Boot Viruses

A boot virus is a virus that infects the part of the computer called a system sector. Boot sector and master boot record (MBR) are the terms used for the two types of system sectors, and both carry executable code. A system sector is an area of the computer hard drive or a floppy disk that is executed when the computer is started. Boot viruses are also known as "boot sector virus", "system sector virus", or "bootstrap virus."

It works like this. Each computer hard drive has a small area that the user cannot access easily, called the MBR, or Master Boot Record. When a computer boots up, it looks at the floppy diskette drive for a bootable disk and, if none is found, looks to the hard drive MBR. The hard drive MBR gives the computer certain commands to follow. For example, it might tell the computer to load Windows. If it does find a floppy disk, it will try to boot from it. The series of processes can be seen in the visual below:

[Figure: Normal Computer Start-Up Sequence]

So how does a boot virus fit in? The computer could get a boot virus from leaving an infected diskette in the drive during shutdown and forgetting to take it out during the next boot up. That infected diskette contains virus code in the disk's boot sector that says, for example, "copy my virus code from this diskette into the hard drive's MBR... then give the normal command, NON SYSTEM DISK OR DISK ERROR, PLEASE REMOVE AND STRIKE ANY KEY". The user does not realize that the virus code has been copied to the MBR. The computer appears to go through the same boot up that it always does. The user removes the floppy disk when instructed, and the computer continues to boot from the hard drive. Now the computer's MBR is infected and the virus becomes memory resident on every boot. All common boot sector and MBR viruses are memory resident. From this point on, any floppy diskette that is put into the infected computer gets the virus code.

Below is another way to think about the boot virus concept.

Every floppy disk, whether it is a bootable disk, a program disk, or a data disk, has a boot sector as its first physical sector, which stores information about the disk and a small program that either puts a message on the screen or starts to load the operating system. The boot sector contains executable code that can be infected with a virus. Even a non-bootable disk can carry a virus. If a floppy disk is inserted into an infected computer, the floppy may be infected instantly even if it has not been accessed by the user.

The hard drive of the computer has a partition sector or master boot record (MBR), which contains executable code that starts the operating system of the computer. This code can be infected. Once infected, the virus can be passed to other files on the computer and to any floppy that is placed in the diskette drive. If a virus damages the MBR, the computer may not recognize that the hard drive even exists and may therefore be unable to start.

A compact disk (CD) used for data storage does not have a boot sector at all. The data files written to a CD cannot pass on a virus to the CD. There are bootable CD-ROMs that could be infected by the person who wrote the CD.