-
1
- #1
I entered the original post several days back. The replies from Alt255 have been so helpful that I'm pasting the entire thread here in case the information might assist someone else, or perhaps prompt further comment.
porty, New Zealand.
-----------------------------------------------------------
I'm running Norton AntiVirus 2001 on a W98 2nd Ed. 466 PC.
While I was on the net just now, I got a message telling me:
"Your Boot Record, which contains critical Startup information, has changed........"
It gave me the following 3 options:
1.The change to my boot record is ok. Update the saved copy of my boot record.
2.The change is unexpected. Restore my boot record to ensure it does not contain a virus.
3.Ignore the change and do nothing.(Remember to run LiveUpdate and then scan with Norton AntiVirus)
I opted for #3 (did nothing)but updated the virus definitions and did a scan. However, all that happened was I got another of the same messages.
I remember this happened a couple of years back and I selected the restore option and crashed Windows completely - had to re-install. Someone told me later that there's no way you should restore your boot record.
What should I do? I've rebooted and nothing seems untoward. Why do these messages originate? Is there no way to run a backup of the MBR that you can restore like the registry backup?
I'm puzzled........
-----------------------------------------------------------
Alt255 (Programmer) Feb 14, 2001
Windows writes to boot records almost every day. This usually occurs the first time a disk is accessed in a session (hard drive or floppy). Windows changes an eight byte field in the boot record (starting with the fourth byte) called the OEM ID. At one time, before the advent of Windows, this field was used to hold an identifier to indicate which OS had originally formatted the disk. Windows makes better use of the space by placing a marker to indicate that the disk has been accessed at least once in the current session.
Usually, virus checkers will understand the nature of this write and allow it without warning. Sometimes, depending on the AV's level of paranoia, it will trip an alarm and ask you if the activity is permissable. It's a shame that most virus checkers don't give you more data to allow an informed decision: "Hey dude! Windows is reminding itself that it has accessed your D: drive. Are you going to let that happen?" or This is to inform you that an unknown application has overwritten the boot record on C: with 512 bytes of deadly viral code. Would you like to reboot now to allow it a chance to infect your other drives?"
I guess software will never be that "smart". Now-a-days, you should maintain a certain level of paranoia at all times. Don't sweat it but, unless you have told Windows to modify the boot record (say, by changing the volume label), you should be suspicious of any write to this disk area... permissable or not. Ya just never know....
------------------------------------------------------------
porty (TechnicalUser) Feb 15, 2001
Thanks for your input.
No,I'd done nothing like changing the volume label to instigate any action, I was just online, surfing about the net.
I did a full scan afterwards and apart from the same Warning screen as showed up before, it reported no viruses were found. But the warning screen has shown up several times since, with no apparent cause, and does so every time I kick off another scan.
I find the whole thing very confusing. In retrospect, I must confess I don't even know what the boot record does. Or what a boot sector virus does. Is it counter-productive to restore an earlier boot record? Could it result in me needing to re-install Windows, as I was told a few years back by a Symantec telephone tech?
But if I do have some kind of gremlin lurking in my computer's innards, what on earth can it be doing? I mean, what is the point of a virus that doesn't actually do something?
And if I do have a virus, what's the point of Norton telling me about it, if indeed, the cure is worse than the disease and fixing it will result in Windows needing to be re-installed?
That in itself is kind of silly - it's like going to the doctor with some unpleasant symptoms and the doctor saying, 'Yes, you're right, you do have a disease. Please pay the receptionist on your way out'.
Unfortunately, the Norton program doesn't come with much in the way of documentation on the subject, and their website isn't exactly overburdened with answers either. I seem to recall that several years back, they used to have a pretty good knowledge base but so far I haven't dug it up.
Seems to me that I don't have too many options - I either restore the boot record and risk having to rebuild Windows or accept the new, changed boot record as normal, with whatever accompanying consequences might ensue.
------------------------------------------------------------
Alt255 (Programmer) Feb 15, 2001
If I read your posts correctly, NAV is reporting attempts to write to the boot record. It isn't reporting that it has found a virus.
I would suggest that you leave the boot record alone. Unless NAV actually reports a virus, go ahead and allow it to update its boot record information. If NAV scans the disk and actually finds a virus it will ask you for permission to repair the damage. It will probably tell you that you need to boot to a floppy with the DOS version (NAVDX) to remove the virus. Allow NAV to do its thing.
It would be incredibly unlikely to find an active boot sector virus on a system running NAV with auto-protection. The reason for this is that the boot sector is only 512 bytes long and every byte of it, except for Volume Label, the Volume Serial Number and the OEM ID, is critical for loading and initializing DOS. There isn't much room to hide a virus.
Boot sector viruses work by moving the real boot sector to another location on the disk and then replacing the code in sector #1. When you boot to the disk, instead of initializing the DOS loader, the loader portion of the virus starts and points to the remainder of the viral code (usually located at the end of the physical disk and most often residing in clusters the virus has marked as "bad" -- this prevents DOS from overwriting it with files). After the virus is fully active, has verified its own integrity and possibly infected other hard drives or floppies, it activates the DOS loader code in the copy of the boot sector it made when it infected the disk. DOS starts, Windows starts and everything appears to be normal.
Just remember that the virus loads before the OS and it is in absolute control. Ready to infect other disks or deliver a "payload" at its own convenience.
The payload varies. Some boot-sector virues (like StealthB and StealthC) only seek to spread to other disks (in the case of the two mentioned, there is an unintentional side-effect of FAT corruption).
The Stoned virus tells you that your computer is stoned and corrupts the FAT (if you ever boot to a floppy and a DIR C: shows you several screens of hieroglyphs, you are probably looking at an example of FAT corruption).
The Michaelangelo virus waits until the birthday of Michaelangelo and then encrypts the first 33 sectors of the hard drive (basically ruining it). There are countless variations to these schemes but my earlier point holds true for practically all of them. If you have enabled auto-protection on a modern anti-virus package you should never have to worry about infection by a boot-sector virus. There are a couple of reasons for this:
1) No self-respecting virus author would try to create a new boot sector virus because (see #2)
2) They are incredibly easy to detect, prevent and remove.
The virus authors realized quite some time ago that the boot sector is a very poor place to hide a virus. Almost every byte has to be accounted for in order to start a system and anything that can't be accounted for is likely to trigger a red-flag:
1) In the CMOS anti-virus feature, if enabled. This feature comes with almost all modern boards. Whenever something attempts to write to the boot sector this feature will pause the system and ask you if you want to allow the write. If you have decent anti-virus software you can toggle this feature off in system setup.
2) In Windows. Windows probably won't load properly unless the virus was written to provide some accomodations for it. In the case of the StealthB virus, it steals a portion of the first meg of RAM and tries to hide itself from AVs by fooling the system into believing that the first meg is actually 64kb smaller than a full meg. It worked quite well under Win3x but Win95 didn't buy the ruse and crashed. I first detected this virus on a malfunctioning system when I booted to MS-DOS and did a MEM command. The computer appeared to have less than 640kb of conventional memory. I booted to a floppy with NAV and it repaired the damage without incident.
3) In the anti-virus software. Any attempt to write to the boot record should trigger an alert. If the software is sufficiently sophisticated, like NAV 200x, it should be able to distinguish between legal writes by the OS and illicit writes by a virus.
My advice for you is to boot to a known, clean boot floppy with a copy of NAVDX.EXE. It is important that you do this after booting to a clean floppy. Some viruses are difficult to detect after they go resident and even the best AVs may miss them. Scan the hard drives and follow the recommendations. If you actually have a boot sector virus, NAV should inform you of that fact the instant it starts. Do not attempt to manually restore an earlier copy of the boot record (even allowing NAV to do this can be risky but you may not have a choice). There are a thousand ways where this could give you bad results. For instance, if one of your drives was installed using a firmware drive overlay like EZ-Drive, you will probably end up losing everthing on the disk and be forced to do a low-level format in order to use the disk again (an ordinary format probably won't do the trick).
I don't have a copy of NAV 2001, so I can't check, but I'm pretty sure you will find a "sensitivity" setting you can adjust to ignore lawful disk activity.
My SWAG is that you don't have a virus... but that is only a guess so don't rely on it. Run NAV from a clean floppy to find out. Even then, don't assume your system is clean. Be proactive: make frequent backups and always be prepared for the worst.
There is a new forum at Tek-Tips called General Virus Discussion. You will find it in the MIS/IT area. It may be best to move this discussion to that forum. There may be members with different recommendations who have seen things that I missed in your posts. In order to let the members know about the points that have already been discussed, you should copy the entire "Boot Record Changed?" thread and paste it into a new post in the General Virus Discussion forum.
Good luck!
------------------------------------------------------------
porty (TechnicalUser) Feb 15, 2001
Thank you for the best reply I've ever had to a forum question - it's extremely comprehensive and legible and answers my query thoroughly. I'll take your advice and go through the routines you've suggested - I'll also post this entire thread to the General Virus Discussion forum so that this information is available to as many members as possible.
Once again - many thanks.
------------------------------------------------------------
porty, New Zealand.
-----------------------------------------------------------
I'm running Norton AntiVirus 2001 on a W98 2nd Ed. 466 PC.
While I was on the net just now, I got a message telling me:
"Your Boot Record, which contains critical Startup information, has changed........"
It gave me the following 3 options:
1.The change to my boot record is ok. Update the saved copy of my boot record.
2.The change is unexpected. Restore my boot record to ensure it does not contain a virus.
3.Ignore the change and do nothing.(Remember to run LiveUpdate and then scan with Norton AntiVirus)
I opted for #3 (did nothing)but updated the virus definitions and did a scan. However, all that happened was I got another of the same messages.
I remember this happened a couple of years back and I selected the restore option and crashed Windows completely - had to re-install. Someone told me later that there's no way you should restore your boot record.
What should I do? I've rebooted and nothing seems untoward. Why do these messages originate? Is there no way to run a backup of the MBR that you can restore like the registry backup?
I'm puzzled........
-----------------------------------------------------------
Alt255 (Programmer) Feb 14, 2001
Windows writes to boot records almost every day. This usually occurs the first time a disk is accessed in a session (hard drive or floppy). Windows changes an eight byte field in the boot record (starting with the fourth byte) called the OEM ID. At one time, before the advent of Windows, this field was used to hold an identifier to indicate which OS had originally formatted the disk. Windows makes better use of the space by placing a marker to indicate that the disk has been accessed at least once in the current session.
Usually, virus checkers will understand the nature of this write and allow it without warning. Sometimes, depending on the AV's level of paranoia, it will trip an alarm and ask you if the activity is permissable. It's a shame that most virus checkers don't give you more data to allow an informed decision: "Hey dude! Windows is reminding itself that it has accessed your D: drive. Are you going to let that happen?" or This is to inform you that an unknown application has overwritten the boot record on C: with 512 bytes of deadly viral code. Would you like to reboot now to allow it a chance to infect your other drives?"
I guess software will never be that "smart". Now-a-days, you should maintain a certain level of paranoia at all times. Don't sweat it but, unless you have told Windows to modify the boot record (say, by changing the volume label), you should be suspicious of any write to this disk area... permissable or not. Ya just never know....
------------------------------------------------------------
porty (TechnicalUser) Feb 15, 2001
Thanks for your input.
No,I'd done nothing like changing the volume label to instigate any action, I was just online, surfing about the net.
I did a full scan afterwards and apart from the same Warning screen as showed up before, it reported no viruses were found. But the warning screen has shown up several times since, with no apparent cause, and does so every time I kick off another scan.
I find the whole thing very confusing. In retrospect, I must confess I don't even know what the boot record does. Or what a boot sector virus does. Is it counter-productive to restore an earlier boot record? Could it result in me needing to re-install Windows, as I was told a few years back by a Symantec telephone tech?
But if I do have some kind of gremlin lurking in my computer's innards, what on earth can it be doing? I mean, what is the point of a virus that doesn't actually do something?
And if I do have a virus, what's the point of Norton telling me about it, if indeed, the cure is worse than the disease and fixing it will result in Windows needing to be re-installed?
That in itself is kind of silly - it's like going to the doctor with some unpleasant symptoms and the doctor saying, 'Yes, you're right, you do have a disease. Please pay the receptionist on your way out'.
Unfortunately, the Norton program doesn't come with much in the way of documentation on the subject, and their website isn't exactly overburdened with answers either. I seem to recall that several years back, they used to have a pretty good knowledge base but so far I haven't dug it up.
Seems to me that I don't have too many options - I either restore the boot record and risk having to rebuild Windows or accept the new, changed boot record as normal, with whatever accompanying consequences might ensue.
------------------------------------------------------------
Alt255 (Programmer) Feb 15, 2001
If I read your posts correctly, NAV is reporting attempts to write to the boot record. It isn't reporting that it has found a virus.
I would suggest that you leave the boot record alone. Unless NAV actually reports a virus, go ahead and allow it to update its boot record information. If NAV scans the disk and actually finds a virus it will ask you for permission to repair the damage. It will probably tell you that you need to boot to a floppy with the DOS version (NAVDX) to remove the virus. Allow NAV to do its thing.
It would be incredibly unlikely to find an active boot sector virus on a system running NAV with auto-protection. The reason for this is that the boot sector is only 512 bytes long and every byte of it, except for Volume Label, the Volume Serial Number and the OEM ID, is critical for loading and initializing DOS. There isn't much room to hide a virus.
Boot sector viruses work by moving the real boot sector to another location on the disk and then replacing the code in sector #1. When you boot to the disk, instead of initializing the DOS loader, the loader portion of the virus starts and points to the remainder of the viral code (usually located at the end of the physical disk and most often residing in clusters the virus has marked as "bad" -- this prevents DOS from overwriting it with files). After the virus is fully active, has verified its own integrity and possibly infected other hard drives or floppies, it activates the DOS loader code in the copy of the boot sector it made when it infected the disk. DOS starts, Windows starts and everything appears to be normal.
Just remember that the virus loads before the OS and it is in absolute control. Ready to infect other disks or deliver a "payload" at its own convenience.
The payload varies. Some boot-sector virues (like StealthB and StealthC) only seek to spread to other disks (in the case of the two mentioned, there is an unintentional side-effect of FAT corruption).
The Stoned virus tells you that your computer is stoned and corrupts the FAT (if you ever boot to a floppy and a DIR C: shows you several screens of hieroglyphs, you are probably looking at an example of FAT corruption).
The Michaelangelo virus waits until the birthday of Michaelangelo and then encrypts the first 33 sectors of the hard drive (basically ruining it). There are countless variations to these schemes but my earlier point holds true for practically all of them. If you have enabled auto-protection on a modern anti-virus package you should never have to worry about infection by a boot-sector virus. There are a couple of reasons for this:
1) No self-respecting virus author would try to create a new boot sector virus because (see #2)
2) They are incredibly easy to detect, prevent and remove.
The virus authors realized quite some time ago that the boot sector is a very poor place to hide a virus. Almost every byte has to be accounted for in order to start a system and anything that can't be accounted for is likely to trigger a red-flag:
1) In the CMOS anti-virus feature, if enabled. This feature comes with almost all modern boards. Whenever something attempts to write to the boot sector this feature will pause the system and ask you if you want to allow the write. If you have decent anti-virus software you can toggle this feature off in system setup.
2) In Windows. Windows probably won't load properly unless the virus was written to provide some accomodations for it. In the case of the StealthB virus, it steals a portion of the first meg of RAM and tries to hide itself from AVs by fooling the system into believing that the first meg is actually 64kb smaller than a full meg. It worked quite well under Win3x but Win95 didn't buy the ruse and crashed. I first detected this virus on a malfunctioning system when I booted to MS-DOS and did a MEM command. The computer appeared to have less than 640kb of conventional memory. I booted to a floppy with NAV and it repaired the damage without incident.
3) In the anti-virus software. Any attempt to write to the boot record should trigger an alert. If the software is sufficiently sophisticated, like NAV 200x, it should be able to distinguish between legal writes by the OS and illicit writes by a virus.
My advice for you is to boot to a known, clean boot floppy with a copy of NAVDX.EXE. It is important that you do this after booting to a clean floppy. Some viruses are difficult to detect after they go resident and even the best AVs may miss them. Scan the hard drives and follow the recommendations. If you actually have a boot sector virus, NAV should inform you of that fact the instant it starts. Do not attempt to manually restore an earlier copy of the boot record (even allowing NAV to do this can be risky but you may not have a choice). There are a thousand ways where this could give you bad results. For instance, if one of your drives was installed using a firmware drive overlay like EZ-Drive, you will probably end up losing everthing on the disk and be forced to do a low-level format in order to use the disk again (an ordinary format probably won't do the trick).
I don't have a copy of NAV 2001, so I can't check, but I'm pretty sure you will find a "sensitivity" setting you can adjust to ignore lawful disk activity.
My SWAG is that you don't have a virus... but that is only a guess so don't rely on it. Run NAV from a clean floppy to find out. Even then, don't assume your system is clean. Be proactive: make frequent backups and always be prepared for the worst.
There is a new forum at Tek-Tips called General Virus Discussion. You will find it in the MIS/IT area. It may be best to move this discussion to that forum. There may be members with different recommendations who have seen things that I missed in your posts. In order to let the members know about the points that have already been discussed, you should copy the entire "Boot Record Changed?" thread and paste it into a new post in the General Virus Discussion forum.
Good luck!
------------------------------------------------------------
porty (TechnicalUser) Feb 15, 2001
Thank you for the best reply I've ever had to a forum question - it's extremely comprehensive and legible and answers my query thoroughly. I'll take your advice and go through the routines you've suggested - I'll also post this entire thread to the General Virus Discussion forum so that this information is available to as many members as possible.
Once again - many thanks.
------------------------------------------------------------
