Methods to Detect a Boot-Sector Virus



Document ID: 94000589

 

Posted Date: 1996-08-19

 

Last Updated: 1996-08-19

 

Distribution: View Public Website

 

Applicable Models
Satellite 110CS
Satellite 110CT
Satellite 200CDS
Satellite 2505CDS
Satellite 305CDS
Satellite 310CDS
Satellite 310CDT
Satellite 320CDS
Satellite 320CDT
Satellite 335CDS
Satellite 335CDT
Satellite 4000CDS
Satellite 4000CDT
Portege 300CT
Portege 320CT
Portege 610CT
Portege 650CT
Portege 660CDT
Portege 7000CT
Tecra 500CDT
Tecra 500CS
Tecra 510CDT
Tecra 520CDT
Tecra 530CDT
Tecra 550CDT
Tecra 700CS
Tecra 700CT
Tecra 710CDT
Tecra 720CDT
Tecra 730CDT
Tecra 730XCDT
Tecra 740CDT
Tecra 750CDT
Tecra 780CDM
Tecra 780DVD
Satellite Pro 400CDT
Satellite Pro 400CS
Satellite Pro 415CS
Satellite Pro 425CDS
Satellite Pro 430CDS
Satellite Pro 430CDT
Satellite Pro 440CDT
Satellite Pro 440CDX
Satellite Pro 465CDX
Satellite Pro 470CDT
Satellite Pro 480CDT
Satellite Pro 490XCDT

 

Information
Boot-sector viruses infect computer systems by copying code either to the boot sector on a floppy disk or the partition table on a hard disk. During startup, the virus is loaded into memory. Once in memory, the virus will infect any non-infected disks accessed by the system. Examples of boot-sector viruses are Michelangelo and Stoned.

Boot-sector viruses are spread to computer systems by booting, or attempting to boot, from an infected floppy disk. Even if the disk does not contain the MS-DOS system files needed to successfully boot, an attempt to boot from an infected disk will load the virus into memory. The virus hooks itself into memory as if it were a device driver. The virus moves the Interrupt 12 return, allowing it to remain in memory even after a warm boot. The virus will then infect the first hard disk in the system. Because the virus moves the Interrupt 12 return, the MS-DOS system memory will be 2K (2048 bytes) smaller than normal. This can be verified by running the MS-DOS CHKDSK command.

For example, if your system has 640K, CHKDSK will report: 655,360 Total Bytes Memory

If the system is infected with a boot-sector virus, CHKDSK will report: 653,312 Total Bytes Memory
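
The CHKDSK check described above, as an added example that is not part of the original document: it reads the "total bytes memory" line from saved CHKDSK output and reports how far the figure falls below the value expected for the machine. The function names, the baseline parameter and the sample output are constructed for illustration.

```python
import re

# CHKDSK memory summary line, e.g. "655,360 total bytes memory" (commas optional).
TOTAL_RE = re.compile(r"^\s*(\d[\d,]*)\s+total bytes memory\s*$",
                      re.IGNORECASE | re.MULTILINE)

def total_memory_bytes(chkdsk_output):
    """Return the 'total bytes memory' figure from CHKDSK output, or None."""
    match = TOTAL_RE.search(chkdsk_output)
    return int(match.group(1).replace(",", "")) if match else None

def check_memory(chkdsk_output, baseline_bytes=640 * 1024):
    """Compare reported memory with the figure expected for this machine.

    baseline_bytes is an assumption: the value recorded while the machine
    was known to be clean (655,360 for the 640K system in the article).
    Returns (status, missing_bytes).
    """
    total = total_memory_bytes(chkdsk_output)
    if total is None:
        return ("no-data", None)          # summary line absent or unreadable
    missing = baseline_bytes - total
    if missing > 0:
        return ("suspect", missing)       # less memory than the baseline
    if missing < 0:
        return ("bad-baseline", missing)  # more memory than the baseline allows
    return ("ok", 0)

# Constructed sample output (not captured from a real machine).
CLEAN = """\
  212,242,432 bytes total disk space
  150,994,944 bytes available on disk

      655,360 total bytes memory
      578,352 bytes free
"""
INFECTED = CLEAN.replace("655,360", "653,312")

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, check_memory(text))
```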

Once a system is infected with a boot-sector virus, any non-write-protected disk accessed by this system will become infected. For example, simply doing a DIR command on a floppy disk will cause the disk to become infected with the virus.

More on Viruses

A computer virus is an executable file designed to replicate itself and avoid detection. A virus may try to avoid detection by disguising itself as a legitimate program. Viruses are often rewritten and adjusted so that they will not be detected. Anti-virus programs must be updated continuously to look for new and modified viruses. Viruses are the number-one method of computer vandalism.

The first computer viruses were designed by programmers who wanted to show off their programming skills and to demonstrate how easily computer security systems could be infiltrated. Today, viruses are made to corrupt or scramble data on a computer's hard disk in the file allocation table (FAT), boot sector, data files, or program files.

There are over 5000 known viruses, and new virus strains continue to show up regularly. The rate of virus infection is also increasing.

In the United States, creating or distributing a virus is classified as a computer crime, and is a federal offense. The Electronic Privacy Act of 1986 is the most noteworthy legislation against the fraudulent use of computers. Europe has enacted the Computer Misuse Act of 1991, which specifically states that creating or knowingly distributing a computer virus is a criminal act.

There are three types of computer viruses:

· Boot-sector viruses
· File-infecting viruses
· Trojan horse programs

Boot-Sector Viruses
When a computer boots (or starts), it looks to the boot sector of the hard disk before loading the operating system or any other startup files. A boot-sector virus is designed to replace the information in the hard disk's boot sectors with its own code. When a computer is infected with a boot-sector virus, the virus' code is read into memory before anything else. Once the virus is in memory, it can replicate itself onto any other disks that are used in the infected computer.

The Form, Michelangelo, Junkie Virus, and Ohio viruses are examples of this type of virus.

A boot-sector virus can cause the following problems:
