
List:       ntsecurity
Subject:    Betr.:: [NTSEC] fdisk /mbr (was: Boot Record Munged, Film At
From:       "Toralv Dirro" <Toralv.Dirro () de ! drsolomon ! com>
Date:       1998-01-30 14:18:11


TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------


>>Yes, I did do fdisk /mbr  ... this is the only way to get rid of some boot 
>>sector viruses. The problem I ran into was that even with that done the
>>partitions were squicked. I ended up repartitioning the drive and 
>>reformatting without a problem.
>
>Not at all surprising.  fdisk /mbr rewrites the boot information around the 
>partition table.  (This is some minimal programming that interprets the 
>partition table data, and hands off to the OS boot sector.)  fdisk /mbr will 
>*not* do anything to recover the partition table itself.

As mentioned before, most viruses that infect the mbr will leave the 
partition table itself untouched, so you can happily remove viruses like 
parity.b using this method. The only viruses that actually are in the wild 
that cannot be removed this way are stoned.empire.monkey, exebug and 
neuroquila. So before using fdisk /mbr you should boot clean (MS-DOS 
bootdisk) and check the partitions (fdisk | display partition information) 
to see if they look ok.


>>The idea was to boot using a DOS floppy and virus scan and fdisk, etc.. 
>>BUT ... the question is would fdisk /mbr work on a hard drive that was 
>>100% NTFS with no dos? 
>
>If it was able to do anything at all (see above), yes, it would work under DOS.
>You wouldn't be able to read the logical part of the disk, but fdisk doesn't 
>work at that level anyway.  (Of course, the virus scanner *does* work at the 
>higher level, so it wouldn't be able to see anything.  I suspect that most 
>scanners don't even try to scan the MBR before telling you that C: doesn't 
>exist.)

Not quite. Virus scanners first read the mbr physically and check it for a 
virus. Then they read the boot sectors of the partitions physically, 
checking them for viruses. After that they start to read the files 
(logically). Failure to access the files due to an unknown filesystem 
should not affect reading the mbr/bs in any way.

BTW, some scanners only scan the mbr/bs of the first hard disk, and there may be 
general problems accessing disks other than the first two from DOS.


regards,
Toralv Dirro
Dr Solomon's Software GmbH
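The two points made in the thread, that fdisk /mbr only rewrites the bootstrap bytes in front of the partition table, and that you should display and sanity-check the partition table before relying on it, can be shown on a 512-byte sector image. The following Python is an added example, not code from the original post or from Dr Solomon's: the sector bytes are constructed (a single NTFS entry plus filler bootstrap code, not a dump of any real disk), and the function names (`parse_partition_table`, `table_looks_sane`, `rewrite_boot_code`, `boot_code_fingerprint`) are this example's own. It parses the four partition entries the way "display partition information" would, fingerprints the bootstrap region so it can be compared against a known-good baseline, and simulates the fdisk /mbr rewrite on one sector whose bootstrap code was overwritten but whose table survived, and on one whose table was wiped, where the rewrite cannot bring the partitions back.

```python
"""Inspect and repair the bootstrap region of a 512-byte MBR image.

Constructed example: the sample sector below is synthetic, not a dump of any real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: bootstrap code, the region fdisk /mbr rewrites
PART_TABLE_OFF = 446       # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510        # bytes 510..511: 0x55 0xAA boot signature

# Well-known partition type bytes (enough for the sample; others report as "other")
PART_TYPES = {0x00: "empty", 0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32"}


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries, mirroring 'fdisk | display partition information'."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start (u32), sector count (u32)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "other"),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def table_looks_sane(mbr: bytes) -> bool:
    """Cheap plausibility check to run before trusting fdisk /mbr to be enough."""
    entries = parse_partition_table(mbr)
    used = [e for e in entries if e["type"] != 0x00]
    if not used:
        return False                                  # nothing defined: table wiped or never written
    if sum(1 for e in entries if e["bootable"]) > 1:
        return False                                  # more than one active partition is invalid
    return all(e["lba_start"] > 0 and e["sectors"] > 0 for e in used)


def boot_code_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the bootstrap region only; compare against a baseline taken from a clean system."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def rewrite_boot_code(mbr: bytes, clean_code: bytes) -> bytes:
    """What fdisk /mbr does: replace bytes 0..445, leave the partition table and signature alone."""
    if len(clean_code) != BOOT_CODE_LEN:
        raise ValueError("bootstrap code must be exactly 446 bytes")
    return clean_code + mbr[PART_TABLE_OFF:]


def partition_table_unchanged(a: bytes, b: bytes) -> bool:
    """True when two sector images carry byte-identical partition tables."""
    return a[PART_TABLE_OFF:SIGNATURE_OFF] == b[PART_TABLE_OFF:SIGNATURE_OFF]


# --- constructed sample data (synthetic values, not from a real disk) ---
CLEAN_BOOT_CODE = b"\xfa\x33\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)   # placeholder bootstrap bytes
# one active NTFS (type 0x07) partition starting at LBA 63, 2097089 sectors (about 1 GB)
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097089)
SAMPLE_MBR = CLEAN_BOOT_CODE + NTFS_ENTRY + bytes(16 * 3) + b"\x55\xaa"
# bootstrap bytes overwritten, partition table untouched (the common case described in the post)
OVERWRITTEN_MBR = b"\xeb\x1e" + b"\xcc" * (BOOT_CODE_LEN - 2) + SAMPLE_MBR[PART_TABLE_OFF:]
# partition table zeroed: restoring the bootstrap code alone cannot bring the partitions back
WIPED_TABLE_MBR = SAMPLE_MBR[:PART_TABLE_OFF] + bytes(64) + b"\x55\xaa"


if __name__ == "__main__":
    for entry in parse_partition_table(SAMPLE_MBR):
        print(entry)
    print("sample table sane:", table_looks_sane(SAMPLE_MBR))
    print("wiped table sane: ", table_looks_sane(WIPED_TABLE_MBR))
    print("fingerprint changed:", boot_code_fingerprint(SAMPLE_MBR) != boot_code_fingerprint(OVERWRITTEN_MBR))
    print("fdisk /mbr restores original:", rewrite_boot_code(OVERWRITTEN_MBR, CLEAN_BOOT_CODE) == SAMPLE_MBR)
```

Run against a sector read with a raw-disk tool, `table_looks_sane` is the automated form of the "look at the partition information first" advice: if it fails on the infected sector, rewriting the bootstrap code will not repair the disk, and the partition layout has to be restored from a backup of the sector or rebuilt. The fingerprint is only useful with a baseline recorded while the system was known clean.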

