Wednesday, October 18, 2006

what is a boot sector virus

a boot sector virus (or boot sector infector, or BSI) is a is a virus that infects a special kind of program called a bootstrap loader...

pure boot sector viruses spread by way of shared floppy disks - when one person gave another person a disk with a BSI on it and the second person booted their computer from that disk (sometimes accidentally) the BSI would execute and infect the hard disk (if one was available - early computers didn't always have hard disks) and/or any flopply disks that were subsequently inserted into the computer during that session...

some viruses were able to infect not only boot sectors but also conventional programs like *.EXE files - these were called multi-partite viruses...

on PC's, contrary to a popular misconception at the time, BSI's were never able to infect the machine simply be inserting an infected disk, a virus always has to be executed or run in some way before it can do anything and boot sectors (infected or otherwise) only get executed during bootup... other mitigating factors for BSI spread were the introduction of BIOS options to prevent booting from floppy disks (generally by way of changing the boot priority to attempt booting from the hard drive first or exclusively) and to monitor changes to the master boot record and give the user the opportunity to prevent those changes... one of the final nails in the coffin of BSI's was windows 95 (and later) which prevented BSI's from being able to spread after the operating system had loaded (giving the viruses too small a window of opportunity to spread)...

back to index

2 comments:

Admiral Norton said...

You are wrong. These viruses can spread simply by leaving the infected diskette in the drive when starting the computer. A defense against them is to place floppy after hard disk in BIOS loading sequence.

kurt wismer said...

i'm sorry but you've clearly misunderstood what i wrote... when you leave the floppy disk in the drive while starting the computer attempts to boot from that disk... therefore i covered the scenario you're describing in the second paragraph of my post...

the misconception i was talking about later in the post was the belief that simply inserting the disk (after bootup had finished) caused the virus to execute automatically... what was actually happening was that the boot sector was read into memory (in order to parse the file system) but not executed so the computer didn't actually get infected even though scanners would detect the virus' presence in memory...