ExeBug is an unusual boot sector virus. It spread typically
by infecting the hard disk if the machine is tried to boot
from a floppy, and after that infecting practically all
floppies used in the machine.
The interesting point in ExeBug virus is that is circumvents
booting from a clean diskette quite efficiently in certain
The virus changes the computer's setup information in the CMOS
memory so that the computer thinks it has no diskette drives.
Thus the computer is always booted from the hard disk and so
loads the virus lurking in the main boot record first into
memory. The virus continues the booting routine from the A drive,
if needed, to make the computer's functioning seem perfectly
It is difficult to get to inspect an infected computer's hard
disk without having the virus active in memory. First, the machines
Setup information must be modified to show that the drive A: exist,
then this information must be saved, and then the machine must be
directly booted from a clean boot floppy. After this the hard
drive will not be accessible, but F-Secure anti-virus products
will clean up the hard disk when executed from a floppy.
Virus will also trojanize some EXE files by overwriting them with
a short trojan horse, which will trash the hard disk when run.
F-Secure anti-virus products will detect the trojans created by
ExeBug with the name "destroyed by ExeBug-virus".
There are several known variants of the virus - the most important
difference between them is that Exebug.C activates on any day of
March, overwriting part of the hard disk contents. ExeBug.Hooker
occasionally overwrites EXE files with a trojan which displays text
Note: When searching for ExeBug with F-PROT after a floppy boot,
use the command F-PROT /HARD instead of using F-PROT C:, or just
run F-PROT in interactive mode and scan 'Hard disk'. After F-PROT
has disinfected the MBR, you will have to reboot the machine before
you can access the hard drive.
[Analysis: Mikko Hypponen, F-Secure]