Methods to Detect a Boot-Sector Virus

This article was previously published under Q82923
This article has been archived. It is offered "as is" and will no longer be updated.
Boot-sector viruses infect computer systems by copying their code either to the boot sector of a floppy disk or to the master boot record (the partition-table sector) of a hard disk. During startup, the virus is loaded into memory before the operating system. Once in memory, the virus infects any non-infected disk accessed by the system. Examples of boot-sector viruses are Michelangelo and Stoned.
Boot-sector viruses spread to computer systems by booting, or attempting to boot, from an infected floppy disk. Even if the disk does not contain the MS-DOS system files needed to boot successfully, an attempt to boot from an infected disk loads the virus into memory. The virus installs itself as a resident block at the top of conventional memory, much as a device driver would. It lowers the memory size returned by Interrupt 12h (the BIOS conventional-memory count) so that MS-DOS never allocates the memory the virus occupies, which is how the virus remains in memory even after a warm boot. The virus then infects the first hard disk in the system.

Because the virus lowers the Interrupt 12h return value by 2K, the MS-DOS system memory is 2K (2048 bytes) smaller than normal. This can be verified by running the MS-DOS CHKDSK command.

For example, if your system has 640K, CHKDSK will report:
655360 Total Bytes Memory
If the system is infected with a boot-sector virus, CHKDSK will report 2048 bytes less:
653312 Total Bytes Memory
Some systems use 1K (1024 bytes) of memory for the BIOS. Other systems use 2K (2048 bytes) of memory for shadow RAM. You must take this into account before CHKDSK can be used as an accurate measure of whether or not a system is infected with a virus: a clean system with 2K of shadow RAM reports the same 653312 bytes as an infected system with none. Please refer to the hardware manufacturer to see if the system uses part of the MS-DOS 640K of memory, or compare against a CHKDSK reading taken on the same system when it was known to be clean.
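The following Python script is an added example, not part of the original article, that applies the CHKDSK check described above: it parses the "total bytes memory" line from CHKDSK output, compares it with the expected 640K figure after subtracting any legitimate BIOS or shadow-RAM reservation, and reports whether the 2K deficit a resident boot-sector virus leaves is present. The CHKDSK transcripts are constructed, and the reservation profile names are assumptions. It goes one step beyond the text by showing why a trusted baseline matters: a 2K shadow-RAM reservation on a clean system and a virus on a plain 640K system give the same reading.

```python
"""Check MS-DOS CHKDSK output for the 2K conventional-memory deficit that a
resident boot-sector virus such as Stoned or Michelangelo leaves behind."""
import re
from typing import Optional

CONVENTIONAL_BYTES = 640 * 1024        # 655360 bytes: full 640K conventional memory
VIRUS_RESERVATION_BYTES = 2048         # Stoned/Michelangelo lower the INT 12h count by 2K

# Legitimate reasons a clean system reports less than 640K (the article cites
# 1K for BIOS use and 2K for shadow RAM).  The profile names are assumptions.
LEGITIMATE_RESERVATIONS = {
    "none": 0,
    "bios_1k": 1024,
    "shadow_ram_2k": 2048,
}

# CHKDSK wording varies by MS-DOS version ("total bytes memory" or
# "bytes total memory"); accept either, with optional thousands separators.
_TOTAL_RE = re.compile(
    r"^\s*([\d,]+)\s+(?:total\s+bytes\s+memory|bytes\s+total\s+memory)\b",
    re.IGNORECASE,
)


def parse_chkdsk_total_memory(output: str) -> int:
    """Return the conventional-memory total (bytes) that CHKDSK reported."""
    for line in output.splitlines():
        m = _TOTAL_RE.match(line)
        if m:
            return int(m.group(1).replace(",", ""))
    raise ValueError("no 'total bytes memory' line found in CHKDSK output")


def assess(output: str, reservation: str = "none",
           baseline: Optional[int] = None) -> dict:
    """Compare the reported total with what a clean system should show.

    reservation: hardware profile from LEGITIMATE_RESERVATIONS, used when no
                 measured baseline is given.
    baseline:    total bytes memory read on this same machine when it was
                 known to be clean; overrides the profile when supplied.
    """
    reported = parse_chkdsk_total_memory(output)
    if baseline is None:
        baseline = CONVENTIONAL_BYTES - LEGITIMATE_RESERVATIONS[reservation]
    deficit = baseline - reported

    if deficit == 0:
        verdict = "clean"
    elif deficit == VIRUS_RESERVATION_BYTES:
        verdict = "suspicious"        # exactly the 2K a resident boot-sector virus takes
    elif deficit > 0:
        verdict = "investigate"       # memory missing, but not the 2K signature
    else:
        verdict = "baseline_too_low"  # more memory than expected: profile or baseline wrong

    return {
        "reported_bytes": reported,
        "expected_bytes": baseline,
        "deficit_bytes": deficit,
        "deficit_kb": deficit // 1024,
        "verdict": verdict,
    }


# Constructed CHKDSK transcripts (not captured from a real machine).
CHKDSK_CLEAN = """\
Volume DOS_5       created 04-09-1991  5:00a

  33419264 bytes total disk space
    655360 total bytes memory
    594944 bytes free
"""

# Same machine after a boot-sector virus has reserved 2K at the top of memory.
CHKDSK_INFECTED = CHKDSK_CLEAN.replace("655360", "653312").replace("594944", "592896")

# An infected machine that also has 2K of shadow RAM reserved reads 2K lower still.
CHKDSK_INFECTED_SHADOW = CHKDSK_CLEAN.replace("655360", "651264").replace("594944", "590848")


if __name__ == "__main__":
    for label, text, profile in [
        ("clean 640K system", CHKDSK_CLEAN, "none"),
        ("infected 640K system", CHKDSK_INFECTED, "none"),
        ("clean system with 2K shadow RAM", CHKDSK_INFECTED, "shadow_ram_2k"),
        ("infected system with 2K shadow RAM", CHKDSK_INFECTED_SHADOW, "shadow_ram_2k"),
    ]:
        print(f"{label:36} {assess(text, profile)['verdict']}")
```

The third case is the ambiguity the article warns about: the same 653312-byte reading is "suspicious" under the plain 640K profile and "clean" under the shadow-RAM profile, so the script only gives a reliable answer when the profile or a previously recorded clean baseline for that specific machine is supplied.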

Once a system is infected with a boot-sector virus, any non-write-protected disk accessed by this system will become infected. For example, simply doing a DIR command on a floppy disk will cause the disk to become infected with the virus.

Note: MS-DOS version 5.0 disks are shipped without a notch; therefore, they are write-protected. The chances of these disks containing a virus are close to none. The MS-DOS 5.0 disk files are compressed, so the actual file sizes are different. You can recognize a compressed file by the underscore character (_) that is the last character of the filename extension. To expand a compressed file, use the EXPAND utility on Disk 5 (5.25-inch disk set) or Disk 3 (3.5-inch disk set).

Article ID: 82923 - Last Review: 12/04/2015 09:13:42 - Revision: 2.1

Microsoft MS-DOS 3.1, Microsoft MS-DOS 3.2 Standard Edition, Microsoft MS-DOS 3.21 Standard Edition, Microsoft MS-DOS 3.3 Standard Edition, Microsoft MS-DOS 3.3a, Microsoft MS-DOS 4.0 Standard Edition, Microsoft MS-DOS 4.01 Standard Edition, Microsoft MS-DOS 5.0 Standard Edition, Microsoft MS-DOS 5.0a, Microsoft MS-DOS 6.0 Standard Edition, Microsoft MS-DOS 6.2 Standard Edition, Microsoft MS-DOS 6.21 Standard Edition, Microsoft MS-DOS 6.22 Standard Edition
