Threat Description

ExeBug

Details

Aliases: ExeBug, Hooker, Int_0B, CMOS-1
Category: Malware
Type: Virus
Platform: W32

Summary



ExeBug is an unusual boot sector virus. It typically spreads by infecting the hard disk when someone tries to boot the machine from an infected floppy, and after that by infecting practically all floppies used in that machine.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to the General Removal Instructions for a general guide to alternative disinfection actions.



Technical Details



The interesting point about the ExeBug virus is that it circumvents booting from a clean diskette quite efficiently on certain machines.

The virus changes the computer's setup information in the CMOS memory so that the computer thinks it has no diskette drives. Thus the computer always boots from the hard disk and so loads the virus lurking in the master boot record into memory first. The virus then continues the boot from the A: drive, if needed, so that the computer appears to function perfectly normally.

It is difficult to inspect an infected computer's hard disk without having the virus active in memory. First, the machine's Setup information must be modified to show that drive A: exists, then this information must be saved, and then the machine must be booted directly from a clean boot floppy. After this the hard drive will not be accessible, but F-Secure anti-virus products will clean up the hard disk when executed from a floppy.
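As an added illustration (not part of the F-Secure description), the following C code checks the first step of that recovery procedure from a captured 128-byte CMOS image: does the Setup data still say a drive A: exists, or has it been set to "no diskette drives"? The register offsets are the standard AT CMOS layout; the sample images are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Standard AT CMOS layout: register 0x10 holds the floppy drive types
 * (high nibble = drive A, low nibble = drive B, 0 = no drive); register
 * 0x14, the equipment byte, has bit 0 set when any floppy is installed
 * and bits 6-7 equal to (number of floppy drives - 1). */
#define CMOS_FLOPPY_TYPE 0x10
#define CMOS_EQUIPMENT   0x14

/* 1: drive A: is configured as absent (the state ExeBug leaves behind);
 * 0: drive A: is present; -1: the type register and the equipment byte
 * disagree, so the Setup data should not be trusted until corrected. */
int cmos_floppy_a_missing(const uint8_t cmos[128])
{
    uint8_t type_a = cmos[CMOS_FLOPPY_TYPE] >> 4;
    uint8_t type_b = cmos[CMOS_FLOPPY_TYPE] & 0x0F;
    int installed = cmos[CMOS_EQUIPMENT] & 0x01;
    int count = installed ? ((cmos[CMOS_EQUIPMENT] >> 6) & 0x03) + 1 : 0;
    int configured = (type_a != 0) + (type_b != 0);

    if (configured != count)
        return -1;
    return type_a == 0;
}

/* Builds a constructed 128-byte CMOS image with only the two registers of
 * interest set, then runs the check on it (used by the demo below). */
int check_sample(uint8_t type_reg, uint8_t equip_reg)
{
    uint8_t cmos[128];
    memset(cmos, 0, sizeof cmos);
    cmos[CMOS_FLOPPY_TYPE] = type_reg;
    cmos[CMOS_EQUIPMENT] = equip_reg;
    return cmos_floppy_a_missing(cmos);
}

int main(void)
{
    /* Constructed samples: a normal 1.44 MB A: drive, then the
     * "no diskette drives" configuration the virus writes. */
    printf("normal PC: A: missing? %d\n", check_sample(0x40, 0x01));
    printf("ExeBug PC: A: missing? %d\n", check_sample(0x00, 0x00));
    return 0;
}
```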

The virus will also trojanize some EXE files by overwriting them with a short trojan horse, which trashes the hard disk when run.

F-Secure anti-virus products will detect the trojans created by ExeBug with the name "destroyed by ExeBug-virus".

There are several known variants of the virus. The most important difference between them is that ExeBug.C activates on any day of March, overwriting part of the hard disk contents. ExeBug.Hooker occasionally overwrites EXE files with a trojan which displays the text 'HOOKER'.

Note: When searching for ExeBug with F-PROT after a floppy boot, use the command F-PROT /HARD instead of F-PROT C:, or run F-PROT in interactive mode and scan 'Hard disk'. After F-PROT has disinfected the MBR, you will have to reboot the machine before you can access the hard drive.





Description Created: Mikko Hypponen, F-Secure