Summary
ExeBug is an unusual boot sector virus. It typically spreads
by infecting the hard disk when an attempt is made to boot the
machine from a floppy, and after that by infecting practically
all floppies used in the machine.
Additional Details
The interesting point about the ExeBug virus is that it circumvents
booting from a clean diskette quite efficiently on certain
machines.
The virus changes the computer's setup information in the CMOS
memory so that the computer thinks it has no diskette drives.
Thus the computer is always booted from the hard disk and so
loads the virus lurking in the main boot record first into
memory. The virus continues the booting routine from the A drive,
if needed, to make the computer's functioning seem perfectly
normal.
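The Setup change described above can be checked from a dump of the
machine's CMOS memory. The following is an added example, not code from
the original analysis; it assumes the standard PC/AT CMOS layout (floppy
types at 0x10, equipment byte at 0x14, checksum at 0x2E-0x2F), which the
page does not specify, and it runs on constructed dumps.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard PC/AT CMOS offsets (assumed layout; not taken from the page). */
#define CMOS_FLOPPY_TYPES 0x10 /* high nibble = A: type, low nibble = B: type */
#define CMOS_EQUIPMENT    0x14 /* bit 0 set = diskette drive(s) installed */
#define CMOS_CSUM_HI      0x2E /* 16-bit sum of bytes 0x10..0x2D, high byte */
#define CMOS_CSUM_LO      0x2F /* low byte */

enum { FLOPPY_CONFIGURED, FLOPPY_NONE_CONFIGURED, CMOS_BAD_CHECKSUM };

static uint16_t cmos_sum(const uint8_t *c) {
    uint16_t s = 0;
    for (int i = 0x10; i <= 0x2D; i++) s = (uint16_t)(s + c[i]);
    return s;
}

/* Classify a 64-byte CMOS dump taken from the suspect machine. */
int check_cmos_floppy(const uint8_t *cmos) {
    uint16_t stored = (uint16_t)((cmos[CMOS_CSUM_HI] << 8) | cmos[CMOS_CSUM_LO]);
    if (stored != cmos_sum(cmos)) return CMOS_BAD_CHECKSUM;
    /* Checksum is valid, so the BIOS accepts these settings as they stand. */
    if ((cmos[CMOS_FLOPPY_TYPES] >> 4) == 0 || !(cmos[CMOS_EQUIPMENT] & 1))
        return FLOPPY_NONE_CONFIGURED;
    return FLOPPY_CONFIGURED;
}

/* Build a constructed dump (not real data) and classify it. */
int check_sample(uint8_t floppy_types, uint8_t equipment, int corrupt) {
    uint8_t cmos[64];
    memset(cmos, 0, sizeof cmos);
    cmos[CMOS_FLOPPY_TYPES] = floppy_types;
    cmos[CMOS_EQUIPMENT] = equipment;
    uint16_t s = cmos_sum(cmos);
    cmos[CMOS_CSUM_HI] = (uint8_t)(s >> 8);
    cmos[CMOS_CSUM_LO] = (uint8_t)(s & 0xFF);
    if (corrupt) cmos[CMOS_FLOPPY_TYPES] ^= 0x40; /* change without fixing sum */
    return check_cmos_floppy(cmos);
}

int main(void) {
    static const char *msg[] = { "floppy configured", "no floppy configured",
                                 "bad CMOS checksum" };
    printf("A: 1.44MB set up : %s\n", msg[check_sample(0x40, 0x01, 0)]);
    printf("drives zeroed    : %s\n", msg[check_sample(0x00, 0x00, 0)]);
    printf("edited, stale sum: %s\n", msg[check_sample(0x40, 0x01, 1)]);
    return 0;
}
```

A "no floppy configured" result on a machine that physically has a
drive A: matches the symptom described above; the check cannot tell by
itself whether a drive is actually fitted.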
It is difficult to inspect an infected computer's hard disk
without having the virus active in memory. First, the machine's
Setup information must be modified to show that drive A: exists,
then this information must be saved, and then the machine must be
booted directly from a clean boot floppy. After this the hard
drive will not be accessible, but F-Secure anti-virus products
will clean up the hard disk when executed from a floppy.
The virus will also trojanize some EXE files by overwriting them
with a short trojan horse, which will trash the hard disk when run.
F-Secure anti-virus products will detect the trojans created by
ExeBug with the name "destroyed by ExeBug-virus".
There are several known variants of the virus. The most important
difference between them is that ExeBug.C activates on any day of
March, overwriting part of the hard disk contents. ExeBug.Hooker
occasionally overwrites EXE files with a trojan which displays the
text 'HOOKER'.
Note: When searching for ExeBug with F-PROT after a floppy boot,
use the command F-PROT /HARD instead of using F-PROT C:, or just
run F-PROT in interactive mode and scan 'Hard disk'. After F-PROT
has disinfected the MBR, you will have to reboot the machine before
you can access the hard drive.
[Analysis: Mikko Hypponen, F-Secure]