A boot sector virus infects computers at their BIOS level before the operating system even begins to load. It can also use DOS commands to spread across a variety of storage devices. In either case, a boot sector virus takes control of the DOS boot sector by replacing its contents with its own code. This enables the virus to spread by redirecting disk reads and, in some cases, by moving the master boot record (MBR) to another location. This causes the system to crash as it boots and corrupts the File Allocation Table (FAT), which serves as the index table on a hard disk.
An infected floppy disk or USB drive, when connected to a computer, will begin transferring the boot sector virus as its volume boot record (VBR) is being read. The virus then modifies or replaces the existing boot code so that the next time the computer is powered on, the virus is loaded and run as part of the MBR. Some variations of this virus may even encrypt a disk’s boot sector.
While physical media is the common vehicle for spreading a boot sector virus, it is by no means the only one. Electronic channels, such as email attachments, have also been known to spread it. In these cases, the virus is invoked when the email is opened. It then infects the host computer, and may even attempt to spread by targeting the email addresses in a user’s contact list.
The aforementioned volatility of a boot sector virus makes it difficult to target and remove. Users may not even know they have been infected until they run utility software that is able to detect it. It is therefore critical to employ updated anti-virus (AV) software with large registries and definitions that can identify strains of this virus and remove them safely. In those instances where existing boot code has been severely damaged, removing the virus may require the hard drive to be completely reformatted.
The evolution of computers and operating systems has reduced the occurrence of boot sector viruses. DOS commands have taken a back seat in the booting process since Windows 95, while newer file system architecture has superseded the FAT standard on modern Windows machines. Even BIOS architecture has been improved to reduce the spread of boot sector viruses: it includes options to prevent any changes to a hard disk’s first sector.
A more recent variation of the boot sector virus is the “bootkit,” a term often used interchangeably with “rootkit.” This software exploits the MBR by loading early in the booting process, and then hides its actions by returning a legitimate copy of the MBR when requested. Bootkits generally do not affect removable media, but can jeopardize the entire operation of a hard disk because they are so hard to perceive: their components do not reside in standard file systems.
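The boot code replacement described above can be caught by comparing a disk's first sector against a known-good baseline. The following Python example is added here and is not part of the original article; the function names, the choice to hash only the first 440 bytes, and the sample sectors are assumptions constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_END = 440      # bytes 440-445 hold a per-disk signature, so they are not hashed
PART_TABLE_OFFSET = 446  # four 16-byte partition entries follow the boot code area
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte first sector into boot-code hash, partition entries, signature flag."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": i, "status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def audit_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        findings.append("invalid partition status byte")
    if sum(p["status"] == 0x80 for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    return findings


def build_sector(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code plus one active partition at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x0C, 2048, 1_000_000)
    body = boot_code.ljust(BOOT_CODE_END, b"\x00") + b"\x00" * 6
    return body + entry + b"\x00" * 48 + BOOT_SIGNATURE


CLEAN = build_sector(b"\x90" * 64)     # constructed filler bytes, not a real loader
TAMPERED = build_sector(b"\xcc" * 64)  # constructed: same layout, different boot code
BASELINE = parse_mbr(CLEAN)["boot_code_sha256"]
```

Because a bootkit can return a legitimate copy of the MBR to reads made from the running system, feed `audit_mbr` the first 512 bytes of an image taken while the suspect disk is offline.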