A boot sector virus is a particular kind of virus named after the location it can be found. That would be the boot sector of floppy disks or the Master Boot Record of more modern hard disks. In some cases, they can infect the boot sector of said hard disks instead of the MBR.
The code that makes up the virus runs when whatever is on the disk or drive is booted up. In other words, if the user tries to plug in and use an infected hard disk, they execute the virus. Once loaded, almost all of these viruses will copy themselves to other available and compatible disks and drives, so if a computer had four clean floppy disks inserted, and a fifth infected one was added and used, all five would likely end up infected.
Contents
What Do Boot Sector Viruses Do?
Because of the way and the location they are placed in, boot sector viruses end up executing when the device they are on is booted up or plugged in and turned on. They are BIOS-level infections, meaning they don’t require any particular user interaction (such as opening an email or clicking on a dodgy website link) to affect a system.
The downside is that they rely on DOS commands to spread. DOS hasn’t been used since the release of Windows 95, at which point the use of boot sector viruses rapidly declined as they no longer worked. The original boot sector viruses would be entirely harmless in a modern computer that does not use/understand DOS commands – however, the type of virus persists in a new variant.
Modern Boot Sector Viruses
The modern equivalent is often called a “bootkit,” which writes itself into the MBR or Master Boot Record. That way, they achieve the same effect of launching early in the boot process. This lets them hide both their presence and what they are doing behind other processes – and, again, requires no user interaction other than booting up the machine.
Bootkits aren’t compatible with removable media – in other words, while the original boot sector viruses thrived on floppy disks, bootkits do not work like that. They could not, for example, infect a USB stick – although they can be stored and transferred on one, they would not activate. Other viruses can execute from removable media, such as thumb drives, but bootkits cannot.
What Does a Boot Sector Virus Look Like?
As with any virus, what it looks like depends on both who created it and what purpose it is meant to achieve. A boot sector always has to have 0x55 and 0xAA as the last two bytes of data, respectively. Without them there, the computer will either refuse to boot entirely or at least show an error message. This error message – or a refusal to boot – can be one of several indicators of a boot sector virus, though it doesn’t give any particular clue as to what the virus might be doing.
How to Identify a Boot Sector Virus
A boot sector virus can be identified in two different ways. Firstly, by its actions. A boot sector virus infects the part of storage media loaded by the BIOS when booting up. It also actively infects all other storage media attached to the infected computer. It’s worth remembering that modern bootkits work slightly differently and don’t automatically infect devices. The other way to identify a boot sector virus is with anti-virus software.
Note: Boot sector viruses are essentially obsolete, relying on DOS-era technology. These operating systems likely see minimal use, particularly legacy systems. Finding an antivirus product that can run on such an operating system would be challenging now. Additionally, while it’s likely that no one has bothered to make new boot sector viruses if any new ones have been released, they may not be adequately categorized to be detected if you find an antivirus program to run.
How to Get Rid of a Boot Sector Virus
An antivirus product should be able to get rid of a boot sector virus relatively quickly. This assumes, however, that you can find an antivirus product that works on such an outdated system and that it can detect the virus. More modern bootkits can be extremely hard to detect and remove as they infect areas of memory typically restricted. Both can be defeated by reformatting the drive entirely. This process, however, wipes all data on the drive and so isn’t ideal.
It’s also theoretically possible for the bootkit to infect the motherboard itself, specifically the UEFI BIOS. In this case, reflashing the motherboard should solve the problem, but it might not if the virus persists elsewhere. Especially if the virus could reinfect the image to which the motherboard was flashed. The 100% surefire way to eliminate any virus is to throw away the infected component. That is your hard drive, motherboard, etc., not necessarily the whole computer.
Conclusion
A boot sector virus is a classic type from the DOS era. They infected the boot sector of storage media and actively infected the boot sector of any other available storage media. The boot sector was the portion of the storage device loaded first by the BIOS. As such, the malware was immediately launched.
As they relied upon the BIOS and DOS commands, they died out when Windows was introduced. A modern version is known as a bootkit. It acts similarly, infecting the boot loader that calls the operating system. This makes it very hard to detect or remove, as modern security measures protect the bootloader from easy access.
