Form (computer virus)
| shape | |
|---|---|
| Surname | shape |
| Known since | 1990 |
| First location | Switzerland |
| Virus type | Boot sector virus |
| Authors | unknown |
| File size | 512 KB |
| Host files | Boot sector, master boot record |
| Polymorph | No |
| Stealth | No |
| Memory resident | Yes |
| system | MS-DOS |
Form is the name of a group of boot sector viruses for MS-DOS computers. It is believed that the original virus originated in the canton of Zug in Switzerland .
The FORM.A virus was one of the most common computer viruses worldwide for years in the early 1990s .
Variants and derivatives
Due to the popularity and high distribution of the virus, there are several known variants. The following versions are known as in-the-wild viruses:
- FORM.A or mostly just FORM : Probably the first and by far the most common version.
- FORM.B : A virus derivative that was also common at the beginning of the 1990s, in which the payload is always activated on the 24th (instead of the 18th) of each month. From the mid-1990s, hardly any infections were reported.
- FORM.C : The keyboard click occurs only in May. FORM.C was a rather rare virus
- FORM.D : The virus code is stored directly behind the partition table . This version is the most common after the original. Infections were reported regularly until 1998.
- FORM-II and FORM-Canada are documented variants about which no details are known.
function
The Form Virus is a boot virus that spreads via floppy disks . As soon as an infected floppy disk is inserted into a computer and booted from it, the virus installs itself into the main memory. 2 KB are reserved by the DOS memory. The boot sector of the hard disk is then infected, with the original content being written to the last two sectors. As a result, the virus is reactivated immediately every time the computer is restarted. From then on, every addressed, non-write-protected floppy disk is infected and the original boot sector is overwritten.
Every 18th day of the month, the virus presents itself in the form of click tones with every keystroke.
The program code also contains the following text:
The FORM Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! Fuckings go to Corinne.
- Translation: The FORM Virus greets everyone who reads this text. FORM does not destroy any data! No panic! Fuck you, Corinne.
Detection and elimination
- Since floppy disks are rarely needed these days, the virus is virtually extinct.
- Modern BIOS versions are also equipped with protection against overwriting the hard disk MBR.
- Antivirus programs have been detecting the virus since the early 1990s.
Individual evidence