76 I was infected by both Stoned and Michelangelo. Why has my computer become unbootable? And why, each time I run my favorite scanner, does it find one of the viruses and say that it is removed, but when I run it again, it says that the virus is still there?




This article is from the Computer Viruses FAQ, by Nick FitzGerald n.fitzgerald@csc.canterbury.ac.nz with numerous contributions by others.

These two viruses store the original Master Boot Record at one and the
same place on the hard disk. They do not recognize each other, and
therefore a computer can become infected with both of them at the same
time.

The first of these viruses that infects the computer will overwrite the
Master Boot Record with its body and store the original MBR at a certain
place on the disk. So far, this is normal for a boot-record virus. But
if now the other virus infects the computer too, it will replace the MBR
(which now contains the virus that has come first) with its own body,
and store what it believes is the original MBR (but in fact is the body
of the first virus) *at the same place* on the hard disk, thus
*overwriting* the original MBR. When this happens, the contents of the
original MBR are lost. Therefore the disk becomes non-bootable.

When a virus removal program inspects such a hard disk, it will see the
*second* virus in the MBR and will try to remove it by overwriting it
with the contents of the sector where this virus normally stores the
original MBR. However, now this sector contains the body of the *first*
virus. Therefore, the virus removal program will install the first
virus in trying to remove the second. In all probability it will not
wipe out the sector where the (infected) MBR has been stored.

When the program is run again, it will find the *first* virus in the
MBR. By trying to remove it, the program will get the contents of the
sector where this virus normally stores the original MBR, and will move
it over the current (infected) MBR. Unfortunately, this sector still
contains the body of the *first* virus. Therefore, the body of this
virus will be re-installed over the MBR ad infinitum.

There is no easy solution to this problem, since the contents of the
original MBR are lost. The only solution for the antivirus program is
to detect that there is a problem, and to overwrite the contents of the
MBR with a valid MBR program, which the antivirus program has to provide
itself. If your favorite antivirus program is not that smart, consider
replacing it with a better one, or try using the boot sector
disinfection procedure described elsewhere (see C3).

In general, infection of the same file or area by multiple viruses is
possible, and vital areas of the original may be lost. This can make it
difficult or impossible for virus disinfection tools to be effective,
and replacement of the lost file/area will be necessary.
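
The sequence described above, as an added Python model that is not part of the original FAQ. Sectors are plain labels rather than disk data, and the names save_slot, naive_remove, careful_remove and GENERIC_MBR are assumptions made for illustration.

```python
# Added toy model: every "sector" is just a label, no real disk data or virus code.
KNOWN_VIRUSES = {"STONED", "MICHELANGELO"}
GENERIC_MBR = "GENERIC_MBR"  # stands in for the valid MBR program the tool supplies

def new_disk():
    # save_slot = the one place both viruses use to keep "the original MBR"
    return {"mbr": "ORIGINAL_MBR", "save_slot": "UNUSED"}

def infect(disk, virus):
    # Behaviour described in the text: save whatever is in the MBR, then take it over.
    disk["save_slot"] = disk["mbr"]
    disk["mbr"] = virus

def scan(disk):
    return disk["mbr"] if disk["mbr"] in KNOWN_VIRUSES else None

def naive_remove(disk):
    # Trusts the save slot and copies it back over the MBR; leaves the slot untouched.
    found = scan(disk)
    if found:
        disk["mbr"] = disk["save_slot"]
    return found

def careful_remove(disk):
    # Checks what the save slot really holds before restoring it.
    found = scan(disk)
    if found:
        saved = disk["save_slot"]
        disk["mbr"] = GENERIC_MBR if saved in KNOWN_VIRUSES else saved
        disk["save_slot"] = "UNUSED"  # do not leave a virus body behind
    return found

def double_infected():
    disk = new_disk()
    infect(disk, "STONED")
    infect(disk, "MICHELANGELO")
    return disk

def naive_reports(passes=4):
    disk = double_infected()
    return [naive_remove(disk) for _ in range(passes)], disk

if __name__ == "__main__":
    reports, disk = naive_reports()
    print("naive scanner reports:", reports, "->", disk)
    disk = double_infected()
    careful_remove(disk)
    print("careful tool leaves:", disk, "rescan:", scan(disk))
```

The naive tool reports the second virus once and the first virus on every later pass, while the careful one falls back to its own MBR because the saved sector no longer holds the original.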

 
