Q: Fdisk and Fdisk /MBR

Post by HSutt » Mon, 10 May 1999 04:00:00



I am trying to deal with a virus in the boot sector. (The
scanner said there may be "traces".) When I tried to run
Fdisk to break up the partitions (C + D), Fdisk flashed
a warning message--possible virus. - I didn't go ahead.

Question: How can Fdisk recognize a virus?

Fdisk /MBR: This seems to be an option to remove a
boot sector virus. But how safe/unsafe is it to run
Fdisk /MBR? And what exactly would Fdisk do?...replace
entire master boot record or part of it?
(My hard disk is empty now.)

I would appreciate your views.

TIA,
/hs


Post by Felix Miat » Mon, 10 May 1999 04:00:00



> I am trying to deal with a virus in the boot sector. (The
> scanner said there may be "traces".) When I tried to run
> Fdisk to break up the partitions (C + D), Fdisk flashed
> a warning message--possible virus. - I didn't go ahead.
> Question: How can Fdisk recognize a virus?
> Fdisk /MBR: This seems to be an option to remove a
> boot sector virus. But how safe/unsafe is it to run
> Fdisk /MBR? And what exactly would Fdisk do?...replace
> entire master boot record or part of it?
> (My hard disk is empty now.)

I've never had a problem with FDISK /MBR except when messing with a
machine with a BIOS enabled VIRUS PROTECTION. If you try it now, you'll
probably see the exact same message, as you probably have that option
now set to on. If you are using anti virus software, you'll probably
find that its instructions will say to disable this setting.
--
The fear of the Lord is the beginning of knowledge, but fools despise
wisdom and discipline. Proverbs 1:7 NKJV

 Team OS/2

Felix Miata  ***  http://www.gate.net/~mrmazda


Post by Clay Calve » Tue, 11 May 1999 04:00:00


Fdisk doesn't recognize a virus, but it may recognize that something
is 'amiss' in the MBR.  It simply rebuilds the entire master boot
record.  What was the message, and if named, what was the virus?

Fdisk /MBR is safe to run on an empty disk, IMHO, and I have used it
numerous times to eradicate viruses.  However, I only used it on
viruses that I knew didn't encrypt the MBR (Form A, Natas, Anti-Exe).
Some viruses encrypt the MBR (Monkey) and using Fdisk /MBR will make
your hard disk unreadable.

In your case I would use Fdisk /MBR from a clean boot disk.  You can
re-partition your disk without worrying about losing any data.


> I am trying to deal with a virus in the boot sector. (The
> scanner said there may be "traces".) When I tried to run
> Fdisk to break up the partitions (C + D), Fdisk flashed
> a warning message--possible virus. - I didn't go ahead.

> Question: How can Fdisk recognize a virus?

> Fdisk /MBR: This seems to be an option to remove a
> boot sector virus. But how safe/unsafe is it to run
> Fdisk /MBR? And what exactly would Fdisk do?...replace
> entire master boot record or part of it?
> (My hard disk is empty now.)

> I would appreciate your views.

> TIA,
> /hs

Clay Calvert
Remove the "x" in my e-mail address to reply.

Post by Frank Slootw » Tue, 11 May 1999 04:00:00


[deleted]

> I've never had a problem with FDISK /MBR except when messing with a
> machine with a BIOS enabled VIRUS PROTECTION.

  Well, FDISK /MBR will happily blow away a near-perfect partition-table
(PT). While theoretically you would not lose any data, in practice it
means that you will lose your data, because you can no longer get to
it. Since most people don't (know how to) backup their PT, it means
"lose (access to) your data". Not very nice!

  To backup your PT (+MBR): "MIRROR /PARTN". If you don't have MIRROR,
then get it (from the "supplemental" (or some such name) MS-DOS disk).

  FDISK /MBR can be very dangerous and is hardly ever needed. *IF* you
use it, then

1. make sure you have backup of your partition table, and

2. make sure that it is really the MBR (Master Boot Record) which is
   corrupt and needs fixing.

  Suggestion: before using the FDISK /MBR command, use the command:

  FDISK /STATUS

  If the reported partition configuration isn't what you expect to see,
then using FDISK /MBR will probably be useless at best and destructive
at worst.  In particular, if the signature bytes are wrong, the output
of FDISK /STATUS will report that the drive contains no partitions.

  There couldn't be a good reason that the "/MBR" switch is
undocumented, could there? Nah! :-) / :-(
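Added example, not code from anyone in this thread and not MS-DOS FDISK itself: a small Python model of the MBR layout that Frank's checklist and Clay's warning both rely on. It assumes the standard layout (446 bytes of boot code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510) and models the "/MBR" rewrite as replacing only the code area while leaving the table bytes alone; the sample MBR bytes and partition entries are constructed for the example. It shows three things a practitioner would check before touching the sector: a FDISK /STATUS-style listing that reports no partitions when the signature bytes are wrong, a MIRROR /PARTN-style backup of the table plus signature, and why a code-area rewrite restores access when only the code was replaced but does nothing when the table region itself has been altered.

```python
"""Model of the MBR layout discussed in the thread: 446 bytes of boot code,
a 64-byte partition table and the 2-byte 0x55AA signature.
Added example; not code from the thread or from MS-DOS FDISK."""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code
PT_OFFSET = 446              # bytes 446..509: four 16-byte partition entries
SIG_OFFSET = 510             # bytes 510..511: boot signature
SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Return the signature check and the non-empty partition entries.
    Mirrors the FDISK /STATUS behaviour described in the thread: with bad
    signature bytes the sector is treated as holding no partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    sig_ok = sector[SIG_OFFSET:SIG_OFFSET + 2] == SIGNATURE
    partitions = []
    if sig_ok:
        for i in range(4):
            entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
            boot_flag, ptype = entry[0], entry[4]
            lba_start, sector_count = struct.unpack_from("<II", entry, 8)
            if ptype != 0:                       # type 0 = unused slot
                partitions.append({"slot": i, "bootable": boot_flag == 0x80,
                                   "type": ptype, "lba_start": lba_start,
                                   "sectors": sector_count})
    return {"signature_ok": sig_ok, "partitions": partitions}


def backup_partition_table(sector: bytes) -> bytes:
    """Save what a MIRROR /PARTN-style backup preserves: table + signature."""
    return bytes(sector[PT_OFFSET:SECTOR_SIZE])


def restore_partition_table(sector: bytes, saved: bytes) -> bytes:
    """Put a saved table + signature back over bytes 446..511."""
    return sector[:PT_OFFSET] + saved


def rewrite_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """Model of an FDISK /MBR-style rewrite (assumption: only the 446-byte
    code area is replaced; the partition table bytes are left untouched)."""
    code = clean_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    return code + sector[PT_OFFSET:]


def status(sector: bytes) -> str:
    """A FDISK /STATUS-like one-line summary of the sector."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "no partitions (signature bytes wrong)"
    return ", ".join(f"slot {p['slot']}: type 0x{p['type']:02x}, "
                     f"{p['sectors']} sectors" for p in info["partitions"])


# --- constructed sample data (not captured from any real disk) ------------

def make_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one 16-byte partition entry; the CHS fields are left zero."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


CLEAN_CODE = b"\xfa\x33\xc0" + b"\x90" * 443            # placeholder boot code
CLEAN_MBR = (CLEAN_CODE
             + make_entry(True, 0x06, 63, 1_048_513)       # C: FAT16
             + make_entry(False, 0x05, 1_048_576, 524_288)  # extended, holds D:
             + bytes(32)                                    # two unused slots
             + SIGNATURE)

# Case 1: foreign code in the boot area, table and signature intact.
FOREIGN_CODE_MBR = (b"\xeb\xfe" + b"\x00" * 444) + CLEAN_MBR[PT_OFFSET:]

# Case 2: table region scrambled, a stand-in for the "encrypted MBR" case.
SCRAMBLED_MBR = CLEAN_MBR[:PT_OFFSET] + bytes(b ^ 0xA5 for b in CLEAN_MBR[PT_OFFSET:])


if __name__ == "__main__":
    saved = backup_partition_table(CLEAN_MBR)            # the MIRROR /PARTN step
    print("clean     :", status(CLEAN_MBR))
    print("foreign   :", status(FOREIGN_CODE_MBR))
    print("scrambled :", status(SCRAMBLED_MBR))
    print("code rewrite, foreign   :", status(rewrite_boot_code(FOREIGN_CODE_MBR, CLEAN_CODE)))
    print("code rewrite, scrambled :", status(rewrite_boot_code(SCRAMBLED_MBR, CLEAN_CODE)))
    print("table restore, scrambled:", status(restore_partition_table(SCRAMBLED_MBR, saved)))
```

In the foreign-code case the status listing still shows both partitions, and rewriting the code area gives back the clean sector byte for byte. In the scrambled case the listing reports no partitions before and after the code rewrite; only putting the saved table bytes back recovers the entries, which is the point of taking the backup first.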


Post by Walter Gr » Tue, 11 May 1999 04:00:00


 :Fdisk doesn't recognize a virus, but it may recognize that something
 :is 'amiss' in the MBR.  It simply rebuilds the entire master boot
 :record.  What was the message, and if named, what was the virus?
 :
 :Fdisk /MBR is safe to run on an empty disk, IMHO, and I have used it
 :numerous times to eradicate viruses.  However, I only used it on
 :viruses that I knew didn't encrypt the MBR (Form A, Natas, Anti-Exe).
 :Some viruses encrypt the MBR (Monkey) and using Fdisk /MBR will make
 :your hard disk unreadable.

Excuse ignorance, why does encryption matter? Can't fdisk (or
some other util) just write a fresh MBR regardless of whatever
mess was there before?

Walter

Disclaimer: My employer is not responsible for the above.
If you want to email me, please use a valid From: address.


Post by HSutt » Tue, 11 May 1999 04:00:00


Thank you everyone for your comments.

This happened two weeks ago. Since then I have been
reading up on the stuff so I can understand this a little
better before I do anything. At least I know now what an
MBR is and what an encrypting virus does--back then I didn't.

I don't remember exactly what Fdisk's message was, but in
essence it said that there was possibly a virus and did I
want to continue (with collapsing the partition). I didn't.
(I have now checked the BIOS: it has 'C000 Write Protect 64K'
enabled. Could this have caused the message?)

The scanner had named the virus and I wrote it down--but
misplaced the paper. (It was letters and figures, I think.)
Another scanner had detected nothing.

The disk is unformatted now: I did a 'government wipe'
with Norton. And it was after the wipe that I tried to run
Fdisk (without options)--and got that message.

So once the disk is reformatted, I'll scan for the name of
the virus again--to make sure it isn't one that encrypts the
MBR, as you said. - Of course, I won't use the /MBR option
unless I have to--and try to take precautions if I do.
(Backing up PT (+MBR), as someone suggested, would be
impossible at this stage. But I'll remember it.)

I am grateful for your explanations. Different people had
told me different things (e.g., Fdisk /MBR), but none of
them had actually experienced a virus. And everyone agreed
that I shouldn't have done what I did. Well, this was my
first time...

/hs


>Fdisk doesn't recognize a virus, but it may recognize that something
>is 'amiss' in the MBR.  It simply rebuilds the entire master boot
>record.  What was the message, and if named, what was the virus?

>Fdisk /MBR is safe to run on an empty disk, IMHO, and I have used it
>numerous times to eradicate viruses.  However, I only used it on
>viruses that I knew didn't encrypt the MBR (Form A, Natas, Anti-Exe).
>Some viruses encrypt the MBR (Monkey) and using Fdisk /MBR will make
>your hard disk unreadable.

>In your case I would use Fdisk /MBR from a clean boot disk.  You can
>re-partition your disk without worrying about losing any data.


Post by Rez » Tue, 11 May 1999 04:00:00



> Thank you everyone for your comments.

> This happened two weeks ago. Since then I have been
> reading up on the stuff so I can understand this a little
> better before I do anything. At least I know now what an
> MBR is and what an encrypting virus does--back then I didn't.

> I don't remember exactly what Fdisk's message was, but in
> essence it said that there was possibly a virus and did I
> want to continue (with collapsing the partition). I didn't.
> (I have now checked the BIOS: it has 'C000 Write Protect 64K'
> enabled. Could this have caused the message?)

Maybe. Sounds like a primitive virus protection scheme.

> The scanner had named the virus and I wrote it down--but
> misplaced the paper. (It was Letters and figures, I think.)
> Another scanner had detected nothing.

> The disk is unformatted now: I did a 'government wipe'
> with Norton. And it was after the wipe that I tried to run
> Fdisk (without options)--and got that message.

If you had a boot sector virus, reformatting will NOT get rid of it.

Boot from a KNOWN CLEAN WRITE-PROTECTED FLOPPY. This will ensure that
any lurking virus isn't loaded from your hard disk's boot sector.

Run FDISK ***FROM THE FLOPPY***.

NOW your HD is clean and you can start reloading stuff. Be sure to scan
ALL your floppies, as any that were written to while a HD was infected
are ALSO infected and can reinfect the system.

1. fdisk /mbr - what does it *really* do? (was Re: fdisk /mbr doesn't work

   FDISK /MBR is not a "cure-all" for boot sector problems. It can help getting
   rid of certain viruses, and it is useful if the code part of the MBR gets
   corrupted for some reason.

Just out of curiosity, does anyone know what FDISK /MBR
really does?

I was under the impression that it writes the boot code in
the master boot record.  Does it also write something in the
boot sector as well?

I'm using DOS 5.0 and there's no documentation about the
/MBR option and have been wanting to know what it *really*
does..

Your response would be much appreciated.

--
Fumiaki Kamiya
