- Newsgroups: comp.sys.ibm.pc.misc
- Path: sparky!uunet!spool.mu.edu!umn.edu!csus.edu!netcom.com!mcafee
- From: mcafee@netcom.com (McAfee Associates)
- Subject: Re: "FORM" Virus
- Message-ID: <1992Nov22.072835.20368@netcom.com>
- Followup-To: poster
- Summary: Short description of FORM virus
- Sender: Aryeh Goretsky
- Organization: McAfee Associates
- References: <coiLuB1w165w@student.business.uwo.ca>
- Date: Sun, 22 Nov 1992 07:28:35 GMT
- Lines: 65
-
- Hello Michael Tanglao,
-
-
- In article <coiLuB1w165w@student.business.uwo.ca> m4tangla@student.business.uwo.ca (Michael Tanglao) writes:
- >I am currently having problems getting rid of the "FORM" virus from our LAN
- >sys. Does anyone know anything about this virus? Norton Anti-Virus does not
- >seem to eliminate it, although F-prot does. I am using F-prot on all the
- >stations, so I thought I had taken care of it. Unfortunately, some bizarre
- >disk errors have occurred recently.
- >
- >Does anyone know anything about what this virus does? Are there Norton virus
- >definitions available for it?
-
- The FORM virus is a floppy disk and hard disk boot sector infector, that is,
- it relocates the DOS Boot Sector to another location on the disk and copies
- itself into the original location so the next time that disk is booted from,
- the virus is loaded into memory. Once resident in memory, the virus monitors
- the system for other disks to infect. When a disk is accessed, the virus
- checks to see if it is infected and if not, places a copy of itself onto the
- disk.
-
- The virus activates on the 18th or the 24th of the month, depending on which
- variant you have. At that time, the virus will make a click sound over the
- speaker whenever a key is pressed on the keyboard.
-
- The FORM virus is too large to fit into one sector, so it stores the original
- boot sector along with the rest of its code at the end of infected disks (I
- don't recall the exact location) in several sectors marked as bad.
-
- The fastest way to remove the virus is to boot infected PC's from an original
- DOS boot disk (the DOS Install disk that comes with most PC's is great).
- After booting, use the DOS "SYS" command to transfer a new boot sector from
- the floppy diskette to the hard disk. You can also use the SYS command to
- remove the virus from any bootable floppies, or copy the files off the
- infected diskettes, reformat, and reload the programs to them. After
- removal, run CHKDSK to recover the bad clusters created by the virus and
- delete them.
-
- Alternatively, you may want to try using a different anti-viral program.
- Several public domain and shareware anti-viral programs are available by
- anonymous ftp from the WSMR-SIMTEL20.Army.Mil archives or any of its
- mirror sites (North American mirrors include wuarchive.wustl.edu and
- oak.oakland.edu, if I recall correctly).
-
- Regards,
-
- Aryeh Goretsky
- McAfee Associates Technical Support
-
- >
- >Please send all replies to lawphf@ccs.cc1.uwo.ca.
- >Thanks.
- >
- >m4tangla@student.business.uwo.ca (Michael Tanglao)
- >Western Business School -- London, Ontario
-
-
- --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET:
- 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | mcafee@netcom.COM
- Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
- 95054-3107 USA | USR HST Courier DS | or GO MCAFEE
- Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR
-
-
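The post says the virus parks the original boot sector and the rest of its code in sectors marked as bad, and that CHKDSK is run afterwards to deal with those clusters. As an added example (not part of the original post and not McAfee code), this lists every cluster flagged bad in the first FAT of a FAT12 floppy image so the sectors can be inspected. It assumes a standard BIOS Parameter Block at offset 11; the 360 KB sample image and the choice of cluster 355 are constructed, and a bad-marked cluster alone does not prove infection.

```python
import struct

BAD_CLUSTER = 0xFF7  # FAT12 value meaning "bad cluster, do not allocate"

def parse_bpb(boot):
    """Read the BIOS Parameter Block fields needed to locate the FAT and data area."""
    bps, spc, reserved, nfats, root_ents, total, _media, spf = struct.unpack_from(
        "<HBHBHHBH", boot, 11)
    root_secs = (root_ents * 32 + bps - 1) // bps
    first_data = reserved + nfats * spf + root_secs
    clusters = (total - first_data) // spc
    return dict(bps=bps, spc=spc, reserved=reserved, spf=spf,
                first_data=first_data, clusters=clusters)

def fat12_entry(fat, n):
    """Decode the 12-bit FAT entry for cluster n (two entries share three bytes)."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if n & 1 else val & 0xFFF

def bad_clusters(image):
    """Return (cluster, first_sector) for every cluster marked bad in FAT #1."""
    g = parse_bpb(image[:512])
    start = g["reserved"] * g["bps"]
    fat = image[start:start + g["spf"] * g["bps"]]
    return [(n, g["first_data"] + (n - 2) * g["spc"])
            for n in range(2, g["clusters"] + 2)
            if fat12_entry(fat, n) == BAD_CLUSTER]

def make_sample_image(bad=(355,)):
    """Constructed 360 KB FAT12 image with the given clusters marked bad."""
    img = bytearray(720 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    fat = bytearray(2 * 512)
    fat[0:3] = b"\xFD\xFF\xFF"              # reserved entries 0 and 1
    for n in bad:
        off = n + n // 2
        if n & 1:                           # odd cluster: high 12 bits of the word
            fat[off] = (fat[off] & 0x0F) | ((BAD_CLUSTER << 4) & 0xF0)
            fat[off + 1] = BAD_CLUSTER >> 4
        else:                               # even cluster: low 12 bits of the word
            fat[off] = BAD_CLUSTER & 0xFF
            fat[off + 1] = (fat[off + 1] & 0xF0) | (BAD_CLUSTER >> 8)
    img[512:1536] = fat                     # FAT #1
    img[1536:2560] = fat                    # FAT #2
    return bytes(img)

if __name__ == "__main__":
    for cluster, sector in bad_clusters(make_sample_image()):
        print(f"cluster {cluster} marked bad, first sector {sector}")
```

On a real image, pass the raw bytes of the diskette to `bad_clusters` and examine the reported sectors with a hex viewer before letting CHKDSK reclaim them.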