Threat description




ExeBug is an unusual boot sector virus. It typically spreads by infecting the hard disk when an attempt is made to boot the machine from a floppy, and after that it infects practically all floppies used in the machine.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The interesting point about the ExeBug virus is that it circumvents booting from a clean diskette quite efficiently in certain machines.

The virus changes the computer's setup information in the CMOS memory so that the computer thinks it has no diskette drives. Thus the computer is always booted from the hard disk, and the virus lurking in the main boot record is loaded into memory first. The virus continues the booting routine from the A drive, if needed, to make the computer's functioning seem perfectly normal.

It is difficult to inspect an infected computer's hard disk without having the virus active in memory. First, the machine's Setup information must be modified to show that drive A: exists, then this information must be saved, and then the machine must be booted directly from a clean boot floppy. After this the hard drive will not be accessible, but F-Secure anti-virus products will clean up the hard disk when executed from a floppy.
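The CMOS change described above can be checked offline against a saved copy of the CMOS contents. The following is an added example, not F-Secure code: it assumes the standard AT CMOS layout (diskette types at 0x10, equipment byte at 0x14, checksum at 0x2E-0x2F), which the page does not state, and all sample dumps are constructed.

```python
# Added example: offline check of an AT-style CMOS dump.
# Assumed layout (standard AT CMOS, not stated on the page):
#   0x10       diskette types, high nibble = drive A, low nibble = drive B
#   0x14       equipment byte, bit 0 = diskette drive(s) installed
#   0x2E-0x2F  16-bit checksum (high byte first) of bytes 0x10..0x2D
FLOPPY_TYPES = {0: "none", 1: "360K 5.25in", 2: "1.2M 5.25in",
                3: "720K 3.5in", 4: "1.44M 3.5in", 5: "2.88M 3.5in"}


def inspect_cmos(dump: bytes) -> dict:
    """Decode the diskette setup fields and list anything worth a second look."""
    if len(dump) < 0x30:
        raise ValueError("need at least 48 bytes of CMOS data")
    drive_a, drive_b = dump[0x10] >> 4, dump[0x10] & 0x0F
    equipment_has_floppy = bool(dump[0x14] & 0x01)
    stored = (dump[0x2E] << 8) | dump[0x2F]
    computed = sum(dump[0x10:0x2E]) & 0xFFFF
    findings = []
    if drive_a == 0:
        findings.append("setup reports no drive A: compare with the hardware")
    if equipment_has_floppy != (drive_a != 0 or drive_b != 0):
        findings.append("equipment byte and diskette type byte disagree")
    if stored != computed:
        findings.append("CMOS checksum mismatch")
    return {"drive_a": FLOPPY_TYPES.get(drive_a, f"unknown({drive_a})"),
            "drive_b": FLOPPY_TYPES.get(drive_b, f"unknown({drive_b})"),
            "findings": findings}


def build_sample(diskette_types: int, equipment: int) -> bytes:
    """Construct a 64-byte sample dump with a valid checksum (test data only)."""
    dump = bytearray(64)
    dump[0x10], dump[0x14] = diskette_types, equipment
    dump[0x15], dump[0x16] = 0x80, 0x02          # base memory: 640 KB
    checksum = sum(dump[0x10:0x2E]) & 0xFFFF
    dump[0x2E], dump[0x2F] = checksum >> 8, checksum & 0xFF
    return bytes(dump)


# Constructed samples. Which bytes ExeBug rewrites is not stated on the page.
CLEAN = build_sample(0x40, 0x01)        # 1.44M drive A, diskette bit set
NO_DRIVES = build_sample(0x00, 0x00)    # setup consistently claims no drives
HALF_EDITED = build_sample(0x00, 0x01)  # type byte zeroed, equipment bit left set

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN), ("no drives", NO_DRIVES),
                       ("half edited", HALF_EDITED)):
        print(name, inspect_cmos(dump))
```

A "no drive A" finding on a machine that physically has a diskette drive is the state the Setup step above is meant to correct before booting from a clean floppy.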

The virus will also trojanize some EXE files by overwriting them with a short trojan horse, which will trash the hard disk when run.

F-Secure anti-virus products will detect the trojans created by ExeBug with the name "destroyed by ExeBug-virus".

There are several known variants of the virus - the most important difference between them is that ExeBug.C activates on any day of March, overwriting part of the hard disk contents. ExeBug.Hooker occasionally overwrites EXE files with a trojan which displays the text 'HOOKER'.

Note: When searching for ExeBug with F-PROT after a floppy boot, use the command F-PROT /HARD instead of using F-PROT C:, or just run F-PROT in interactive mode and scan 'Hard disk'. After F-PROT has disinfected the MBR, you will have to reboot the machine before you can access the hard drive.
