
FDISK /MBR to clean virus,how?


P.M.Wong

Nov 30, 1995, 3:00:00 AM
My friend's PC's hard disk boot sector has been infected
with the ANTI-CMOS.A virus.
F-Prot could not disinfect it, but recommends using the DOS FDISK
command with the /MBR switch to do it.
Since the /MBR switch is not documented, could someone kindly tell
me what it will do? Do I have to back up everything and do a
complete restore afterwards?
BTW, anyone who has had such a virus before, please tell me
the steps to clean the disk (e.g. any need to low-level format,
or are FDISK and FORMAT adequate?)

--

\\\//
(o o)
[----------------ooO-(_)-Ooo---------------] P.M. Wong , Computer Centre
[User User User User User User User User Us] Hong Kong Baptist University
[ser User User User User User User User Use] 224 Waterloo Road, HONG KONG
[er User User User User User User User User] Voice: 23397425 Fax: 23397888
[------------------------------------------] Email: p...@hkbu.edu.hk


Steve Eschenburg

Nov 30, 1995, 3:00:00 AM
s11...@ctsc.hkbc.hk (P.M.Wong) wrote:

>My friend's PC's hard disk boot sector has been infected
>with the ANTI-CMOS.A virus.
>F-Prot could not disinfect it, but recommend using Dos FDISK
>command with /MBR switch to do it.
>Since the /MBR is not documented, could someone kindly tell
>me what it will do. Do I have to backup everything and do
>complete restore afterwards.
>BTW, anyone who have got such a virus before, please tell me
>the steps to clean the disk (e.g. any need to low level format
>or FDISK and FORMAT are adequate)

Try running the SYS command first. Remember to boot to a clean, write
protected diskette. If that doesn't work then try FDISK /MBR.

True, it's not a documented switch, but I have seen it get a few hard
drives back up and running. DOS writes 2 copies of the master boot
record to a hard drive. What FDISK /MBR does is to get the second copy
and use it to rewrite the working copy, the one that is actually used
to boot the system with. I haven't seen it do any damage so backing up
the drive may not be necessary, but then I'm not the one who would be
reinstalling it either :-)

If you do make a backup of the drive as it is you may inadvertently
back up the virus also....something to consider, though this would have
no effect on your data files.

From the mind of ste...@rapidramp.com---

Opinions are like friends, everyone has some no one else likes.


Joe Morris

Nov 30, 1995, 3:00:00 AM
ste...@rapidramp.com (Steve Eschenburg) writes:

>Try running the SYS command first. Remember to boot to a clean, write
>protected diskette. If that doesn't work then try FDISK /MBR.

>True, it's not a documented switch, but I have seen it get a few hard
>drives back up and running. DOS writes 2 copies of the master boot
>record to a hard drive. What FDISK /MBR does is to get the second copy
>and use it to rewrite the working copy, the one that is actually used
>to boot the system with.

No. The FDISK program writes the Master Boot Record (thus "MBR") which
contains two components:

- The highest-level partitioning information, which by definition must
include the DOS or WIN95 partition to be booted, and
- the executable code that determines which partition is to be booted,
and passes control to that partition.

Both of these components are located in the absolute first sector of
a hard disk: cylinder zero, head zero, sector 1. The executable portion
is present on all hard disks, but is used only on a disk that is cabled
to be the first hard disk on the first controller.

The FDISK command will write the executable code component only if either:

(a) no previous MBR is found on the disk, or
(b) the /MBR switch was specified.

In either case, the executable code is copied from within the FDISK
program, not from any other part of the hard disk.

FDISK /MBR will make no changes to the partitioning information -- that
is, it will only rewrite the executable code -- *IF* it finds that
the first sector contains a valid MBR. Based on reports from users who
have been burned, however, it seems that FDISK checks for a valid MBR
before seeing if the /MBR switch was specified, so if for some reason
it decides that you don't have an MBR, the entire first sector is
initialized. I don't know for sure, but I suspect that the entire test
is probably checking the last two bytes of the sector against 0x55AA
(the boot sector signature).

Now...what confuses some users is that every *partition* has what is called
the "boot sector" as *its* first sector. This boot sector (which appears
not only in hard disk partitions but also at the front of every floppy
disk) is written by the SYS command; unlike the MBR executable code the
boot sector code is operating-system-specific. The boot sector receives
control from the master boot record; it has the responsibility for reading
in and passing control to the startup executable (typically IO.SYS (DOS or
WIN95), WINBOOT.SYS (WIN95 after a DOS session), NTBOOT (WINNT), etc.)

A virus that contaminates the MBR cannot be fixed by the SYS command (which
rewrites the boot sector); similarly, a virus that hits the boot sector
is immune to any actions by FDISK since that program doesn't rebuild
the partition boot sector. Assuming that the recommendation from the
antivirus program was to run FDISK /MBR (I can't recall off the top of
my head if ANTICMOS is an MBR virus, but it sounds reasonable), the
SYS command won't help.

> I haven't seen it do any damage so backing up
>the drive may not be necessary, but then I'm not the one who would be
>reinstalling it either :-)

If the 0x55AA signature is missing from the MBR, FDISK /MBR will probably
destroy the partitioning information. Use Norton DiskEdit to look at the
MBR and verify that the signature is present; for that matter, as long as
you're using DISKEDIT you can create a copy of the MBR just in case
something goes screwy. Look at the Norton documentation about writing
selected sectors as a DOS file.

>If you do make a backup of the drive as it is you may inadvertently
>backup the virus also....something to consider though this would have
>no effect on your data files.

Assuming that the MBR is the only place that contamination exists (i.e.,
you don't have on your hard disk any file that will reinfect you) it's
unlikely that the infection will be saved with the backup -- **IF** you
are running the backup after booting the system from a known sterile
floppy disk that has the write-protect tab set to prevent writing. Few
if any file backup programs will save either the MBR or the partition
boot sector.

Joe Morris / MITRE

jhb

Dec 1, 1995, 3:00:00 AM
In article <49j3cn$c...@ctsc.hkbc.hk>, s11...@ctsc.hkbc.hk (P.M.Wong) says:
>
>My friend's PC's hard disk boot sector has been infected
>with the ANTI-CMOS.A virus.
>F-Prot could not disinfect it, but recommend using Dos FDISK
>command with /MBR switch to do it.
>Since the /MBR is not documented, could someone kindly tell
>me what it will do. Do I have to backup everything and do
>complete restore afterwards.
>BTW, anyone who have got such a virus before, please tell me
>the steps to clean the disk (e.g. any need to low level format
>or FDISK and FORMAT are adequate)

Actually, I believe a clean boot from a DOS disk of the same version,
then FDISK /MBR, will do it, but only as a last resort. If you have no
interest in virii (i.e. you are not going to carefully remove it, or do not
know how to make a safe copy of the MBR), do not use FDISK.
Instead try F-Prot or, I believe, Dr. Solomon's AV Tool Kit
will take care of it; get a demo on their site. For more info
check any post from the Doctor or Graham Cluley.
Cheers,
JHB

jhb

Dec 1, 1995, 3:00:00 AM
In article <49jje4$5...@alterdial.UU.NET>, ste...@rapidramp.com (Steve Eschenburg) says:

>
>s11...@ctsc.hkbc.hk (P.M.Wong) wrote:
>
>>My friend's PC's hard disk boot sector has been infected
>>with the ANTI-CMOS.A virus.
>>F-Prot could not disinfect it, but recommend using Dos FDISK
>>command with /MBR switch to do it.
>>Since the /MBR is not documented, could someone kindly tell
>>me what it will do. Do I have to backup everything and do
>>complete restore afterwards.
>>BTW, anyone who have got such a virus before, please tell me
>>the steps to clean the disk (e.g. any need to low level format
>>or FDISK and FORMAT are adequate)
>
>Try running the SYS command first. Remember to boot to a clean, write
>protected diskette. If that doesn't work then try FDISK /MBR.
>
>True, it's not a documented switch, but I have seen it get a few hard
>drives back up and running. DOS writes 2 copies of the master boot
>record to a hard drive. What FDISK /MBR does is to get the second copy
>and use it to rewrite the working copy, the one that is actually used
>to boot the system with. I haven't seen it do any damage so backing up
>the drive may not be necessary, but then I'm not the one who would be
>reinstalling it either :-)
>
>If you do make a backup of the drive as it is you may inadvertently
>backup the virus also....something to consider though this would have
>no effect on your data files.
>
Where did you hear DOS made two copies of the MBR? What FDISK /MBR does
is replace the program part of the MBR (the part that loads the boot sector).
The problem is it does not check if the partition table that is there is OK,
so if it's encrypted or not there your hard disk becomes "not there" to DOS,
and at that point if you have no backup of the MBR you are in between
a rock and a hard place. So use a good AV program also; unless
I remember wrong, SYS will not touch the Anti-CMOS virus.

kbcs...@dmu.ac.uk

Dec 1, 1995, 3:00:00 AM
To stop these sorts of problems occurring, try to get a copy of Norton
Utilities. This is a collection of disk utilities that should, in theory,
keep your disk files safe. It holds a lot of power, so be careful if you
do use it.

Another point about this virus. It sounds like you virus-scan your hard
drive every so often, like me. This becomes a bad idea if you are both
using a lot of disks from other people's computer systems and
using the internet and e-mail. I suggest that you try to get hold of
the Norton Antivirus toolkit OR Solomon's anti-virus toolkit. As new viruses
are coming out all the time, it is best to keep up to date.

Maybe it would be best if you kept backup copies of all files like me,
and believe me I have a lot of files.

And last of all, learn from your mistakes. Failing to keep a regular
check all the time can place you in serious situations, so take advice.


Ken Stieers

Dec 1, 1995, 3:00:00 AM
In article <49lq6o$l...@News1.mcs.net>, pta...@mcs.com says...
>
>ste...@rapidramp.com (Steve Eschenburg) wrote:
>
>Not to get to far of the subject, but if virus can infect the first
>MBR, is it possible that it can effect the second? If it can then the
>FDISK /MBR would become useless, correct?
>

There is only ONE MBR on a standard Dos drive. There are 2 FATs, but
those are TOTALLY different. Please see my reply to Steve Eschenburg
earlier in this thread.


Ken

--
Views expressed herein are not necessarily the views
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
-----------------------------------------------------------------------
Ken Stieers | The internet is like a town with no street
AV Research/Apps. Eng. | signs, if you don't know your way around
Ontrack Computer Systems | then you probably don't belong
Ontrack Data Recovery | --James Gleik
Eden Prairie, MN |


Paul Tader

Dec 1, 1995, 3:00:00 AM
ste...@rapidramp.com (Steve Eschenburg) wrote:

>s11...@ctsc.hkbc.hk (P.M.Wong) wrote:

>>My friend's PC's hard disk boot sector has been infected
>>with the ANTI-CMOS.A virus.
>>F-Prot could not disinfect it, but recommend using Dos FDISK
>>command with /MBR switch to do it.
>>Since the /MBR is not documented, could someone kindly tell
>>me what it will do. Do I have to backup everything and do
>>complete restore afterwards.

>True, it's not a documented switch, but I have seen it get a few hard
>drives back up and running. DOS writes 2 copies of the master boot
>record to a hard drive. What FDISK /MBR does is to get the second copy
>and use it to rewrite the working copy, the one that is actually used
>to boot the system with. I haven't seen it do any damage so backing up
>the drive may not be necessary, but then I'm not the one who would be
>reinstalling it either :-)

Not to get to far of the subject, but if virus can infect the first

Fridrik Skulason

Dec 2, 1995, 3:00:00 AM
ste...@rapidramp.com (Steve Eschenburg) writes:

>Try running the SYS command first.

NO.....DON'T

Running SYS will not help at all, as the virus infects the MBR, which SYS does
not touch. Indeed, using SYS may do more harm than good - if the version of
DOS you use is different from the one already on the hard disk, you will have
a pretty serious problem.

>drives back up and running. DOS writes 2 copies of the master boot
>record to a hard drive. What FDISK /MBR does is to get the second copy
>and use it to rewrite the working copy, the one that is actually used
>to boot the system with.

You are utterly wrong, and I would strongly suggest that you refrain from giving
advice on subjects you are obviously unfamiliar with.

DOS does not write the MBR.

There is only one copy of it, not two.

What FDISK /MBR does is to overwrite the *code* part of the MBR with clean
code, without touching the data part.

>If you do make a backup of the drive as it is you may inadvertently
>backup the virus also.

No, you are wrong there again.

For accurate information, see the note below:

-------------------------------------------------------------------------------

Frisk Software International - Technical note #8


Generic boot sector disinfection

Although F-PROT is usually up-to-date with respect to virus detection and
disinfection, there are occasional cases of a virus infecting a machine
before we have implemented disinfection of that particular virus.

The instructions below describe a "generic" method for the removal of boot
sector viruses.

If the virus infects the Master (Partition) boot sector:

Create a bootable system diskette on a different (clean) machine, that
is running DOS 5 or 6, with the FORMAT /S or "SYS" commands. You cannot
use DOS 4 or older for this purpose.

Copy the file FDISK.EXE to that diskette and write-protect it.

Boot the infected machine with this diskette - do not rely on just
pressing Ctrl-Alt-Del...press the Reset button or turn the machine off
and then back on.

Check if you are able to access all partitions on the hard disk normally.
If they are not recognized, it might be because the virus encrypts the
partition data or overwrites it....in this case the generic disinfection
method described below is not possible. One method which will often work
in that case is to wipe out the MBR with a disk editor, and then run NDD
and tell it to recover the lost partitions. My favourite tool for this
purpose is NDD version 4.5. However, you should make a backup copy of the
(infected) MBR first - if you don't know how to do that, you probably
should not be fiddling with the MBR anyhow.

If you can access C: and other partitions, give the command FDISK /MBR.
This will overwrite the code part of the MBR - in effect "killing" the
virus. (note: if you are using Novell DOS 7.0, you need to select this
option from the menu, not give a command-line switch).

Reboot the machine normally from the hard disk.

If the virus infects the DOS boot sector:

Create a bootable system diskette on a different (clean) machine, that
is running exactly the same version of DOS as the infected machine.

COPY the SYS.COM file from the DOS directory to the diskette and write-
protect it.

Boot from the diskette and give the command SYS C:

In addition to copying the system files over (which is not necessary to
remove the virus), this will overwrite the DOS boot sector with "clean"
code, killing the virus.

-frisk
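Joe Morris's description of the MBR layout and Frisk's technical note both come down to the same checks a defender should make before running FDISK /MBR: is the 0x55AA signature present, and does the partition table still look sane (or has the virus encrypted or overwritten it)? The Python below is an added example, not code from any poster or from FDISK itself; it decodes a 512-byte MBR image, applies those checks, and models the two behaviours the thread attributes to FDISK /MBR. The sample sector, the CLEAN_CODE stand-in and the function names are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
CODE_END = 446            # bytes 0..445: bootstrap code (the part FDISK /MBR rewrites)
TABLE_END = 510           # bytes 446..509: four 16-byte partition table entries
SIGNATURE = b"\x55\xAA"   # bytes 510..511: the boot sector signature Joe Morris mentions


def has_signature(sector: bytes) -> bool:
    """True if the sector is 512 bytes and ends in the 0x55AA signature."""
    return len(sector) == SECTOR_SIZE and sector[TABLE_END:] == SIGNATURE


def partition_entries(sector: bytes) -> list:
    """Decode the four partition table entries (boot flag, type, LBA start, size)."""
    entries = []
    for i in range(4):
        off = CODE_END + 16 * i
        boot, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        entries.append({"boot": boot, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def table_plausible(sector: bytes) -> bool:
    """Cheap sanity check: an encrypted or overwritten table (Monkey-style) fails it."""
    entries = partition_entries(sector)
    used = [e for e in entries if e["type"] != 0]
    if not used or sum(e["boot"] == 0x80 for e in entries) > 1:
        return False
    return all(e["boot"] in (0x00, 0x80) and e["sectors"] > 0 for e in used)


def triage(sector: bytes) -> str:
    """What the thread says FDISK /MBR would do to this particular sector."""
    if not has_signature(sector):
        return "no 0x55AA signature: FDISK /MBR would reinitialise the whole sector"
    if not table_plausible(sector):
        return "partition table implausible: back up the sector, do not run FDISK /MBR"
    return "valid MBR: FDISK /MBR would replace only the code bytes"


def model_fdisk_mbr(sector: bytes, clean_code: bytes) -> bytes:
    """Model of FDISK /MBR as the thread describes it (not the real program):
    valid signature -> code bytes replaced, table and signature kept untouched;
    no signature    -> whole sector reinitialised with an empty table."""
    code = clean_code[:CODE_END].ljust(CODE_END, b"\x00")
    if has_signature(sector):
        return code + sector[CODE_END:]
    return code + bytes(TABLE_END - CODE_END) + SIGNATURE


# Constructed sample: an "infected" code area plus one active FAT16 partition entry.
_ENTRY = bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0xFE, 0xBF, 0x3F]) + struct.pack("<II", 63, 204800)
SAMPLE_MBR = (b"INFECTED-CODE " * 32)[:CODE_END] + _ENTRY + bytes(48) + SIGNATURE
CLEAN_CODE = b"CLEAN-CODE"   # stand-in for the code FDISK carries inside FDISK.EXE

if __name__ == "__main__":
    print(triage(SAMPLE_MBR))
    print(partition_entries(model_fdisk_mbr(SAMPLE_MBR, CLEAN_CODE))[0])
```

Run against a real sector image the triage is the same decision Joe Morris recommends making with DiskEdit: confirm the signature, keep a copy of the sector, and only then let FDISK touch the code bytes.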

Steve Eschenburg

Dec 2, 1995, 3:00:00 AM
ste...@rapidramp.com (Steve Eschenburg) wrote:

>s11...@ctsc.hkbc.hk (P.M.Wong) wrote:

>>My friend's PC's hard disk boot sector has been infected
>>with the ANTI-CMOS.A virus.
>>F-Prot could not disinfect it, but recommend using Dos FDISK
>>command with /MBR switch to do it.
>>Since the /MBR is not documented, could someone kindly tell
>>me what it will do. Do I have to backup everything and do
>>complete restore afterwards.

>>BTW, anyone who have got such a virus before, please tell me
>>the steps to clean the disk (e.g. any need to low level format
>>or FDISK and FORMAT are adequate)

>Try running the SYS command first. Remember to boot to a clean, write
>protected diskette. If that doesn't work then try FDISK /MBR.

>True, it's not a documented switch, but I have seen it get a few hard
>drives back up and running. DOS writes 2 copies of the master boot
>record to a hard drive. What FDISK /MBR does is to get the second copy
>and use it to rewrite the working copy, the one that is actually used
>to boot the system with.

I apologize for the confusion caused by the above statement. Late
nights do not make for clear minds. As Ken Stieers correctly states in
his reply, there are two copies of the FAT, not two copies of the MBR.
See the reply from Joe Morris for a more complete description of the
location, purpose, and description of the MBR.

Get a copy of Patricia Hoffman's VSUM program if you would like the
details on many known viruses. The BBS number is (408)244-0813.

Dr Alan Solomon

Dec 3, 1995, 3:00:00 AM
In article <49lq6o$l...@News1.mcs.net>, Paul Tader (pta...@mcs.com) writes:
>ste...@rapidramp.com (Steve Eschenburg) wrote:
>
>>s11...@ctsc.hkbc.hk (P.M.Wong) wrote:
>>True, it's not a documented switch, but I have seen it get a few hard
>>drives back up and running. DOS writes 2 copies of the master boot
>>record to a hard drive. What FDISK /MBR does is to get the second copy
>>and use it to rewrite the working copy, the one that is actually used
>>to boot the system with. I haven't seen it do any damage so backing up
>>the drive may not be necessary, but then I'm not the one who would be
>>reinstalling it either :-)
>
>Not to get to far of the subject, but if virus can infect the first
>MBR, is it possible that it can effect the second? If it can then the
>FDISK /MBR would become useless, correct?

I'd like to comment on this before it gets too far. I've not examined
every possible version of Dos, but I have looked at a lot of them, and
*none* of them make a second copy of the MBR. If you do have a second
copy on your HD, chances are it was copied there when a virus installed
itself. FDISK/MBR has the MBR code inside the FDISK.EXE file, and copies
it from there.

Anyway, as Bruce Burrell says so emphatically, FDISK /MBR is not a
general purpose virus-killer, as it is definitely hazardous for some
viruses (Monkey, One Half, etc).

Dr Alan Solomon, S&S International
Chief Designer of Dr Solomon's Anti Virus Toolkit
US tel (617) 273 7400 UK tel +44 1296 318700
US email sup...@sands.com UK drs...@ibmpcug.co.uk
Web http://www.sands.com/ or http://www.drsolomon.com/


Sue Forslev

Dec 7, 1995, 3:00:00 AM
s11...@ctsc.hkbc.hk (P.M.Wong) wrote:

>My friend's PC's hard disk boot sector has been infected
>with the ANTI-CMOS.A virus.
>F-Prot could not disinfect it, but recommend using Dos FDISK
>command with /MBR switch to do it.
>Since the /MBR is not documented, could someone kindly tell
>me what it will do. Do I have to backup everything and do
>complete restore afterwards.
>BTW, anyone who have got such a virus before, please tell me
>the steps to clean the disk (e.g. any need to low level format
>or FDISK and FORMAT are adequate)

<SIG Deleted>

You can use FDISK /MBR without danger if the virus doesn't play
excessive games with your MBR. I use it routinely to clear the Stoned
virus. I don't know about ANTI-CMOS A so you might want to back up
your hard drive before trying it.
Sue Forslev
http://www.well.com/user/sforslev/

