This boot sector virus from Switzerland makes noises, like the Music Bug virus, and infects the DOS Boot Sectors of diskettes and hard disks, but there the similarity ends.
When the Form virus is executed, it reserves 2 kilobytes at the top of RAM and reads the second half of itself from disk. The virus does not retry the read operation if it gets a read error, but simply hangs the machine. This means that booting from an infected floppy may often result in the machine hanging, because a timeout error is somewhat likely at this point. The virus will then read the original boot sector and attempt to infect the hard disk.
The Form virus reads the Partition Table and locates the active DOS partition. It will then read the DOS Boot Sector of that partition and check whether it is already infected or whether the sector size is something other than 512 bytes. If it is a 512 byte sector, the original DOS Boot sector is written to the last sector of the partition and the second half of the virus is stored in the preceding sector. Finally the virus overwrites the first sector of the partition (i.e. the location of the original DOS Boot sector) with the first half of itself. As the sectors used by the virus are not allocated by the virus they have a chance of being overwritten, but this will only happen if the partition fills up completely.
After having infected the hard disk the virus hooks Int 13h, but if the current date is the 24th of any month, the virus also hooks Int 09h -- the keyboard interrupt. The new Int 09h handler produces a click whenever a key is pressed -- a harmless, but annoying effect.
The Form virus only intercepts requests to read from Track 0 on drives A: and B: -- in all other cases control is simply passed directly to the original Int 13h handler. This will generally result in the infection of diskettes the first time that they are accessed.
Diskettes are infected in standard fashion. The virus attempts to infect all densities of diskettes as long as the sector size is a standard 512 bytes. As in the case of hard disk infections the virus starts by verifying that the sector size is 512 bytes and that the boot sector is not already infected. It then proceeds to locate an unused cluster, marking it as 'bad' in the FAT and moving the original boot sector there, as well as the second half of the virus code.
This is all quite ordinary boot sector virus activity -- indeed there is very little remarkable about the Form virus, except maybe the following text message which it contains:
The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! Fuckings go to Corinne.
The simplest way to disinfect diskettes is to boot from a clean write-protected system diskette, transfer data or executables using the DOS COPY command and then format the diskette. It is essential that this process is done in a clean DOS environment. Do not use DISKCOPY as this is an image copier and will copy the infected diskette exactly and in its entirety -- including the virus in logical sector 0 of the diskette.
The Form virus can be removed from the active hard disk partition using a method similar to that used to remove Music Bug -- simply by locating the original boot sector and writing it back to its original location.
The FAT might need slight fixing to recover the lost clusters, but that is not strictly necessary and should only be done with virus removal tools which recognise the Form virus.
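The hard disk layout described above can be checked read-only against a raw disk image before any sector is written back. The following Python sketch is an added example, not code from Virus Bulletin; it assumes the partition's last sector is at start + count - 1 as given by the partition table entry, that the quoted text message is stored unencoded in one of the two virus sectors, and it runs on a constructed sample image containing inert placeholder bytes only.

```python
import struct

SECTOR = 512
MARKER = b"The FORM-Virus sends greetings"  # text quoted in the article

def active_partition(mbr):
    """Return (start_lba, sector_count) of the active partition entry, or None."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return None
    for off in range(446, 510, 16):
        if mbr[off] == 0x80:  # boot indicator: active
            return struct.unpack_from("<II", mbr, off + 8)
    return None

def is_dos_boot_sector(sec):
    """Jump opcode, 512 bytes/sector in the BPB, and the 55 AA signature."""
    return (len(sec) == SECTOR and sec[0] in (0xEB, 0xE9)
            and struct.unpack_from("<H", sec, 11)[0] == SECTOR
            and sec[510:512] == b"\x55\xaa")

def check_image(image):
    """Read-only check of a raw disk image for the layout described above."""
    part = active_partition(image[:SECTOR])
    if part is None or part[1] < 3:
        return None
    start, count = part
    last = start + count - 1  # assumption: "last sector of the partition"
    read = lambda lba: image[lba * SECTOR:(lba + 1) * SECTOR]
    marker = MARKER in read(start) or MARKER in read(last - 1)
    backup = is_dos_boot_sector(read(last))
    # A boot-sector-like last sector alone is not conclusive; require the marker too.
    return {"boot_lba": start, "backup_lba": last, "marker_found": marker,
            "backup_looks_valid": backup, "suspect": marker and backup}

def build_sample(infected):
    """Constructed test image: MBR plus a 16-sector active partition at LBA 1."""
    boot = bytearray(SECTOR)
    boot[0:3], boot[510:512] = b"\xeb\x3c\x90", b"\x55\xaa"
    struct.pack_into("<H", boot, 11, SECTOR)
    mbr = bytearray(SECTOR)
    mbr[446], mbr[510:512] = 0x80, b"\x55\xaa"
    struct.pack_into("<II", mbr, 454, 1, 16)
    img = bytearray(SECTOR * 17)
    img[0:SECTOR], img[SECTOR:2 * SECTOR] = mbr, boot
    if infected:  # inert placeholder bytes only, no virus code
        img[SECTOR:2 * SECTOR] = bytes(SECTOR)
        img[15 * SECTOR:16 * SECTOR] = MARKER.ljust(SECTOR, b"\x00")
        img[16 * SECTOR:17 * SECTOR] = boot
    return bytes(img)
```

When `suspect` is true, `backup_lba` is the sector to inspect as the candidate original boot sector; the check itself never modifies the image.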
For any boot sector virus to spread and do damage it must first be executed. A machine will only become infected if you boot from an infected diskette. Remind all PC users never to leave diskettes in drives for longer than necessary.
ROM start-up code always tries to boot from the diskette drive in preference to the hard drive and if an infected diskette is present, the virus will be read into memory.
Virus Bulletin: Form / webmaster@virusbtn.com | © 1998 Virus Bulletin Ltd. |