Embedded in system memory and spread via physical media, the boot sector virus has a decades-long history since the early days of computing. Boot sector viruses are especially dangerous as they seize control of the computer system before any anti-virus mechanisms can activate.
Instances of this virus type have varied greatly in their severity and extent of distribution over the years. In this article, we analyze boot sector virus examples and the impacts of their infections on computer systems and software.
Boot Sector Virus – Brief Definition & Overview
The boot sector virus is a type of malware that embeds its starting code in the boot sector of a storage device. The virus moves into the system memory once the computer attempts to read and execute the program in the boot sector.
In this way, the virus can take control of basic computer operations. Once in memory, the boot sector virus can spread to other drives, such as floppy and network drives.
Note the following definition and explanation in Computer Viruses and Malware (2006):
A virus that infects by copying itself to the boot block. It may copy the contents of the former boot block elsewhere on the disk first, so that the virus can transfer control to it later to complete the booting process… [I]nfecting the boot sector is strategically sound: the virus may be in a known location, but it establishes itself before any anti-virus software starts or operating system security is enabled.
Aycock, John. Computer Viruses and Malware. New York: Springer, 2006.
In short, boot sector viruses can essentially achieve the following:
- Shift or overwrite the original boot sector of a disk
- Replace the boot sector with the virus itself
- Generate bad disk sectors
‘Boot Sector Infectors’ (BSI) is an older term for the boot sector virus. ‘Master Boot Record (MBR) infections’ may refer to a type of boot sector virus, but not in every case.
Here Are Four Boot Sector Virus Examples:
(1) Elk Cloner – Created 1981
Whilst previous malware existed only within testing systems and private networks, Elk Cloner was the first in-the-wild computer virus: the first to spread and affect users in a real-world setting.
Elk Cloner affected Apple II computers and spread via the floppy disk drive, manipulating the boot record directly as Apple II systems had the OS stored externally on a floppy disk. The virus printed a poem on-screen with every 50th reboot of the computer and also marked its victims by writing a signature bit on the disk directory.
Elk Cloner was created by 15-year-old Richard Skrenta in 1981 as a joke among friends. Although it had no malicious effects, it is still termed a virus owing to its replicative nature.
Elk Cloner Virus Overview:
- Name: Elk Cloner
- Type: Boot sector
- Affected: Apple DOS 3.3 OS
- Created: 1981
- Country of Origin: USA
(2) Brain – Created 1986
Brain originated as a non-malicious, anti-piracy measure for medical software that spread worldwide from Pakistan. The virus infects only the boot sector of IBM PC floppy disks with a 360 KB capacity.
Whilst relatively benign, coding bugs led to the possibility of data scrambling in the FAT and diskette files, which ultimately caused data loss. Floppy drives were slowed and rendered unusable in some cases. Notably, Brain made novel use of obfuscation techniques in the boot sector, making it the first stealth virus. By monitoring disk input/output activity, Brain redirects attempts to read the infected sector to the area where the original boot sector is stored. F-Secure explains:
The Brain virus tries to hide from detection by hooking into INT 13. When an attempt is made to read an infected boot sector, Brain will just show you the original boot sector instead. This means that if you look at the boot sector using DEBUG or any similar program, everything will look normal, if the virus is active in memory.
“Brain.” F-Secure. https://www.f-secure.com/v-descs/brain.shtml.
Brain Virus Overview:
- Name: Brain (Aliases: Lahore, Pakistani virus, Pakistani Brain)
- Type: Boot sector
- Affected: IBM PC
- Created: 1986
- Country of Origin: Pakistan
(3) Stoned – Created 1987
The Stoned virus was intentionally non-malicious and only periodically printed the message “Your PC is now stoned!” on screen. Stoned ranked as one of the most widespread computer viruses in existence.
Seemingly, Stoned was designed to work on disks with no more than 96 files in the root directory. Disks with more than this were common and were likely to experience major damage, as important files were unintentionally overwritten.
Professor Melius Weideman, PhD, writes on this aspect of Stoned:
A part of the root directory on 5.25-inch diskettes was overwritten by the [Stoned virus] boot code. This would only cause a problem if the diskette contained more than 96 files in the root directory, since directory entries for files 97 and up normally occupied the sector to be overwritten. The files in question therefore would lose their root directory entries, but no change would be made to their actual contents.
A further experiment was carried out on test Disk One. The diskette was infected, and files were added to the diskette until the 96 count was exceeded. As expected, the moment the file count exceeded 96, the boot sector was overwritten, making that diskette unbootable.
Weideman, Melius. A critical evaluation of the destructive impact of computer viruses on files stored by personal computer users. Master’s thesis, Cape Technikon, 1994.
Like many other boot sector virus examples, Stoned gave rise to a large number of variants, such as NoInt, Flame and Angelina. Flame utilized a date-checking mechanism: exactly 30 days after infection, the virus overwrites vital areas of the disk and displays a picture of flashing flames.
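As an added example (not code from the article or from any of the sources it cites), the following Python checks a raw 360 KB FAT12 floppy image for the two on-disk traces described above: the message text in sector 0, and a boot sector parked in the root directory sector that should hold entries 97 to 112. The BPB field offsets and the 360 KB geometry are standard FAT12; the sample image, the OEM label and the offset of the message inside the boot sector are constructed assumptions.

```python
import struct

SECTOR = 512
MESSAGE = b"your pc is now stoned!"   # text the article quotes, matched case-insensitively

def make_boot_sector(text=None):
    """Constructed FAT12 boot sector carrying the BPB of a 360 KB floppy:
    1 reserved sector, 2 FATs of 2 sectors each, 112 root entries, 720 sectors."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"                   # jump over the BPB
    bs[3:11] = b"MSDOS3.3"                      # OEM label (constructed)
    struct.pack_into("<HBHBHHBHHHH", bs, 11,
                     512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2, 0)
    if text:                                    # stand-in for the virus's message text
        bs[400:400 + len(text)] = text
    bs[510:512] = b"\x55\xAA"                   # boot signature
    return bytes(bs)

def root_dir_layout(img):
    """Parse the BPB in sector 0; return (first root-directory LBA, root-directory sectors)."""
    reserved, = struct.unpack_from("<H", img, 14)
    entries, = struct.unpack_from("<H", img, 17)
    per_fat, = struct.unpack_from("<H", img, 22)
    return reserved + img[16] * per_fat, (entries * 32 + SECTOR - 1) // SECTOR

def make_image(infected):
    """Constructed 360 KB image. The infected variant reproduces the on-disk layout
    the article describes: the original boot sector is parked in the last
    root-directory sector (entries 97-112) and sector 0 now carries the message."""
    img = bytearray(720 * SECTOR)
    img[0:SECTOR] = make_boot_sector()
    if infected:
        start, count = root_dir_layout(img)
        last = start + count - 1                # LBA 11 = track 0, head 1, sector 3
        img[last * SECTOR:(last + 1) * SECTOR] = img[0:SECTOR]
        img[0:SECTOR] = make_boot_sector(b"Your PC is now stoned!")
    return bytes(img)

def scan(img):
    """Report the message in sector 0 and every root-directory sector that ends in the
    0x55AA boot signature instead of directory data; a hit names the 16 entries it should hold."""
    start, count = root_dir_layout(img)
    hits = []
    for i in range(count):
        lba = start + i
        if img[lba * SECTOR + 510:lba * SECTOR + 512] == b"\x55\xAA":
            hits.append((lba, 16 * i + 1, 16 * i + 16))
    return {"message_in_boot_sector": MESSAGE in img[:SECTOR].lower(),
            "displaced_boot_sectors": hits}
```

Run `scan()` over a real image read with `open(path, "rb").read()`; a hit at LBA 11 is exactly the sector whose loss Weideman describes, which is why the root directory entries of files 97 and up disappear while the file contents stay intact.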
Stoned Virus Overview:
- Name: Stoned (Aliases: Marijuana, Hemp, New Zealand)
- Type: Boot sector
- Affected: MS DOS OS
- Created: 1987
- Country of Origin: New Zealand (unconfirmed)
(4) Michelangelo – Detected 1991
Michelangelo is a virus that infects the MBR and formats hard disk sectors on the 6th of March every year. Although structurally resembling Stoned, Michelangelo successfully infects disks with more than 96 root-directory files.
Michelangelo triggers its malicious payload if the infected computer is booted on the 6th of March. It overwrites hard disk data with random characters – including the root directory and FAT. This combination renders the hard drive useless, making data and MBR recovery essentially impossible.
Michelangelo was heavily reported by the mainstream media. Some anti-virus companies and experts, such as John McAfee, predicted global computer outages on March 6, 1992, with some estimating damages of more than 50 million dollars. Ultimately, Michelangelo failed to have its predicted global impact. Researchers state that fewer than 20 000 computers were harmed by the Michelangelo virus worldwide, far less than the suggested millions.
Michelangelo Virus Overview:
- Name: Michelangelo (Aliases: March6)
- Type: Boot sector
- Affected: IBM PC
- First detected: 1991
- Country of Origin: Unknown, first detected in Australia
List of 14 Boot Sector Virus Names (1982-1997):
Here are 14 names of boot sector viruses which were created and first detected between 1982 and 1997:
- Elk Cloner (Created 1982)
- Brain (Created 1986)
- Stoned (Created 1987)
- Parity Boot virus (Detected 1980s)
- Denzuko (Detected 1988)
- Ping-Pong virus (aka Italian) (Detected 1988)
- Lamer Exterminator (Detected 1989)
- Michelangelo (Detected 1991)
- NoInt (Detected 1991)
- AntiCMOS (aka Lenart) (Detected 1994)
- Crazy_Boot (Detected 1995)
- AntiEXE (Detected 1995)
- Angelina (Detected 1995)
- Barrotes (aka Boot-347) (Detected 1997)
Can you list any more examples of boot sector viruses? Feel free to submit them in the comments section below.