Frisk Software International - Technical note #8


                   Generic boot sector disinfection

Although F-PROT is usually up-to-date with respect to virus detection and
disinfection, there are occasional cases of a virus infecting a machine
before we have implemented disinfection of that particular virus.

The instructions below describe a "generic" method for the removal of boot
sector viruses.

If the virus infects the Master (Partition) boot sector:

    Create a bootable system diskette on a different (clean) machine, that
    is running DOS 5 or 6, with the FORMAT /S or "SYS" commands.  You cannot
    use DOS 4 or older for this purpose.

    Copy the file FDISK.EXE to that diskette and write-protect it.

    Boot the infected machine with this diskette - do not rely on just
    pressing Ctrl-Alt-Del; press the Reset button or turn the machine off
    and then back on.

    Check if you are able to access all partitions on the hard disk normally.
    If they are not recognized, it might be because the virus encrypts the
    partition data or overwrites it; in this case the generic disinfection
    method described below is not possible.  One method which will often work
    in that case is to wipe out the MBR with a disk editor, and then run NDD
    and tell it to recover the lost partitions.  My favourite tool for this
    purpose is NDD version 4.5.  However, you should make a backup copy of the
    (infected) MBR first - if you don't know how to do that, you probably
    should not be fiddling with the MBR anyhow.

    If you can access C: and other partitions, give the command FDISK /MBR.
    This will overwrite the code part of the MBR - in effect "killing" the
    virus.  (Note: if you are using Novell DOS 7.0, you need to select this
    option from the menu, not give a command-line switch.)

    Reboot the machine normally from the hard disk.
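As an added illustration, not part of the original note, the following Python script parses a 512-byte MBR image (the backup copy mentioned above) and checks that a cleanup such as FDISK /MBR changed only the boot-code area, bytes 0 to 445, while the four partition table entries and the 55AA signature stayed intact. The sample MBR images, their loader bytes and the single FAT16 partition in them are constructed for this example.

```python
import struct

SECTOR = 512
CODE_END = 446            # bytes 0..445: boot code, the part FDISK /MBR rewrites
TABLE_END = 510           # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xAA"   # bytes 510..511: boot sector signature


def parse_partitions(mbr):
    """Return the non-empty partition entries of a 512-byte MBR image."""
    if len(mbr) != SECTOR or mbr[TABLE_END:] != SIGNATURE:
        raise ValueError("not a valid MBR: bad length or missing 55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[CODE_END + 16 * i: CODE_END + 16 * (i + 1)]
        # layout: boot flag, 3 bytes CHS start, type, 3 bytes CHS end, LBA start, sector count
        boot, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        if boot not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid boot flag {boot:#x}, table may be damaged")
        parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def table_looks_intact(mbr):
    """False when the table cannot be parsed: the 'partitions not recognized' case."""
    try:
        parse_partitions(mbr)
        return True
    except ValueError:
        return False


def code_region_changed_only(before, after):
    """True if the boot code differs but partition table and signature are unchanged."""
    return before[:CODE_END] != after[:CODE_END] and before[CODE_END:] == after[CODE_END:]


def entry(boot, ptype, lba_start, sectors):
    """Pack one 16-byte partition entry (CHS fields left zero)."""
    return struct.pack("<B3xB3xII", boot, ptype, lba_start, sectors)


def build_sample_mbr(code, entries):
    """Constructed MBR: code padded to 446 bytes, entries padded to 4, then signature."""
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return code.ljust(CODE_END, b"\x00") + table + SIGNATURE


# Constructed images: same partition table, different boot code (type 0x06 = FAT16).
FAT16 = entry(0x80, 0x06, 63, 204737)
INFECTED = build_sample_mbr(b"\xEB\xFE" + b"placeholder infected loader", [FAT16])
CLEANED = build_sample_mbr(b"\xFA\x33\xC0" + b"placeholder clean loader", [FAT16])
```

Running `parse_partitions` on the backup and on the disk after FDISK /MBR, and `code_region_changed_only` on the two images, confirms the partition data survived the cleanup.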

If the virus infects the DOS boot sector:

    Create a bootable system diskette on a different (clean) machine, that
    is running exactly the same version of DOS as the infected machine.

    COPY the SYS.COM file from the DOS directory to the diskette and
    write-protect it.

    Boot from the diskette and give the command SYS C:

    In addition to copying the system files over (which is not necessary to
    remove the virus), this will overwrite the DOS boot sector with "clean"
    code, killing the virus.


