| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | DBR (Floppy)- infector, DBR - infector |
| Length: | 2 kilobyte(s) |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | |
| Computer model(s): | PC's |
| Caroname: | Form |
Attributes | |
| Easy identification: | |
Type of Infection: | Virus stored in bad cluster. Selfrec in memory: None Selfrec on disk: (D,F)BR[3Fh..40h] = 01h FEh |
| Infection Technique: | |
| Infection Trigger: | Int13INFECTION_CRIT: |
| Storage Media affected: | Disketts, Harddisks |
| Interrupts hooked: | 13h/02h, 09h (transient damage) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: Clicking noise on key make and break (INT 09h) Permanent: None |
| Damage Trigger: | Transient: DayOfMonth = 18 Permanent: n/a |
| Particularities: | None Displayed text: None Not displayed text: "The FORM-Virus sends greetings to everyone who'sreading this text.FORM doesn't destroy data! Don'tpanic! Fuckings go to Corinne." Very common in Europe -- Form got lucky.The virus infects the boot sector of the hard drive'sbootable partition, which it determines by scanning thepartition table. It assumes this bootable partition isa DOS drive, and searches for unused space in theDOS FAT, marking it bad and using it. If it isn't a DOSdrive, then what it believes to be the FAT could beanything; the place it selects for its hiding placecould be anywhere. This is an especial problem formachines which are routinely booted from floppy inorder to access a small DOS partition of secondaryimportance, such as OS/2 or Unix. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Paul Ducklin |
| Documentation by: | Paul Ducklin |
| Date: | |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg