Virus Name: Exebug
Aliases: Swiss Boot
V Status: Common
Discovered: October, 1992
Symptoms: BSC; Master boot sector corruption; decrease in total system
& available free memory; inability to access drive C: after
Eff Length: N/A
Type Code: BRtX - Resident Boot Sector & Master Boot Sector Infector
Detection Method: ViruScan, AVTK, IBMAV, F-Prot, Sweep, NAV,
NAVDX, VAlert, PCScan, ChAV
Removal Instructions: Norton Disk Doctor on Hard disk

The Exebug, or Swiss Boot, virus was submitted in October, 1992.
It is believed to be from Switzerland, though it has also been
reported from Australia. Exebug is a memory resident
infector of diskette boot sectors and the hard disk master boot
sector (partition table). It uses stealth techniques to avoid
detection on both the system hard disk and diskettes.

The first time the system is booted from an Exebug infected diskette,
the Exebug virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary, lowering the memory
size returned by interrupt 12. Total system and available free memory
will have decreased by 1,024 bytes. Also at this time, the virus will
infect the system hard disk's master boot sector. The original master
boot sector will be moved to the last sector of Side 0, Cylinder 0 of
the hard disk. The virus then overwrites Side 0, Cylinder 0, Sector 1,
which was the original location of the master boot sector.

Once the Exebug virus is memory resident, it will infect diskette
boot sectors on non-write protected diskettes when the diskette
is accessed for any reason. On 360K 5.25" diskettes, the original
boot sector will be moved to Side 0, Track 40, Sector 1. On 1.2M
5.25" diskettes, the original boot sector will be moved to Side 0,
Track 80, Sector 1.

The Exebug virus uses stealth techniques to avoid detection by
anti-viral software. When a program attempts to access either the
hard disk master boot sector or a diskette boot sector with the virus
memory resident, the virus will present the user with the original
uninfected master boot sector or boot sector.

When the system hard disk is infected with Exebug, attempts to
access the drive after booting from a write-protected, uninfected
DOS system diskette will result in the drive being inaccessible.
The user will receive the message "Invalid drive specification" due
to the virus having overwritten the last 2 bytes of the original
master boot sector location. Norton Disk Doctor can successfully
resolve this problem, rendering the hard disk accessible again.
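
The layout described above can be checked on a raw copy of Side 0, Cylinder 0 taken after booting from clean, write-protected media, so the stealth handler is not resident. The following is an added example, not part of the original entry or of any listed scanner; the 17-sector track, the function names and both sample images are constructed assumptions, and the 55 AA signature is the standard value found in the last 2 bytes of a master boot sector.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"   # standard signature in bytes 510-511 of a master boot sector

def track0_sector(image, n):
    """Sector n (1-based) of Side 0, Cylinder 0 from a raw image of that track."""
    return image[(n - 1) * SECTOR:n * SECTOR]

def has_signature(sec):
    return len(sec) == SECTOR and sec[510:512] == BOOT_SIG

def partitions(sec):
    """Non-empty entries of the four-slot partition table at offset 446."""
    found = []
    for i in range(4):
        entry = sec[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:                       # byte 4 = partition type
            found.append((entry[0], entry[4], start, count))
    return found

def check_track0(image, sectors_per_track):
    """Report the two on-disk traces the entry describes."""
    first = track0_sector(image, 1)
    last = track0_sector(image, sectors_per_track)
    findings = []
    if not has_signature(first):
        findings.append("sector 1: boot signature missing")
    if has_signature(last) and partitions(last):
        findings.append("last sector of track 0: holds a partition table")
    return findings

def sample_mbr():
    """Constructed master boot sector: one active partition, no boot code."""
    sec = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", sec, 446, 0x80, 0x06, 17, 40000)
    sec[510:512] = BOOT_SIG
    return bytes(sec)

SPT = 17                                        # assumed sectors per track
# Constructed images: a normal track, and one with the master boot sector
# relocated to the last sector and sector 1 left without a signature.
CLEAN = sample_mbr() + bytes(SECTOR * (SPT - 1))
RELOCATED = bytes(SECTOR * (SPT - 1)) + sample_mbr()

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("relocated", RELOCATED)):
        print(name, check_track0(img, SPT))
```

Both findings together match the description; either one alone can have other causes, such as a damaged sector or a disk manager that stores data in track 0.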