What is a sector?
Before we begin, we must first determine what a sector is. A sector
is a subdivision of a drive. The term is derived from the mathematical
term for a portion of a circle (an arc) that is enclosed by two radii, or
lines from the center to the edge of the circle. So in computer storage
terms, a sector is an arc where data is written. Note: the drawing is not my best work.
So, what and where is a boot sector?
In order for a PC to be usable, it needs to power up and boot. And
the PC has two stages of booting up. The first stage boot loader is the
BIOS. This is so that all the primary hardware comes online and is
able to communicate with one another. This also contains instructions
on which hardware - usually a storage device - to access to get to the
second stage of the boot process. The second stage boot loader is used
to load the OS. Two examples are NTLDR.exe and GRUB.
These are some of the files you shouldn't be messing with:
The boot sector contains the data on how the computer hardware will
process the data contained in the media. Think of it as a form of
encryption where the key is in the front: it gives information on
how to decrypt/read the data that follows. It also contains partition
information on how a disk is separated into "slices", like spaces
between words. Otherwise, you'dhaveahardtimecomprehendingwhatiswritten. :D
If you're looking for a more technical explanation... here goes. On
IBM PC compatible machines, the BIOS is ignorant of the distinction
between Volume Boot Records (VBR) and Master Boot Records (MBR), and of
partitioning. The firmware simply loads and runs the first sector of the
storage device. If the device is a floppy or USB flash drive, that will
be a VBR. If the device is a hard disk, that will be an MBR. It is the
code in the MBR which generally understands disk partitioning, and
in turn, is responsible for loading and running the VBR of whichever
primary partition is set to boot (the active partition). The VBR then
loads a second-stage bootloader from another location on the disk.
About the virus...
Whatever is stored in the first sector of a bootable storage device
(floppy diskette, USB device, hard disk) is not required to
immediately load any bootstrap code for an OS, if ever. The BIOS merely
passes control to whatever exists there, as long as the sector meets the
very simple qualification of having the boot record signature 0x55,
0xAA in its last two bytes. This is why it's easy to replace the usual
bootstrap code found in an MBR with more complex loaders, even large
multi-functional boot managers (programs stored elsewhere on the device
which can run without an operating system), allowing users a number of
choices in what occurs next. With this kind of freedom, abuse often
occurs in the form of boot sector viruses.
What does that mean? The boot sector is basically an indicator to tell the
hardware what type of device it is communicating with and how data
is to be read from and written to it. It then accesses certain instructions from
files, and what follows next is [place your virus here] and then finally
the OS in all its glory! So a boot sector virus, in order to propagate,
must first be loaded into memory by following the instructions written
in the infected boot sector, and it carries instructions to write itself onto the
next media. For malware working from the OS or application side to be
able to infect the boot sector, it must do low-level programming, or it
would have a hard time propagating to that area. But since NTLDR is
readily accessible from Explorer or MS-DOS, all that is needed is
write access to system files.
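As an added example (not code from the original post), here is a small Python parser for a 512-byte MBR that applies the checks described above from a defender's side: the 0x55 0xAA signature in the last two bytes, the four-entry partition table and its active (0x80) partition, and a SHA-256 of the bootstrap code area compared against a known-good baseline so a replaced loader can be spotted. The sample sector, the baseline hash and the "tampered" variant are all constructed inline; they are not real disk images.

```python
import hashlib
import struct

PARTITION_TABLE_OFFSET = 446      # bootstrap code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16         # four entries, 64 bytes in total
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of a bootable sector

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR: check the boot signature, read the four primary
    partition entries and record which one is flagged active (0x80)."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = sector[off:off + PARTITION_ENTRY_SIZE]
        status, ptype, lba_start, num_sectors = entry[0], entry[4], *struct.unpack_from("<II", entry, 8)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": num_sectors})
    active = [p["index"] for p in partitions if p["active"]]
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "active_partition": active[0] if len(active) == 1 else None,
    }

def check_mbr(sector: bytes, known_good_bootcode_sha256: str) -> list:
    """Findings a defender would act on; an empty list means the sector looks intact."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55 0xAA boot signature: BIOS would not boot this sector")
    if info["bootcode_sha256"] != known_good_bootcode_sha256:
        findings.append("bootstrap code differs from the known-good baseline")
    if info["active_partition"] is None:
        findings.append("no single active partition")
    return findings

def build_sample_mbr(bootcode: bytes = b"\xEB\x3C" + b"\x90" * 444) -> bytes:
    """Constructed sample (not a real disk): placeholder boot code, one active NTFS-type partition at LBA 63."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 2_000_000)
    return bootcode + entry + b"\x00" * 48 + BOOT_SIGNATURE

SAMPLE_MBR = build_sample_mbr()
BASELINE = hashlib.sha256(SAMPLE_MBR[:PARTITION_TABLE_OFFSET]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xCC" * 446)  # same partition table, replaced loader code
```

On a real system the 512 bytes would come from reading the first sector of the physical disk, and the baseline hash would be recorded while the machine is known to be clean.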
"I has virus. Pls remove. Thx."
So how do you remove this sort of malware without reformatting the hard drive?
Here's a procedure for a Windows XP OS:
1. Insert the Windows XP CD-ROM into the CD-ROM drive.
2. Restart the computer from the CD-ROM drive.
3. Press R to start the Recovery Console when the "Welcome to Setup" screen appears.
4. Select the installation that you want to access from the Recovery Console.
5. Enter the administrator password and press Enter.
6. Type the following command and press Enter:
fixmbr
7. Follow the onscreen instructions to restore the Master Boot Record.
8. Type exit
9. Press Enter. The computer will now restart automatically.
The general rule here is to get the first media with a set of
instructions (and a clean MBR!) to load itself, and then, using the
instructions contained therein, to overwrite the MBR of the next storage
media.
Finally, other applications that you may use are the following:
- Fdisk by Microsoft (C:\fdisk /mbr - will overwrite the MBR)
- TestDisk by Christophe Grenier at CGSecurity.org (Check their website)
- MBRWizard by MBRWizard now Firesage (Up to ver 2 is still free, you have to pay for ver 3 with the nice GUI)
There are few MBR viruses out in the wild. Most are probably remnants
and mutations from the DOS days. The probable reason behind this is
that most malware writers are too busy exploiting Internet sites,
commercial apps and OSes, and spamming, where real (and illegal, and
possibly harmful) profit can be made. But this can still pose a
threat, especially if combined with other types of malware out there.
Hopefully the knowledge presented here helps in removing them safely
and with minimal risk.
Cheers.