Boot virus
A boot virus is a computer virus that becomes active when the computer is started ( booting ) before the operating system has fully loaded. On floppy disks , the virus sits at least partially in the boot sector ; even floppy disks that do not contain any files can be infected. The virus can sit in the master boot record (MBR) or in the logical boot sector on hard drives .
Boot viruses are the oldest computer viruses of all. These viruses were the most common form of virus until 1995 . A boot sector virus infects the boot sector of floppy disks and the master boot record (MBR) of a hard disk. The boot sector is the first physical part of a floppy disk and is a sector (512 bytes) in size. The boot sector is used by startup floppy disks to enable booting from the floppy disk, but every floppy disk and hard drive has a boot sector or MBR. Boot sector viruses exploit the fact that the boot sector is always loaded first. If a user wants to boot from an infected boot diskette or if he forgets an infected diskette in the floppy disk drive when starting the computer, the BIOS accesses this sector and executes it if the BIOS boot setting is appropriate. The virus then tries to infect the hard drive's MBR to run every time the computer starts. When an infected computer starts, the MBR is loaded, which is normally responsible for recognizing the various partitions on the hard drive. The virus that is now loaded remains in the memory and monitors access to other floppy disks. When a floppy disk is placed in a computer infected with a boot sector virus, the virus becomes active in memory and infects the boot sector of the floppy disk. Nowadays there are almost no boot sector viruses because BIOS and operating systems usually have well-functioning protection. While there are experimental boot sector viruses designed to circumvent this protection, their spread is too slow to be a problem.
So-called droppers were also used to get such a virus into circulation. This is a file that writes the actual virus to the boot sector when it runs. So a dropper is a Trojan horse. Such cases used to be referred to as a hybrid virus.
Boot viruses include Form Virus , Parity Boot , Disk Killer , Michelangelo , the Stoned, and Boot-437 .
VMBRs
VMBRs represent a new variant of the idea , which start a VM when the computer starts and load the existing operating system into it. The VMBR remains accessible from outside the operating system without affecting the operating system. This is difficult to detect in the running system, even for virus scanners .
Chainloader problem
In principle, boot viruses use similar techniques to chain loaders: they overwrite the MBR with malware and jump to the original boot code that they previously copied to another location. If such a chain loader was active when infected with a boot virus, the following situation may arise:
- The chain loader or a disk overlay contains the necessary boot information
- The virus moves the chain loader / disk overlay and points to it itself
- If the boot virus is now removed by overwriting the MBR, nothing from the MBR points to the actual boot information on the disk geometry. The system can no longer access the hard disk.
- The virus moves the chain loader / disk overlay and points to it itself
Virus scanners can possibly find the overwritten code from the MBR and transfer it back. A generic overwriting of the MBR is therefore often not appropriate in these cases.