2.8 Removing a DOS Virus

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 2. DOS Computer Viruses


A good antivirus scanner will clean up the virus without harming your system. Just make sure you remember to cold boot with a known, write-protected, clean diskette first. If you have a good scanner available, use it first. When an antivirus program finds a virus, it will offer to disinfect the file or disk, if possible. If I don't trust the antivirus program to remove the virus without affecting the structure of the original host, I will make a copy of the host first and run the cleaning process on the copy. For example, many antivirus programs cannot remove a macro virus from a document without also removing any other legitimate macros that may be present. In some cases, removing the virus can make a small problem worse.

If you don't have a good antivirus program handy, here are some other hints:

1. Use FDISK /MBR to remove a master boot record (MBR) virus from a hard disk.

FDISK.EXE is a utility that logically partitions hard drives. If you have a virus that infects only the partition table, you can use FDISK to delete and recreate all DOS partitions. This effectively rewrites the partition table and overwrites the first few tracks of the hard drive. Unfortunately, it destroys all data on the hard disk, too. Most hard drive boot viruses infect the MBR or boot sector, and rewriting the partition table does not recreate the MBR. Any virus hiding out in the MBR would still be able to infect the newly formatted disk. This is why somebody who formatted his hard drive will rightly claim the virus lived through the reformat.

FDISK has an undocumented (well, it's been written about so many times now that it's hard to call it undocumented anymore) command line parameter, /MBR. Using this command, FDISK /MBR, will rewrite the MBR and remove an MBR virus from a hard disk. I've used it several times with great success. However, caution must be used and the exact type of virus identified ahead of time. FDISK /MBR rewrites the MBR boot code, but not the partition table. There are several viruses that manipulate the MBR and partition table in such a way that using FDISK /MBR will cause more damage, including Monkey, Music Bug, and Exebug.

Do not use FDISK /MBR if any of the following is true:

  • Any special drive utility (like Disk Manager or EZDrive) is used to access the disk.

  • The virus encrypts the MBR, partition table, or data.

  • The hard disk has more than four logical partitions.

  • The hard disk has dual-boot partitions.

  • The disk is dual-booted with NT.

Using FDISK /MBR will cause more problems than it solves if those situations exist.

To find out whether your infected hard disk is a candidate for the FDISK /MBR removal method, boot with a known clean, write-protected DOS boot diskette with FDISK.EXE on it. Check whether drive C: is accessible. If it isn't reachable or seems corrupted, then your MBR or partition table has been modified from the DOS original; don't use FDISK /MBR to remove the virus. If you can't use FDISK /MBR, try a program made exclusively to repair logical hard disk damage (e.g., Norton Disk Doctor™). Be sure to make an Undo diskette if prompted. After you've run FDISK /MBR, run SYS C: to rewrite the operating system boot sector of your hard drive and clean up any virus code hiding there.
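The distinction the book draws here, between the bootstrap code that FDISK /MBR rewrites and the partition table it leaves alone, is visible in the on-disk layout. The following Python is an added example, not code from the book, from FDISK, or from any antivirus product: it decodes a 512-byte MBR using the standard layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55 0xAA signature), applies the book's "is drive C: still reachable" rule as a sanity check on the partition table, and models a bootstrap-only rewrite to show that the table is carried through byte-for-byte. The sample MBRs, the placeholder bootstrap strings, and the function names are constructed for this example.

```python
from __future__ import annotations
import struct

# Standard PC MBR layout (real offsets; the sample data further down is constructed).
SECTOR_SIZE = 512
PTABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
ENTRY_SIZE = 16              # four 16-byte primary partition entries at 446..509
SIG_OFFSET = 510             # 0x55 0xAA boot signature at 510..511
SIGNATURE = b"\x55\xAA"
ACTIVE_FLAG = 0x80
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Decode the four primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PTABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def fdisk_mbr_candidate(mbr: bytes) -> bool:
    """The book's rule of thumb as a check on the partition table: a
    bootstrap-only rewrite is only safe while the table is still the readable
    DOS original. Rejects a missing signature, status bytes other than
    0x00/0x80, used entries with a zero start or length, empty slots holding
    stray bytes, and more than one active entry."""
    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != SIGNATURE:
        return False
    used = active = 0
    for e in parse_partition_table(mbr):
        if e["status"] not in (0x00, ACTIVE_FLAG):
            return False
        if e["type"] == 0:
            if e["status"] or e["lba_start"] or e["sectors"]:
                return False
            continue
        if e["lba_start"] == 0 or e["sectors"] == 0:
            return False
        used += 1
        active += e["status"] == ACTIVE_FLAG
    return used >= 1 and active <= 1


def rewrite_bootstrap(mbr: bytes, clean_code: bytes) -> bytes:
    """Model of what a bootstrap-only repair (FDISK /MBR style) touches:
    bytes 0..445 and the signature are replaced; the partition table is
    copied through unchanged."""
    if len(clean_code) > PTABLE_OFFSET:
        raise ValueError("bootstrap code must fit in 446 bytes")
    code = clean_code.ljust(PTABLE_OFFSET, b"\x00")
    return code + mbr[PTABLE_OFFSET:SIG_OFFSET] + SIGNATURE


def build_mbr(bootstrap: bytes, entries: list[tuple[int, int, int, int]]) -> bytes:
    """Assemble a constructed MBR from bootstrap bytes and up to four
    (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")
    return bootstrap.ljust(PTABLE_OFFSET, b"\x00") + table + SIGNATURE


# Constructed samples. The bootstrap bytes are placeholders, not real boot code.
INFECTED_BOOTSTRAP = b"\xEB\xFE" + b"INFECTED-BOOTSTRAP-PLACEHOLDER"
CLEAN_BOOTSTRAP = b"\xEB\xFE" + b"CLEAN-BOOTSTRAP-PLACEHOLDER"

# Case 1: a plain MBR-code infector. The table (one active FAT16 partition,
# type 0x06, starting at LBA 63) is untouched, so drive C: is still reachable.
BOOT_VIRUS_MBR = build_mbr(INFECTED_BOOTSTRAP, [(ACTIVE_FLAG, 0x06, 63, 2_000_000)])

# Case 2: the caveat from the list above. The partition-table bytes are no
# longer meaningful (an arbitrary byte run stands in for a scrambled table),
# so drive C: is unreachable and a bootstrap-only rewrite would not restore it.
SCRAMBLED_MBR = (INFECTED_BOOTSTRAP.ljust(PTABLE_OFFSET, b"\x00")
                 + bytes(range(0x20, 0x60)) + SIGNATURE)

if __name__ == "__main__":
    for name, mbr in (("boot-virus", BOOT_VIRUS_MBR), ("scrambled", SCRAMBLED_MBR)):
        print(name, "candidate for bootstrap-only repair:", fdisk_mbr_candidate(mbr))
    repaired = rewrite_bootstrap(BOOT_VIRUS_MBR, CLEAN_BOOTSTRAP)
    print("partition table preserved:",
          repaired[PTABLE_OFFSET:SIG_OFFSET] == BOOT_VIRUS_MBR[PTABLE_OFFSET:SIG_OFFSET])
```

The check is deliberately conservative: anything that does not look like an untouched four-entry DOS table fails it, which is the same posture as the book's advice to fall back to a disk-repair tool whenever drive C: is not cleanly reachable from a clean boot diskette.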

2. Use SYS A: to remove a boot sector virus from a floppy diskette.

The SYS.COM command will cleanly write a new DOS boot sector to a floppy diskette or hard drive and copy new DOS system files. This effectively removes any boot sector virus. You just have to make sure that the destination disk has enough room on it for the three system files (IO.SYS, MSDOS.SYS, and COMMAND.COM) that SYS.COM copies. If a diskette doesn't have enough room for the new system files but you need to keep the diskette, copy the data files to a temporary place, run SYS.COM on the floppy diskette, delete the new system files, and then copy the original files back. It's a pain, but it works.

3. The extreme: Reformat using FORMAT X: /U /S.

Reformatting your floppy or hard disk is an extreme way to get rid of a computer virus. In my career, I've never had to do it. However, some people don't feel safe unless their disks have been formatted to remove any trace of viral code. Unfortunately, formatting a disk means erasing all the good data as well. If you feel compelled to format an infected disk or diskette, make sure you use the /S parameter, which rewrites the boot sector, and the /U parameter, which makes sure that all the information in the boot sector, FAT, and root directory is overwritten. Note that FDISK's /MBR and FORMAT's /U parameters did not exist before MS-DOS 5.00. Performing a simple FORMAT or a Quick Format without the recommended parameters will not remove a boot sector virus. Further, if your virus is an MBR or partition table infector, then even reformatting the disk with the special parameters will not work; use FDISK or some other MBR repair program.

4. Use Symantec's Norton Disk Doctor™ to rebuild a damaged disk.

I've had a lot of luck using Norton's Disk Doctor (http://www.symantec.com) to repair infected disks and diskettes that antivirus companies couldn't repair. Each version of Norton gets smarter and smarter about repairing virus damage. Try to back up the infected disk first before repairing. In a few cases, the fixed disk will be corrupted worse than the infected version.

Symantec's Norton Disk Doctor comes with two of their suite products: Norton Utilities™ and Norton SystemWorks™.

5. Restore from a backup.

There are times when you cannot repair the damage or disinfect the file (e.g., when the virus overwrote the file). Delete the infected files and restore them from a backup. If you have a well-established and tested backup routine working, the ultimate threat of unrecoverable data damage is diminished. In some cases, I've even restored files from a backup that I knew were infected. They were infected, but in better shape than the files I was looking at after the virus payload went off. Have you backed up and tested your restore process lately?




ISBN: 156592682X
Year: 2001
Pages: 176