Virus Profile: FORM

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/1/0001
Date Added: 6/15/1990
Origin: Switzerland
Length: 512 Bytes
Type: Virus
Subtype: Boot
DAT Required: 4002
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

One indication of the Form virus is a clicking noise produced when any key on the keyboard is pressed on the 18th day of any month. Please note that if a keyboard driver is used, the clicking noise is undetectable.

Another symptom of infection is that your system will hang on a failed disk read.

Form consumes 2k of memory. The DOS MEM command will report 2k less memory. On a floppy diskette, CHKDSK reports 1,024 bytes of bad sectors. In the binary code of the virus, there is a message which identifies the virus, states that it does not destroy data and an expletive to Corrine. The message follows:

"The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! (Expletive) go to Corinne."

This message is not displayed, but can be found using a disk editor.

Methods of Infection

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.


Form Boot, FORM-18

Virus Characteristics

Form is a Boot Sector, memory resident virus. The Form virus inhabits both a portion of high DOS memory and also the last two sectors on the hard drive. The virus does not infect files. Usually there is no damage done to data on the hard drive. However, it may corrupt the contents of infected diskettes.

On the hard drive, Form moves the original boot sector and a portion of itself and stores it in the last two sectors of the infected hard drive. If these sectors are overwritten by data at a later date, the system may hang during the boot-up process. However, you may still access the drive.

Form creates bad sectors on floppy diskettes. The virus is stored in the second sector of the diskette, and relocates the original data into the unused section of the File Allocation Table (FAT). The area of the FAT where the code is stored is marked as bad, so that the information will be preserved and remain undamaged.

Additional Comments:
The FORM-Virus, or Form Boot, is a memory resident infector of floppy and hard disk boot sectors. It was originally isolated in Switzerland. When a system is first booted with a diskette infected with the FORM-Virus, the virus will infect system memory as well as seek out and infect the system's hard disk. The floppy boot may or may not be successful, on the author's test system, a boot from floppy diskette infected with FORM-Virus never succeeded, instead the system would hang. It should be noted that the virus was received by the author of this document as a binary file, and it may have been damaged in some way. The following text message is contained in the FORM-Virus binary code as received by the author of this document: "The FORM-Virus sends greetings to everyone who's reading this text.FORM doesn't destroy data! Don't panic! Fu--ings go to Corinne." These messages, however, may not appear in all cases. For example, I did not find these messages anywhere on a hard disk infected with Form Boot. Systems infected with the FORM-Virus in memory may notice that a clicking noise may be emitted from the system speaker on the 24th day of any month. This virus can be removed with the same technique as used with many boot sector infectors. First, power off the system and then boot from a known clean write-protected boot diskette. The DOS SYS command can then be used to recreate the boot sector. Alternately, MDisk from McAfee Associates may be used to recreate the boot sector. Known variant(s) of the FORM-Virus are:


Variants information
Virus Name Type Subtype Differences
FormII Virus Boot
FORM-Canada Virus Boot
Form.A Virus Boot
Form.B Virus Boot
Form.D Virus Boot

Windows 95/98:
Note for Windows 9x systems - during the boot process a Windows95 created boot disk will access the hard drive for information. Because of this an image of the virus may be in memory but not active.

To remove the virus, follow the following steps:
- If you use the McAfee emergency disk, hit F8 at the starting Windows 95 message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the a:, type

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.


PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!