
Thread: MBR Virus

  1. #1
    Join Date
    Jan 2002
    Location
    Annapolis Valley Nova Scotia
    Posts
    661

    MBR Virus

    I have Symantec Norton 2003 running on my PC / Through my scans [system scan] the results are zero for all except the MBR, where it shows 1 Infected. The activity log, which is part of the Norton 2003, authenticates the [1] in the MBR. This computer did receive a Galli type worm that is not repairable with Norton Symantec 2003, but it was at the time recognized and related that it could not repair.
    The PC as mentioned was reformatted etc. But this would not, I believe, eliminate an MBR virus as such. What would be the best avenue to eradicate the virus? Would a zero fill do it? Or is there some other easier way to terminate it? My latest anti-virus protection is pretty stable and is constantly running Live Updates, but it cannot eliminate this type of worm, which I looked up; it is an email mass-producing type that enters your system via HTML areas.

  2. #2
    Join Date
    Mar 2002
    Location
    west Lothian, Scotland.
    Posts
    13,153
    I don't know about your AV program, but AVG includes a floppy "Rescue Disk".

    This makes a copy of your MBR when the Rescue Disk is made and you can use this to re-build the Partition Sector, which eliminates any infection there.

    The AVG Rescue Disk is a special diskette where the most important parts of your computer’s boot up data will be saved. In this backup diskette, the contents of the Partition Table, Boot sectors and some other internal data will be saved.

  3. #3
    Join Date
    Jan 2002
    Location
    Annapolis Valley Nova Scotia
    Posts
    661

    Thank you

    Yes, my AV has the rescue facilities. But stupid me, I did not make a rescue disk before the V infected my MBR. So I think I will manually remove the V, rewrite the sector 0-0-7 / using a sector editor. I have nothing to lose / and if I fail to rewrite it to 0-0-1 from the above, I will try the search to see if it is Int 13h handler in both Wboot Viruses / hopefully there is a B1 07 /

  4. #4
    Join Date
    Oct 2001
    Location
    N of the S of Ireland
    Posts
    20,490
    You don't say which OS you are using since there are other ways of getting the mbr back depending on the OS and file system (The NT-oses can keep a copy in the middle or at the end of the partition).

    Write zeros to all of Sector 0 (except the last 66 bytes, which are the partition tables) if you desire. Then run fdisk /mbr (DOS-based oses) or fixmbr from the recovery console (NT-based oses). Fdisk /mbr rewrites the mbr (except for the partition tables - which it doesn't touch).

    Presumably there is no other drive overlay or drive compression in action. Presumably, too, all your partition boot sectors are clean as well.

    BTW
    Running fdisk /mbr on its own is an urban myth as a fix for boot sector viruses. See http://www.claws-and-paws.com/virus/faqs/acvfaq.2.shtml
    Last edited by Paul Komski; 11-14-2003 at 03:01 PM.
    Take nice care of yourselves - Paul - ♪ -
    Help to start using BiNG. Some stuff about Boot CDs & Data Recovery Basics & Back-up using Knoppix.
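
The sector 0 layout mentioned in the post above (boot code followed by a 66-byte tail), as an added example that is not part of the original thread: it validates a 512-byte copy of sector 0, zeroes the first 446 bytes and leaves the last 66 bytes (four 16-byte partition entries plus the 0x55AA signature) untouched. It works on an in-memory image only; the function names and the sample sector are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
KEEP_TAIL = 66                          # 4 x 16-byte entries + 2-byte signature
TABLE_OFFSET = SECTOR_SIZE - KEEP_TAIL  # 446: where the partition table starts


def parse_partition_table(sector):
    """Return the non-empty partition entries of a 512-byte sector 0 image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = raw[0], raw[4]
        lba_start, count = struct.unpack_from("<II", raw, 8)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"index": i, "active": status == 0x80,
                            "type": ptype, "lba_start": lba_start,
                            "sectors": count})
    return entries


def zero_boot_code(sector):
    """Zero bytes 0..445 and keep the last 66 bytes exactly as they were.

    Note: this also clears the 4-byte NT disk signature at offset 440,
    which lies inside the zeroed area.
    """
    parse_partition_table(sector)  # refuse to touch a malformed sector
    return bytes(TABLE_OFFSET) + sector[TABLE_OFFSET:]


def build_sample_sector():
    """Constructed sample: dummy boot code and one active FAT32 entry."""
    boot = bytes([0xEB, 0x3C]) + b"\x90" * (TABLE_OFFSET - 2)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0B,
                        b"\xfe\xff\xff", 63, 4192902)
    return boot + entry + bytes(48) + b"\x55\xaa"


if __name__ == "__main__":
    before = build_sample_sector()
    after = zero_boot_code(before)
    print(parse_partition_table(after))
    print("tail preserved:", after[TABLE_OFFSET:] == before[TABLE_OFFSET:])
```

Comparing the parsed table before and after the wipe confirms the partition layout survived before the boot code is rewritten with fdisk /mbr or fixmbr.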

  5. #5
    Join Date
    Nov 2000
    Location
    The Mountain State
    Posts
    23,134
    First, DO NOT attempt to make a rescue disk on that machine...it is infected and will pass that on to the floppy, and render it useless!!

    Second, if there is data on the drive that you wish to recover, follow Paul's advice. If there is nothing on it you want to save, then go ahead and zero fill the whole drive (preferably from a write-protected floppy or from a CD).

    I would also shut down and unplug the machine for several minutes before attempting to boot to whichever media you choose....also repeat the shutdown again after whichever method you choose. I, being a slightly paranoid type, would even take the drive, after the initial disinfection, from the machine, slave it to another drive, one kept for this purpose, and repeat the process.
    AV, Anti-Trojan List;Browser and Email client List;Popup Killer List;Portable Apps
    “When men yield up the privilege of thinking, the last shadow of liberty quits the horizon.” - Thomas Paine
    Remember: Amateurs built the ark; professionals built the Titantic."

  6. #6
    Join Date
    Jan 2002
    Location
    Annapolis Valley Nova Scotia
    Posts
    661

    All Right Success

    Thank you Paul
    I am running as a network on 4 PCs and the file systems vary from FAT32 on 3 and NTFS on 1 /
    I had success with eliminating the NTFS MBR virus /
    And took your suggestion on writing zeros to the sectors / it was all successful / fdisk is not 100% sure of removing an MBR virus.
    So I used zero fill and now have run a scan on all; nothing is showing as previously in the MBR. Thank you for your support.
