The dangers of using FDISK/MBR to remove partition sector viruses
The partition sector [Master Boot Record or MBR] is the first sector on the hard disk. It is made up of partition executable code, error messages ['Invalid partition table', 'Error loading operating system', 'Missing operating system'] and the partition table.
When the PC is booted normally, and control is passed to the partition sector, the executable code in this sector is executed automatically. Its job is to check the partition table, to ensure that it is present and that it contains valid data. [The partition table contains information on the number of sectors on the disk, the number of partitions into which the disk is divided and the location of the boot sector for the active partition.] If the data in the partition table is valid, control then passes to the boot sector. If the partition table is missing, or if it contains invalid data, an error message is displayed.
FDISK /MBR [the /MBR parameter is available in MS-DOS 5.x onwards] replaces the partition executable code, without changing the partition data. Since most partition sector viruses replace [or modify] the partition executable code, leaving the partition table unchanged, FDISK /MBR is often considered to be an easy way of removing partition sector viruses. However, FDISK /MBR is not a virus removal utility and its use for this purpose may result in loss of data, as the following examples show.
FDISK makes no check of the partition table [to ensure that it contains valid data]; it assumes that anything in this location is a valid partition table. If any virus has overwritten the partition table, the use of FDISK /MBR will render the disk inaccessible. Empire Monkey virus encrypts the partition sector and re-locates it to cylinder 0, head 0, sector 3; it then replaces the partition sector with its own code. When the PC is booted from the hard disk, Empire Monkey loads into memory, decrypts the partition sector and the PC boots normally. However, if the PC is booted from a clean DOS system disk, the hard disk is inaccessible [the user will see the message 'Invalid drive specification' if he or she attempts to access the hard disk]. If FDISK /MBR is used, most of the virus code is replaced with good partition executable code [a 'stub' is left, which FDISK assumes to be a valid partition table]. In effect, FDISK removes the only mechanism available for decrypting the good partition sector.
If any disk management software, or security software, is installed on the hard disk, the partition sector may have been modified [or re-located]. If FDISK /MBR is used, in an attempt to remove a partition sector virus, the disk management software may be damaged and the drive may become inaccessible.
One-Half virus writes its code into the partition executable code and leaves the partition table unchanged. On the face of it, it would appear that FDISK /MBR could be used to remove the virus successfully [the virus code would be replaced with good executable code; and the partition table would be unchanged]. However, One-Half also encrypts data on the disk [every time the PC is booted, one cylinder is encrypted]. The virus decrypts this data 'on-the-fly' when the infected PC is booted. Since the virus is the only mechanism available for decrypting this data, FDISK /MBR will result in data loss.
FDISK /MBR SHOULD NEVER BE USED AS A VIRUS REMOVAL UTILITY.
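The post above describes the partition sector as three parts (executable code, a partition table, and the check the code performs on that table) and notes that FDISK /MBR replaces the code while making no check of the table. The following Python is an added example, not code from the original post or from any vendor: it models the standard 512-byte MBR layout (446 bytes of code at offset 0, four 16-byte table entries at offset 0x1BE, the 0x55AA signature at 0x1FE), parses and sanity-checks the table, and contrasts an unconditional "rewrite the code area, keep whatever is at 0x1BE" operation (what the post says FDISK /MBR does) with a guarded version that refuses when the table area does not look like a partition table. The two sample sectors, the FAT16 type byte 0x06, the CHS/LBA geometry and the filler bytes standing in for the Monkey-style 'stub' are all constructed for illustration; nothing here is captured from a real disk or virus, and nothing writes to a device.

```python
import struct

SECTOR_SIZE = 512
CODE_SIZE = 446            # bytes 0x000-0x1BD: the partition executable code
TABLE_OFFSET = CODE_SIZE   # 0x1BE: four 16-byte partition table entries
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510     # 0x1FE: 0x55 0xAA boot signature
BOOT_SIGNATURE = b"\x55\xaa"


def decode_chs(head, sector_byte, cyl_low):
    """Unpack the packed CHS triple used in a partition table entry."""
    sector = sector_byte & 0x3F                        # low 6 bits of the sector byte
    cylinder = ((sector_byte & 0xC0) << 2) | cyl_low   # top 2 bits hold cylinder bits 8-9
    return cylinder, head, sector


def parse_entry(raw):
    """Decode one 16-byte partition table entry into a dict."""
    status, h1, s1, c1, ptype, h2, s2, c2, lba_start, sectors = struct.unpack("<8BII", raw)
    return {"status": status, "type": ptype,
            "chs_start": decode_chs(h1, s1, c1), "chs_end": decode_chs(h2, s2, c2),
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Split a 512-byte sector into code area, partition table entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = [parse_entry(sector[TABLE_OFFSET + i * ENTRY_SIZE:TABLE_OFFSET + (i + 1) * ENTRY_SIZE])
               for i in range(4)]
    return {"code": sector[:CODE_SIZE], "entries": entries, "signature": sector[SIGNATURE_OFFSET:]}


def validate_partition_table(sector):
    """Return (ok, problems): the sanity check the post says FDISK /MBR does not perform."""
    problems = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        problems.append("boot signature 0x55AA missing")
    active, used = 0, []
    for i, e in enumerate(mbr["entries"]):
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {i}: status {e['status']:#04x} is neither 0x00 nor 0x80")
        if e["status"] == 0x80:
            active += 1
        if e["type"] == 0x00:                          # empty slot: the rest must be zero too
            if e["lba_start"] or e["sectors"]:
                problems.append(f"entry {i}: type 0 but non-zero geometry")
            continue
        if e["sectors"] == 0:
            problems.append(f"entry {i}: zero-length partition")
        if e["lba_start"] == 0:
            problems.append(f"entry {i}: starts at LBA 0, overlapping the MBR itself")
        if e["chs_start"][2] == 0:
            problems.append(f"entry {i}: CHS sector 0 is invalid (sectors are numbered from 1)")
        used.append((i, e["lba_start"], e["lba_start"] + e["sectors"]))
    if active > 1:
        problems.append(f"{active} entries marked active, at most one is allowed")
    used.sort(key=lambda t: t[1])
    for (i, _, end_i), (j, start_j, _) in zip(used, used[1:]):
        if start_j < end_i:
            problems.append(f"entries {i} and {j} overlap")
    return not problems, problems


def rewrite_code_area(sector, new_code):
    """Model of FDISK /MBR: replace bytes 0..445, keep bytes 0x1BE..0x1FF exactly as found."""
    if len(new_code) > CODE_SIZE:
        raise ValueError("code does not fit in 446 bytes")
    return new_code.ljust(CODE_SIZE, b"\x00") + sector[CODE_SIZE:]


def guarded_rewrite_code_area(sector, new_code):
    """Same operation, but refuse unless the table area passes validation."""
    ok, problems = validate_partition_table(sector)
    if not ok:
        raise ValueError("refusing to rewrite code area: " + "; ".join(problems))
    return rewrite_code_area(sector, new_code)


def make_entry(status, chs_start, ptype, chs_end, lba_start, sectors):
    """Pack one partition table entry (inverse of parse_entry); used to build samples."""
    (c1, h1, s1), (c2, h2, s2) = chs_start, chs_end

    def pack(cyl, sec):  # cylinder bits 8-9 ride in the top two bits of the sector byte
        return ((cyl >> 2) & 0xC0) | (sec & 0x3F)

    return struct.pack("<8BII", status, h1, pack(c1, s1), c1 & 0xFF,
                       ptype, h2, pack(c2, s2), c2 & 0xFF, lba_start, sectors)


# Constructed sample sectors (not captured from any real disk or virus).
PLACEHOLDER_CODE = b"\xeb\xfe".ljust(CODE_SIZE, b"\x00")       # stand-in loader: jmp $
CLEAN_TABLE = (make_entry(0x80, (0, 1, 1), 0x06, (1023, 254, 63), 63, 2_097_152)
               + bytes(3 * ENTRY_SIZE))                         # one active FAT16 entry, 3 empty
CLEAN_MBR = PLACEHOLDER_CODE + CLEAN_TABLE + BOOT_SIGNATURE
# Stand-in for the situation the post describes for Empire Monkey: the bytes at 0x1BE
# are a leftover code 'stub', not a table. Arbitrary filler, not virus code.
STUB_TABLE = bytes((0xE9 + i) & 0xFF for i in range(4 * ENTRY_SIZE))
STUB_MBR = PLACEHOLDER_CODE + STUB_TABLE + BOOT_SIGNATURE

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("stub", STUB_MBR)):
        ok, problems = validate_partition_table(sector)
        print(name, "table valid" if ok else "table INVALID: " + "; ".join(problems))
```

Running the script shows the clean sector passing and the stub sector failing on every entry. `rewrite_code_area` succeeds on both, which is the point of the post: it preserves whatever bytes sit at offset 0x1BE and cannot tell a table from a stub. `guarded_rewrite_code_area` is the check a recovery tool should make first, and it is also a reasonable pre-flight test before trusting any tool that rewrites the code area: parse the table from a clean boot, and if it does not validate, the disk is not in the state FDISK /MBR assumes.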
HKEd
Moderator
Posts: 1025
From: Hong Kong
Registered: Sep 2000
Moderates: Malicious code: Virii and Trojans, Music
posted 09-20-2000 07:53 AM
--------------------------------------------------------------------------------
I think it's fair to say that the use of FDISK /MBR as an AV tool has taken on a kind of mythical status on the net, and is suggested in situations that are inappropriate and where the use of it could be very damaging.
But there are occasions when it can be used successfully:
quote:
--------------------------------------------------------------------------------
As discussed above, the DOS utility FDISK has not been designed as an anti-virus tool. Anti-virus technical support personnel will always recommend running a commercial anti-virus scanner as the preferred solution to removing all types of viruses.
Yet there are a few drawbacks from doing this. From our experience working within the support departments of major anti-virus vendors, we found that in real life scanners often detected but failed to remove partition sector viruses and worse, in some cases actually lost data (such as Netware partitions, for example) whilst removing viruses.
It is for this reason that we tested the behaviour of each of the commonly found in-the-wild boot and partition sector viruses. We found that, in a number of cases, it was actually safer to run FDISK /MBR to remove a virus than run a scanner's repair mechanism.
The running of FDISK /MBR is not at all recommended as a cure-all. It can, in a number of cases, actually cause loss of data. For example, it should not be run against hard drives that have disk managers installed (such as dynamic drive overlay DDO software). Neither should it be run against hard drives having security or encryption software stored on the first cylinder of the hard drive (utilities that prompt for a password prior to loading the operating system).
The general rule-of-thumb regarding the running of FDISK /MBR is that, if there exists a preferable solution, it should not be run. And if it should be run to remove a virus, one should be fully aware of the characteristics of the virus that it is destined to remove and that clean booting from a startup disk should allow the hard drive to be accessed correctly (i.e. drive C: is visible, for DOS based systems).
--------------------------------------------------------------------------------
The above is from Bridge Data Security Consultants.
http://www.datasecurity.co.uk/frame.cgi?src=antv
I guess the message is that it should only be used as a last resort when all else has failed, and only when it has been ascertained what type of virus it is, how many partitions are on the HDD, and whether or not the client/poster is using dual-booting or overlay software.
In other words, never even suggest it before you've had your first cup of coffee in the morning.