Saturday, August 28, 2021

Recover boot sector from floppy disks with Parity Boot Virus

I recently found some old floppies, back from the times when I was young, was using Microsoft DOS and didn’t have any real clue about computers. As a result, almost all of my floppy disks were infected with the Parity Boot Virus.

The Parity Boot Virus had the habit of overwriting the complete boot sector, i.e. the first sector of the floppy disk (if it wasn’t write protected at least). BUT it was also fair enough to create a backup copy of the boot sector and - on 3.5″ floppy disks - put it into sector 32. See the Parity Boot Virus page on the Malware Wiki for more information.

25 years later I wanted to mount one of my floppy disk images I had backed up back then on my Linux machine and was surprised to see a lot of garbage files like |úI|ë?K|.╕ - certainly not a valid file name. It turned out that sector 32 is the last sector to contain the root directory¹. And it also turned out that Linux reads all clusters and scans them for directory entries, while Windows seems to stop earlier, probably as soon as it encounters an empty file entry.

So how can you restore the original boot sector and get a clean root directory again? Simple, just call

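# copy the backup in sector 32 (0-based index 31) over the boot sector (sector 1, index 0)
dd if=myfloppy of=myfloppy bs=512 count=1 skip=31 seek=0 conv=notrunc
# zero sector 32 so the root directory no longer contains garbage entries
dd if=/dev/zero of=myfloppy bs=512 count=1 seek=31 conv=notrunc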

myfloppy can either be a physical floppy drive (e.g. /dev/fd0) or the file name of an image.

Please just make sure that sector 32 really does contain a valid boot sector - you can view the disk’s contents with hexdump -C myfloppy and check the contents between 00003e00 and 00004000. It should at least contain the label and the file system (e.g. NO NAME FAT12) in lines 3 and 4.
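
The check and the restore combined into one script, as an added example that is not part of the original post. It assumes an image file (not the physical drive), 512-byte sectors and a DOS boot sector that carries the file system string at offset 54; the function names are made up here.

```shell
#!/bin/sh
# Added example: only restore the boot sector if sector 32 really holds one.
# Usage (assumed): . ./restore.sh && restore_boot_sector myfloppy.img

# Print N bytes at byte offset OFF of FILE as lowercase hex without spaces.
hex_at() {  # hex_at FILE OFF N
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Succeed if the 512-byte sector with 0-based index SECTOR looks like a
# FAT12 boot sector.
looks_like_boot_sector() {  # looks_like_boot_sector FILE SECTOR
    base=$(( $2 * 512 ))
    # boot signature 0x55 0xAA in the last two bytes of the sector
    [ "$(hex_at "$1" $((base + 510)) 2)" = "55aa" ] || return 1
    # bytes per sector at offset 11, little endian: 512 = 00 02
    [ "$(hex_at "$1" $((base + 11)) 2)" = "0002" ] || return 1
    # file system type at offset 54 starts with "FAT12"
    [ "$(hex_at "$1" $((base + 54)) 5)" = "4641543132" ] || return 1
}

# Verify the backup copy, keep an untouched copy of the image, then run
# the two dd steps from above.
restore_boot_sector() {  # restore_boot_sector IMAGE
    img=$1
    looks_like_boot_sector "$img" 31 || {
        echo "sector 32 of $img is not a boot sector, nothing changed" >&2
        return 1
    }
    cp -p "$img" "$img.bak" || return 1
    dd if="$img" of="$img" bs=512 count=1 skip=31 seek=0 conv=notrunc 2>/dev/null &&
    dd if=/dev/zero of="$img" bs=512 count=1 seek=31 conv=notrunc 2>/dev/null
}
```

If the check fails, the image is left untouched and no .bak file is written.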

¹ usually, on a 3.5″ HD floppy disk at least - see this website for an excellent disassembly of the FAT12 file system (German) and this Wikipedia article about the actual default sector size for the directory on a given floppy type if you want to know more.