Exebug Virus


 Virus Name:  Exebug 
 Aliases:     Swiss Boot 
 V Status:    Common 
 Discovered:  October, 1992 
 Symptoms:    BSC; Master boot sector corruption; decrease in total system 
              & available free memory; inability to access drive C: after 
              diskette boot 
 Origin:      Switzerland 
 Eff Length:  N/A 
 Type Code:   BRtX - Resident Boot Sector & Master Boot Sector Infector 
 Detection Method:  ViruScan, AVTK, IBMAV, F-Prot, Sweep, NAV, 
                    NAVDX, VAlert, PCScan, ChAV 
 Removal Instructions:  Norton Disk Doctor on Hard disk 
 
 General Comments: 
       The Exebug, or Swiss Boot, virus was submitted in October, 1992. 
       It is believed to be from Switzerland, though it has also been 
       reported from Australia as well.  Exebug is a memory resident 
       infector of diskette boot sectors and the hard disk master boot 
       sector (partition table).  It uses stealth techniques to avoid 
       detection on both the system hard disk and diskettes. 
 
       The first time the system is booted from an Exebug infected diskette, 
       the Exebug virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary, moving interrupt 12's 
       return.  Total system and available free memory will have decreased 
       by 1,024 bytes.  Also at this time, the virus will infect the 
       system hard disk's master boot sector.  The original master boot 
       sector will be moved to the last sector of Side 0, Cylinder 0 of the 
       hard disk.  The virus then overwrites Side 0, Cylinder 0, Sector 1 
       which was the original location of the master boot sector. 
 
       Once the Exebug virus is memory resident, it will infect diskette 
       boot sectors on non-write protected diskettes when the diskette 
       is accessed for any reason.  On 360K 5.25" diskettes, the original 
       boot sector will be moved to Side 0, Track 40, Sector 1.  On 1.2M 
       5.25" diskettes, the original boot sector will be moved to Side 0, 
       Track 80, Sector 1. 
 
       The Exebug virus uses stealth techniques to avoid detection by 
       anti-viral software.  When a program attempts to access either the 
       hard disk master boot sector or a diskette boot sector with the virus 
       memory resident, the virus will present the user with the original 
       uninfected master boot sector or boot sector. 
 
       When the system hard disk is infected with Exebug, attempts to 
       access the drive after booting from a write-protected, uninfected 
       DOS system diskette will result in the drive being inaccessible. 
       The user will receive the message "Invalid drive specification" due 
       to the virus having overwritten the last 2 bytes of the original 
       master boot sector location.  Norton Disk Doctor can successfully 
       resolve this problem, rendering the hard disk accessible again.

Show viruses from discovered during that infect .

Main Page