System Sector Viruses

System sectors (Master Boot Record and DOS Boot Record) are often targets for viruses. These boot viruses use all of the common viral techniques to infect and hide themselves. While mostly obtained from an infected disk left in the drive when the computer starts, they can also be "dropped" by some file infectors.

System sectors are special areas on your disk containing programs that are executed when you boot (start) your PC. Every disk (even if it only contains data) has a system sector of some sort. Sectors are simply small areas on your disk that your hardware reads in single chunks. Under DOS, sectors are most commonly 512 bytes in length. System sectors are invisible to normal programs but are vital for correct operation of your PC. They are a common target for viruses. There are two types of system sectors found on DOS PCs:

DOS Boot Sectors (DBS)
Partition Sectors (often called Master Boot Record or MBR)

System sector viruses modify the program in either the DOS boot sector or the Master Boot Record. Since there isn't much room in the system sector (only 512 bytes), these viruses usually have to hide their code somewhere else on the disk. These viruses sometimes cause problems when this spot already contains data that is then overwritten.

Some viruses, such as the Pakistani Brain virus, mark the spot where they hide their code as bad. This is one reason to be suspicious if CHKDSK suddenly reports additional bad sectors on your disk and you don't know why (don't panic; bad sectors occur frequently for a wide variety of reasons). These viruses usually go resident in memory on your PC and infect any floppy disk that you access. Simply doing a DIR on a floppy disk may cause it to be infected if one of these viruses is active in memory.

On Macintosh systems, some viruses will even infect a diskette immediately upon its insertion into the floppy drive. (PCs running under DOS do not access a disk automatically.)

Since these viruses are active in memory (resident), they can hide their presence. If Brain is active on your PC and you use a sector editor to look at the boot sector of an infected diskette, the virus will intercept the attempt to read the infected boot sector and instead return a saved image of the original boot sector. You will see the normal boot sector instead of the infected version. Viruses that do this are known as stealth viruses.
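An integrity check for the two system sectors described above, as an added example that is not part of the original page: it hashes the MBR and each partition's DOS boot sector from a raw disk image and reports which ones differ from a saved baseline. The image built by `build_sample_image` is constructed, and because a resident stealth virus returns the saved original sector, the image is assumed to have been read after booting from known-clean media.

```python
import hashlib
import struct

SECTOR = 512  # sector size the page gives for DOS disks

def read_sector(image: bytes, lba: int) -> bytes:
    data = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(data) != SECTOR:
        raise ValueError(f"sector {lba} is outside the image")
    return data

def system_sectors(image: bytes, partitioned: bool = True) -> dict:
    """Return {name: bytes} for the MBR and each partition's DOS boot sector."""
    first = read_sector(image, 0)
    if not partitioned:               # floppy: sector 0 is the DOS boot sector
        return {"DBS": first}
    found = {"MBR": first}
    if first[510:512] != b"\x55\xaa":  # no boot signature, table not trustworthy
        return found
    for i in range(4):                # four 16-byte partition entries at offset 446
        entry = first[446 + 16 * i:446 + 16 * (i + 1)]
        lba_start = struct.unpack_from("<I", entry, 8)[0]
        if entry[4] != 0 and lba_start != 0:   # entry[4] is the partition type
            found[f"DBS{i}"] = read_sector(image, lba_start)
    return found

def fingerprint(image: bytes, partitioned: bool = True) -> dict:
    sectors = system_sectors(image, partitioned)
    return {name: hashlib.sha256(data).hexdigest() for name, data in sectors.items()}

def changed(baseline: dict, image: bytes, partitioned: bool = True) -> list:
    """Names of system sectors that were added, removed or modified."""
    now = fingerprint(image, partitioned)
    return sorted(n for n in set(baseline) | set(now) if baseline.get(n) != now.get(n))

def build_sample_image() -> bytes:
    """Constructed 4-sector image: MBR at LBA 0, partition boot sector at LBA 2."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x01, b"\0\0\0", 2, 2)
    mbr[510:512] = b"\x55\xaa"
    dbs = bytearray(SECTOR)
    dbs[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR) + bytes(dbs) + bytes(SECTOR)

if __name__ == "__main__":
    baseline = fingerprint(build_sample_image())
    tampered = bytearray(build_sample_image())
    tampered[0x10] ^= 0xFF            # simulate a modified MBR program
    print(changed(baseline, bytes(tampered)))
```

Store the baseline on separate write-protected media so it cannot be altered along with the sectors it describes.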

In addition to infecting diskettes, some system sector viruses spread by also infecting files. Viruses of this type are called multipartite (multiple part) viruses. Since they can infect both files and system sectors they have more avenues to spread and are more difficult to remove. (Note: Some file viruses also infect system sectors to complete the circle.)


System sectors (MBR and DBS) are often targets for viruses.

Even data disks can be infected by these viruses.

System sector viruses spread easily via floppy disk infections and, in some cases, by cross infecting files which then drop system sector viruses when run on clean computers.