F-Secure Virus Descriptions : Form
This is a non-remarkable virus from Switzerland, but it is very common.
Form is able to infect
hard disks as well as floppies, and stores the rest of itself, as well as
the original boot sector on the last track of the hard disk, or in
clusters marked as "bad" on a diskette. It contains the following text:
The FORM-Virus sends greetings to everyone who's reading this text.
FORM doesn't destroy data! Don't panic! Fuckings go to Corinne.
Unlike most other boot sector viruses, Form infects the DOS boot sector
on hard drives instead of the Master Boot Record.
Form is only able to infect a hard disk when you try to boot the machine
from an infected diskette. At this time Form infects boot sector, and
after that it will go resident to high DOS memory during every boot-up
from the hard disk. Once Form gets resident to memory, it will infect
practicly all non-writeprotected diskettes used in the machine. Form
will create bad sectors on disks it infects.
Form activates on the 18th of any month; on that day it will cause
a 'click' from the PC speaker every time a key is pressed. On most
machines this activation routine will not be heard, because the
routine will fail if a keyboard driver (typically keyb.com) is
loaded.
Form is one of the most widespread viruses in existance.
Note: If you have Form on a NTFS partition under NT, you need to
repair the boot sector with a separate utility. A free program called
BOOTPART can do this easily with this command:
BOOTPART WINNT BOOT:C:
BOOTPART can be downloaded from
ftp://ftp.F-Secure.com/misc/anti-vir/bootpa20.zip
This is a pretty common minor variant of Form with no changes in
the functionality.
[Analysis: Mikko Hypponen, F-Secure]
|
