Classification

Category :

Malware

Type :

Virus

Aliases :

ExeBug, Hooker, Int_0B, CMOS-1

Summary

ExeBug is an unusual boot sector virus. It typically spreads by infecting the hard disk when an attempt is made to boot the machine from an infected floppy, and after that by infecting practically all floppies used in the machine.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The interesting point in the ExeBug virus is that it circumvents booting from a clean diskette quite efficiently on certain machines.

The virus changes the computer's setup information in the CMOS memory so that the computer thinks it has no diskette drives. Thus the computer is always booted from the hard disk and so loads the virus lurking in the main boot record first into memory. The virus continues the booting routine from the A drive, if needed, to make the computer's functioning seem perfectly normal.

It is difficult to inspect an infected computer's hard disk without having the virus active in memory. First, the machine's Setup information must be modified to show that drive A: exists, then this information must be saved, and then the machine must be booted directly from a clean boot floppy. After this the hard drive will not be accessible, but F-Secure anti-virus products will clean up the hard disk when executed from a floppy.
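The diskette-drive setting the virus tampers with lives in the CMOS floppy-type byte. The following is an added example, not part of the original description, that decodes that byte from a CMOS image and verifies the CMOS checksum, so a defender can see whether Setup has been altered to report "no diskette drives"; it assumes the standard IBM AT layout (floppy types in byte 0x10, big-endian checksum of bytes 0x10-0x2D stored at 0x2E-0x2F), which some BIOS vendors extend differently.

```python
# Added example (not from the original description): decode the floppy-drive
# configuration byte of a PC/AT CMOS image and verify the CMOS checksum.
# Layout assumed (standard IBM AT; vendor BIOSes may differ): byte 0x10 holds
# the floppy types (high nibble = A:, low nibble = B:); bytes 0x2E-0x2F hold a
# big-endian checksum of bytes 0x10..0x2D.
from typing import Dict, Tuple

FLOPPY_TYPES = {0: "none", 1: "360 KB 5.25\"", 2: "1.2 MB 5.25\"",
                3: "720 KB 3.5\"", 4: "1.44 MB 3.5\"", 5: "2.88 MB 3.5\""}
FLOPPY_BYTE = 0x10
CHECKSUM_RANGE = range(0x10, 0x2E)
CHECKSUM_POS = 0x2E

def cmos_checksum(image: bytes) -> int:
    """Sum of the Setup bytes covered by the standard AT checksum."""
    return sum(image[i] for i in CHECKSUM_RANGE) & 0xFFFF

def decode_floppies(image: bytes) -> Dict[str, str]:
    """Translate the floppy-type nibbles into drive descriptions."""
    b = image[FLOPPY_BYTE]
    return {"A": FLOPPY_TYPES.get(b >> 4, f"unknown({b >> 4})"),
            "B": FLOPPY_TYPES.get(b & 0x0F, f"unknown({b & 0x0F})")}

def inspect_cmos(image: bytes) -> Tuple[bool, str]:
    """Return (suspicious, reason). Suspicious when no A: drive is configured
    (the machine can then only boot from the hard disk MBR) or when the stored
    checksum does not match the Setup bytes."""
    if len(image) < 0x30:
        raise ValueError("CMOS image too short")
    stored = (image[CHECKSUM_POS] << 8) | image[CHECKSUM_POS + 1]
    if stored != cmos_checksum(image):
        return True, "checksum mismatch: Setup bytes changed without updating checksum"
    drives = decode_floppies(image)
    if drives["A"] == "none":
        return True, "Setup reports no A: drive; BIOS will boot from the hard disk only"
    return False, f"A: {drives['A']}, B: {drives['B']}"

def make_image(floppy_byte: int, fix_checksum: bool = True) -> bytes:
    """Build a 64-byte sample CMOS image (constructed test data, not a real dump)."""
    img = bytearray(64)
    img[FLOPPY_BYTE] = floppy_byte
    if fix_checksum:
        cs = cmos_checksum(bytes(img))
        img[CHECKSUM_POS], img[CHECKSUM_POS + 1] = cs >> 8, cs & 0xFF
    return bytes(img)

if __name__ == "__main__":
    for name, img in [("normal", make_image(0x40)), ("no A: drive", make_image(0x00))]:
        print(name, inspect_cmos(img))
```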

The virus will also trojanize some EXE files by overwriting them with a short trojan horse, which will trash the hard disk when run.

F-Secure anti-virus products will detect the trojans created by ExeBug with the name "destroyed by ExeBug-virus".

There are several known variants of the virus. The most important difference between them is that Exebug.C activates on any day of March, overwriting part of the hard disk contents. ExeBug.Hooker occasionally overwrites EXE files with a trojan which displays the text 'HOOKER'.

Note: When searching for ExeBug with F-PROT after a floppy boot, use the command F-PROT /HARD instead of using F-PROT C:, or just run F-PROT in interactive mode and scan 'Hard disk'. After F-PROT has disinfected the MBR, you will have to reboot the machine before you can access the hard drive.