Boot-Sector Viruses

A boot sector virus takes control at startup

A hard drive is divided into many sectors and clusters of sectors, which may be separated into partitions. To find the data spread across these sectors, the boot sector acts as a kind of Dewey Decimal system for the disk. Each hard disk also has a Master Boot Record (MBR) that locates and runs the first of the operating system files needed to make the disk usable.

When a disk is read, the system first seeks out the MBR, which passes control to the boot sector; the boot sector in turn provides the pertinent information about what is on the disk and where it is located. The boot sector also holds the information that identifies the type and version of the operating system the disk was formatted with.
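The MBR layout described above (boot code, four partition entries, and a closing 0x55AA signature) can be checked against a saved copy, which is the kind of boot disk backup the recovery advice below relies on. This is an added example, not code from the original article; it builds a constructed 512-byte MBR rather than reading a real disk, and the `compare_to_baseline` report format is my own.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code (disk signature sits at 440..443)
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr() -> bytes:
    """Constructed sample MBR: placeholder boot code plus one FAT32 (type 0x0C)
    partition at LBA 2048 with 4,194,304 sectors (2 GiB). Not from a real disk."""
    boot_code = b"\xFA\x33\xC0\x8E\xD0".ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x0C, b"\xFE\xFF\xFF", 2048, 4194304)
    table = entry + b"\x00" * 48          # remaining three slots empty
    return boot_code + table + BOOT_SIGNATURE

def parse_mbr(mbr: bytes) -> dict:
    """Validate the boot signature, list used partition entries, hash the boot-code region."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:                    # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Report what a defender would act on: a lost signature, modified boot code
    (the region a boot-sector virus overwrites), or a changed partition table."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: MBR corrupt or overwritten")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from backup: possible MBR infection")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from backup")
    return findings
```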

Obviously, a virus that invades this space on the disk puts the entire operation of that disk at risk.

A boot sector virus is a type of rootkit virus, and these terms are often used interchangeably.

Famous Boot Sector Viruses

The first boot sector virus was discovered in 1986. Dubbed Brain, the virus originated in Pakistan and operated in full-stealth mode, infecting 360 KB floppies.

Perhaps the most infamous of this class of viruses was the Michelangelo virus discovered in March 1992. Michelangelo was an MBR and boot sector infector with a March 6th payload that overwrote critical drive sectors. Michelangelo was the first virus that made international news.

How Boot Sector Viruses Spread

A boot sector virus is usually spread via external media, such as an infected USB drive or other media like a CD or DVD. This typically occurs when users inadvertently leave the media in a drive. When the system is next started, the virus loads and runs immediately as part of the MBR. Removing the external media at this point does not delete the virus.

Another way this type of virus can take hold is through email attachments that contain boot virus code. Once opened, the virus attaches to a computer and may even take advantage of a user's contact list to send out replicas of itself to others.

Signs of a Boot Sector Virus

It is difficult to know immediately whether you've been infected by this type of virus. Over time, however, you may have trouble retrieving data or find that data has disappeared entirely. Your computer may then fail to start, showing an error message such as "Invalid boot disk" or "Invalid system disk."

Avoiding a Boot Sector Virus

You can take a series of steps to avoid a rootkit or boot sector virus.

  • Vigilance: Obviously, the first level of protection against any virus is vigilance: never insert unknown media into your computer, and be wise about email scams, attachments, and downloads.
  • Anti-virus protection tools: Just as important, however, is prevention by using a strong virus detection and prevention tool. Windows 10 ships with Windows Defender, while earlier versions of Windows ship with Microsoft Security Essentials. Microsoft recommends moving to Windows Defender for these older Windows versions. In addition, several excellent free and fee-based tools are available, including the free Malwarebytes and AdwCleaner and the very powerful McAfee and Norton, among others.
  • Backup antivirus app: No one anti-virus application can catch 100% of all viruses (though they do try). Using a second antivirus app increases the likelihood that if a virus slips past your first line of defense, the secondary protection will catch it. Malwarebytes and AVG, among others, offer apps specifically designed to serve as a secondary antivirus application.
  • Software updates: Keep your software updated, because software developers regularly issue patches and fixes for security holes that hackers and viruses have exploited. In the antivirus world, you want a product that updates itself at least daily.
  • Backups: Making not only data backups but also a boot disk backup can help you recover from a boot sector or rootkit virus. While this is not a prevention strategy, it must be done before you get the virus.

Recovering from a Boot Sector Virus

Because boot sector viruses might have encrypted the boot sector, they can be difficult to recover from.

First, try to boot into the stripped-down Safe Mode. If you can get into Safe Mode, you can run your anti-virus programs to try to remove the virus.

Windows Defender now also provides an "offline" version that it will prompt you to download and run if it cannot remove a virus. Windows Defender Offline is useful for addressing rootkit and boot sector viruses because it analyzes your computer while Windows is not actually running, meaning that the virus is not running, either. You can directly access this utility by going to Settings, Update & Security, and then Windows Defender, and selecting Scan Offline.

If no virus protection software is able to identify, isolate or quarantine the virus, you may need to reformat your hard disk completely as a last resort.

In this case, you will be glad you created backups!
