Capturing Boot Sector, File-Infecting, And Macro Viruses - McAfee VIRUSSCAN 5.1 User Manual

Capturing boot sector, file-infecting, and macro viruses

If you suspect you have a virus infection, you can collect a sample of the virus,
then either create a floppy disk image to send via e-mail, or mail the floppy
disk itself to McAfee VirusScan anti-virus researchers. The researchers would
also benefit from having samples of your current system files on a separate
floppy disk.
Capturing boot-sector infections
Boot-sector viruses frequently hide in areas of your hard disk or floppy disks
that you ordinarily cannot see or read. You can, however, capture a sample of
a boot-sector virus by deliberately infecting a floppy disk with it.
To do so, follow these steps:
1. Insert a new, unformatted floppy disk into your floppy drive.
2. Click Start in the Windows taskbar, point to Programs, then choose
3. Type this line at the command prompt:
4. Insert a new, formatted floppy disk into your floppy drive.
5. Copy your current system files to that disk. For most DOS versions, those
6. Label the diskette "Contains infected files," then set it aside.
MS-DOS Prompt if your computer runs Windows 95 or Windows 98, or
Command Prompt if your computer runs Windows NT Workstation
v4.0 or Windows 2000 Professional.
format a: /s
If your system hangs as it tries to format the disk, remove the disk from
your floppy drive. Next, label the disk "Damaged during infected format
as boot disk," then set it aside.
files will include:
• IO.SYS
• MSDOS.SYS
• COMMAND.COM
For Windows systems, copy these files to the same preformatted disk:
• GDI.EXE
• KRNL286.EXE or KRNL386.EXE
• PROGMAN.EXE
Removing Infections From Your System
User's Guide 75