NTFS and are there any indications of boot sector viruses? or
| are they just dormant in the system with no signs at all.

Boot Sector Infectors such as "NYB" and "Form" don't infect NTFS.
 
Some viruses can reside on boot external, CD, and floppy boot media. You
never use an infected PC to create boot media. The reliability of boot
media is best made from a reliable source, be it some well known software
maker/hardware source, or reliable local PC. Use sound judgment.
 
A simple hard disk read error is some indication of an error in the I/O
scheme of things. Could be cpu timing, could be RAM, could be the hard disk
itself, and more, or a combination of these things. Although possible to
have an error in the MBR itself, and nowhere else on the hard disk, I
greatly doubt that such an error would be read as an MBR virus in the first
sector. Good snooping, but has little possibility of resolution if that's
the case and it's chased as a hard drive disk error. In that event, you may
end up replacing the hard drive. Don't get me wrong, it does happen though.
 
ok that is one of the things I was wondering for I wasn't sure if things like
operating system disks would be infected by something like that. and also I
wondered if there are any symptoms that a computer will show that something
is not right.
 
