1. Field of the Invention
Aspects of the present invention relate to protection of a master boot record from computer viruses, and more particularly, to an apparatus for and a method of determining whether a master boot record stored in an alternate position is infected with a virus, and if infected, restoring the master boot record.
2. Description of the Related Art
Processes of a computer system begin to be executed once the computer is powered on. There are mainly two processes: Power-On Self-Test (POST) and Booting. The POST process is the diagnostic testing sequence that a computer's basic input/output system (BIOS) runs to determine if the computer keyboard, random access memory (RAM), disk drives, and other hardware are working correctly. The BIOS determines whether the system is initialized normally through the POST process. If the necessary hardware is detected and found to be operating properly, the computer begins to boot. If the hardware is not detected or is found not to be operating properly, the BIOS issues an error message on a display screen and a series of electronic beeps. An error found in the POST is usually fatal and will halt the booting process.
As the computer proceeds to the booting process, the computer reads out data stored in a master boot record (MBR) to begin the booting process. In the past, the MBR was stored in the first sector (sector 1) of a hard disk or diskette. The MBR is the information that identifies where an operating system is located in order to allow the operating system to be loaded into the computer's main storage. The MBR is also sometimes called a “partition sector” or a “master partition table” because the MBR includes information about the location of each partition of the hard disk. In addition, the MBR also includes a program that reads the boot sector record of the partition containing the operating system to be loaded into RAM. In turn, that record contains a program that loads the rest of the operating system into RAM.
However, cases where the MBR is not stored in the first sector of the hard disk or diskette have gradually increased. In some systems, the MBR is now located in spaces other than sector 1, and only the partition table is located in sector 1, whereby the system can execute other processes, excluding a proper booting process. The partition table can be located either in sector 1 or an alternate location.
For example, as check processes required to drive a computer are increasing, the computer maker (or vendor) independently sets the check processes or proper processes that should be executed before booting the computer, stores such processes in sector 1, and stores the MBR in a different sector. In addition, the user who purchases the computer can change the locations of the stored processes and MBR.
FIG. 1 illustrates a conventional MBR stored in a sector different from sector 1. A hard disk 310 is divided into sectors. Other data is stored in the first sector (sector 1). This other data may include items to be checked or processes to be set before booting. As shown in FIG. 1, the MBR is stored in sector 8 in order to execute the booting. Data stored in sector 1 is code to execute functions set previously by the computer maker before booting, and the code stored in sector 1 may be different for each computer manufacturer. That is, data to execute predetermined functions set by the computer manufacturer may be stored. After the manufacturer-specific functions are carried out, booting is executed by reading out the MBR. Initially, the computer reads out the first sector of the hard disk or diskette, in which data required for initialization of the system can be stored. In the past, the MBR was stored in sector 1. More recently, however, sector 1 stores data for other processes necessary for initialization, together with information on the sector where the MBR is stored. As a result, the system jumps to the MBR-stored sector and executes the booting after initialization.
FIG. 2 illustrates a configuration of an MBR code. The MBR code searches for an active partition table, among partition tables, and jumps to a first portion of the concerned partition. Then, the central processing unit (CPU) executes functions by executing the code at the first portion of the concerned partition.
Conventional antivirus programs check the first sector in order to determine whether the computer is infected with a boot virus. If any virus-like code is found to exist in the first sector, the virus is treated. Accordingly, in the conventional system, it is sufficient to check if the MBR in the first sector has been modified since the MBR was stored. However, if the MBR resides in a different sector, a virus existing in the sector where the MBR is located may not be checked and treated since only the first sector is checked. Thus, when the MBR is stored in another sector, it may not be possible to find and remove the virus.
FIG. 3 illustrates checking and treating viruses according to a conventional method. First, the code of sector 1 is inspected at operation S1. When the code is MBR code, a virus check is conducted on the MBR code at operation S3. When the code is not MBR code, the virus check is terminated at operation S2. If a virus is found in the MBR code at operation S5, the virus is removed at operation S6. When there is no virus, the check is finished at operation S5. U.S. Patent Application Publication (USPAP) 2002-0166059 discloses a method whereby an MBR is stored in a storage medium in order to protect boot sectors from a virus. A value of the MBR stored in the storage medium is compared with an MBR stored in a mass storage device, and when an error is detected, the MBR of the mass storage device is restored to the MBR of the storage medium. However, the method disclosed in USPAP 2002-0166059 is not directed to checking the MBR in a different position, and thus cannot detect a virus in the MBR when the MBR is in a different position.
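The gap in the FIG. 3 flow can be reproduced on a constructed disk image laid out as in FIG. 1 (vendor code in sector 1, MBR in sector 8). This is an added illustration, not code from the patent: the function names, the SHA-256 baseline used in place of a virus scan, and the scan over the leading sectors in `located_check` are all assumptions.

```python
import hashlib
import struct

SECTOR = 512

def read_sector(image, n):
    """Return sector n, counting from 1 as the text does."""
    return image[(n - 1) * SECTOR:n * SECTOR]

def active_partition(sector):
    """(entry index, start LBA) if the sector is MBR-shaped, else None."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    entries = [sector[446 + 16 * i:462 + 16 * i] for i in range(4)]
    active = [i for i, e in enumerate(entries) if e[0] == 0x80]
    if len(active) != 1 or any(e[0] not in (0x00, 0x80) for e in entries):
        return None
    return active[0], struct.unpack_from("<I", entries[active[0]], 8)[0]

def boot_code_digest(sector):
    """SHA-256 of the 446-byte boot code area (stand-in for a virus scan)."""
    return hashlib.sha256(sector[:446]).hexdigest()

def conventional_check(image, baseline):
    """FIG. 3 flow: only sector 1 is inspected."""
    first = read_sector(image, 1)
    if active_partition(first) is None:
        return "terminated"          # operation S2: not MBR code
    return "clean" if boot_code_digest(first) == baseline else "modified"

def located_check(image, baseline, max_sector=63):
    """Assumed alternative: find the MBR among the leading sectors first."""
    for n in range(1, max_sector + 1):
        sector = read_sector(image, n)
        if active_partition(sector) is not None:
            ok = boot_code_digest(sector) == baseline
            return n, "clean" if ok else "modified"
    return None, "no MBR found"

def build_image(boot_code, mbr_sector=8, total=16):
    """Constructed sample disk: vendor code in sector 1, MBR in sector 8."""
    vendor = b"\x90" * 446 + b"\x00" * 64 + b"\x55\xaa"
    entry = b"\x80" + b"\x00" * 3 + b"\x83" + b"\x00" * 3 + struct.pack("<II", 2048, 204800)
    mbr = boot_code.ljust(446, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"
    image = bytearray(total * SECTOR)
    image[0:SECTOR] = vendor
    image[(mbr_sector - 1) * SECTOR:mbr_sector * SECTOR] = mbr
    return bytes(image)
```

With a baseline taken from a known-good image, `conventional_check` returns "terminated" for an image whose sector 8 boot code has changed, while `located_check` reports sector 8 as modified.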
Accordingly, a method for detecting and removing a virus from the boot sector of a computer whose MBR is not in the first sector is needed.