FORM-Virus Virus


 Virus Name:  FORM-Virus 
 Aliases:     Form, Form Boot, FORM-18 
 V Status:    Common 
 Discovered:  June 1990 
 Symptoms:    BSC; clicking noise from system speaker 
 Origin:      Switzerland 
 Eff Length:  N/A 
 Type Code:   BR - Resident Boot Sector Infector 
 Detection Method:  ViruScan, F-Prot, NAV, Sweep, AVTK, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV 
 Removal Instructions:  MDisk, NAV, or DOS SYS command 
 
 General Comments: 
       The FORM-Virus, or Form Boot, is a memory resident infector of 
       floppy and hard disk boot sectors.  It was originally isolated in 
       Switzerland. 
 
       When a system is first booted with a diskette infected with the 
       FORM-Virus, the virus will infect system memory as well as seek out 
       and infect the system's hard disk.  The floppy boot may or may not 
       be successful, on the author's test system, a boot from floppy 
       diskette infected with FORM-Virus never succeeded, instead the system 
       would hang.  It should be noted that the virus was received by the 
       author of this document as a binary file, and it may have been 
       damaged in some way. 
 
       The following text message is contained in the FORM-Virus 
       binary code as received by the author of this document: 
 
            "The FORM-Virus sends greetings to everyone who's reading 
             this text.FORM doesn't destroy data! Don't panic! Fuckings 
             go to Corinne." 
 
       These messages, however, may not appear in all cases.  For example, 
       I did not find these messages anywhere on a hard disk infected with 
       Form Boot. 
 
       Systems infected with the FORM-Virus in memory may notice that a 
       clicking noise may be emitted from the system speaker on the 24th 
       day of any month. 
 
       This virus can be removed with the same technique as used with many 
       boot sector infectors.  First, power off the system and then boot 
       from a known clean write-protected boot diskette.  The DOS SYS 
       command can then be used to recreate the boot sector.  Alternately, 
       MDisk from McAfee Associates may be used to recreate the boot sector. 
 
       Known variant(s) of the FORM-Virus are: 
       Form II: Based on FORM-18, this variant was submitted in May 
                1992 from an unknown origin.  It is functionally equivalent 
                to FORM-18, though altered to avoid detection by most anti- 
                viral utilities. 
                Origin:  Unknown  May, 1992. 
       FORM-18: Similar to the FORM-Virus, FORM-18 activates on the 18th 
                day of the month, at which time clicking will be heard from 
                the system speaker on systems which have a system clock and 
                CMOS.  Systems without a system clock will most likely not 
                have the clicking occur. 
       FORM-Canada: Similar to the FORM-18 variant, this variant is 
                a minor alteration.  On diskettes, it locates the 
                remainder of the viral code and original boot sector in 
                the first two available, unused sectors on the diskette, 
                marking them as bad sectors. 
                Origin:  Canada  August, 1992. 
       Form.C: Received in February, 1998, this is another minor 
                variant of the FORM-Virus.  It contains the same text 
                as the original virus. 
                Origin:  Unknown  February, 1998.

Show viruses from discovered during that infect .

Main Page