BOOT_FORM.A

 Analysis by: RonJay Kristoffer Caragay

 ALIASES:

Virus:DOS/Form (Microsoft); Boot.Form.a (VBA32); Form (Sophos); Virus.Boot.Form.a (v) (Sunbelt); Form.A.Variant (Ikarus); Form (McAfee); Form.A (exact) (F-Prot); Virus.Boot.Form.a (Kaspersky); Form.A (BitDefender); Form.fam (Fortinet); Form (AVG)

 PLATFORM:

Windows, DOS


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Copies itself in floppy drives


This is the Trend Micro detection for a system's infected Master Boot Record (MBR) modified by another malware.

  TECHNICAL DETAILS

File Size:

1,474,560 bytes

File Type:

DOS

Memory Resident:

Yes

Initial Samples Received Date:

18 Sep 2015

Arrival Details

This malware arrives via the following means:

  • Floppy disk drive
  • Modified by other malware

NOTES:

This malware writes its own code into the Volume Boot Record (VBR) so that it is loaded and executed before the operating system starts.

It overwrites the VBR with the following strings:

The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! Fuckings go to Corinne

It infects the boot sectors of floppy disks and the partition boot sector of hard disks. Infection occurs when a system is booted from an infected floppy disk.

The boot sequence does not need to be completed for the virus to infect. Once it resides in memory, it infects any non-write-protected diskette that is accessed. It generates sounds on the infected machine when keys are pressed by the user.
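As an added example, not part of the Trend Micro description, the following Python check scans a dumped 512-byte boot sector or a raw floppy image for the text the virus writes into the VBR and for a missing 0xAA55 boot signature; the sample sectors it builds are constructed for illustration, not real captures.

```python
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid boot sector (0xAA55, little-endian)

# Fragments of the text the Form virus writes into the VBR (quoted from the description above).
FORM_MARKERS = [
    b"The FORM-Virus sends greetings",
    b"FORM doesn't destroy data",
]

@dataclass
class SectorReport:
    size_ok: bool
    has_boot_signature: bool
    looks_like_vbr: bool
    form_markers_found: list
    verdict: str

def scan_boot_sector(sector: bytes) -> SectorReport:
    """Classify one sector: Form text present, boot signature missing, or clean."""
    size_ok = len(sector) == SECTOR_SIZE
    has_sig = size_ok and sector[-2:] == BOOT_SIGNATURE
    # A DOS/FAT VBR starts with a short (0xEB) or near (0xE9) JMP over the BIOS Parameter Block.
    looks_like_vbr = size_ok and sector[0] in (0xEB, 0xE9)
    found = [m.decode() for m in FORM_MARKERS if m in sector]
    if found:
        verdict = "infected: Form boot virus text present"
    elif not has_sig:
        verdict = "suspicious: missing 0xAA55 boot signature"
    else:
        verdict = "clean: no Form marker found"
    return SectorReport(size_ok, has_sig, looks_like_vbr, found, verdict)

def scan_image(path: str) -> list:
    """Scan every 512-byte sector of a raw floppy image; return (sector_no, report) for each hit."""
    hits, n = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(SECTOR_SIZE):
            report = scan_boot_sector(chunk)
            if report.form_markers_found:
                hits.append((n, report))
            n += 1
    return hits

def make_sample_sector(infected: bool) -> bytes:
    """Constructed sample VBR (not a real capture): JMP, OEM name, padding, optional Form text, 0xAA55."""
    body = bytearray(b"\xEB\x3C\x90" + b"MSDOS5.0" + b"\x00" * 501)
    if infected:
        text = b"The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic!"
        body[0x100:0x100 + len(text)] = text
    body[510:512] = BOOT_SIGNATURE
    return bytes(body)
```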

  SOLUTION

Minimum Scan Engine:

9.750

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as BOOT_FORM.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Before performing any of the steps below, make sure that you have created a backup of your important data files as unforeseen errors may occur during the cleaning process and may damage your system.

Do not attempt to boot the system using an infected disk.

  1. Create a backup of your files stored in the infected floppy disk.
  2. Format all infected floppy disks to restore their boot sectors.

