%%File: VIRS0382.TXT %%Name/Aliases: Form, Form Boot, FORM-Virus, Forms %%Platform: PC/MS-DOS %%Type: Boot sector., %%Disk Location: Floppy disk boot sector., Hard disk boot sector., Bad blocks., Or at end of physical drive in unused sectors. %%Features: Memory resident; TSR above TOM. %%Damage: Corrupts a program or overlay files., Deletes or moves files. %%Size: Overlays boot sector, no increase %%See Also: %%Notes: A boot sector virus that randomly destroys files. Dual acting; Attempts to infect the hard disk at boot time. Attempts to infect a floppy whenever the floppy is read. Does not infect the Master Boot Record (Partition table), but the boot record of the first logical drive (C:). It is also marks a cluster as bad, and stores the rest of the virus there. On the hard disk, if there are some left over sectors at the end of the physical drive that are not part of a cluster (not enough sectors to fill a cluster). The virus hides there. In memory, the virus goes resident and moves down the TOM by 2K. (wjo 11/94) The command FDISK/MBR is ineffective against FORM because it is not in the MBR (v5-190) Versions of FPROT prior to 2.06a can't remove the virus. The SYS command removes the virus by rewriting the disks boot sector. It does not remove the part stored in the bad sector or at the end of the drive, but that part won't hurt anything without the part in the boot sector. The virus makes the keys click and delays key action slightly. The keys don't start clicking as soon as the machine is infected. The boot sector will contain the following text(amongst others): "The FORM-Virus sends greetings to everyone who's read this text.". To remove it, boot from a clean disk and rewrite the boot sectors of an infected disk with the SYS command. Repeat for all infected disks. May have been on demo diskette of Clipper product. (virus-l V4-213) (Dave Chess, V6-106): There are some viruses that will infect whatever partition is currently marked bootable, regardless of whether or not it's a DOS partition. The FORM virus is particularly inept in this regard: it will infect whatever's marked bootable, and it will assume that the partition it's infecting is a FAT-formatted partition for purposes of finding unused space to hide itself. This can wreak havoc when the bootable partition is actually BootManager or HPFS, for instance.