Norton AntiVirus 

What is the Form Virus?

The Form virus is considered a BOOT SECTOR virus because the FORM virus will
infect the Boot Sector of your hard drive.  When The FORM virus infects the
Boot Sector and moves this sector to another location on your hard drive.
The data that was at this  location is now overwritten with the boot sector
information.  The FORM virus activates on different days of the month, the
18th and the 24th days are the most common, depending on the strain of the
FORM virus.  If you start your computer on one of these days the virus may
start making a clicking noise from the computer speaker, but not always.
In all cases though, the virus will move the BOOT SECTOR of your hard drive
to another location.  Because of this, if you do not repair the FORM virus
completely your hard drive will become corrupted or fragmented.

How does the Form Virus Spread?

All floppies have a boot sector, even if they are non system (bootable)
diskettes.  Anytime you try to start or reset your computer with a system
(bootable) or non-system (non-bootable) diskette, the computer will read
the boot sector of the diskette.  Since the FORM virus is contained in the
boot sector, the virus will activate, move into memory and then infect your
hard drive.  You will not see this activity at all, this happens so quickly
that all you will get is either an error message such as non-system disk or
disk error or the computer system will boot up to the A: Drive.  Regardless,
if you attempt to boot from an infected diskette your hard drive is now
infected with the Form virus. 

Now that your hard drive is infected, every time you boot your system you
will activate the virus into memory. The virus will check the date first and
then sit in memory waiting for you to access a floppy.  For every floppy
you access, the virus will contaminate the floppy boot record.  You can now
see how easy it is to pass a virus from one system to another.

How to repair the Hard Drive if it is Infected with the Form Virus:

First power off the system, and then reboot from drive A: with a
write-protected system (bootable) diskette that has the same version of DOS
that is install on the hard drive.

You can use one of the following repair procedures:

1.     Boot from a RESCUE diskette created with NAV 3.0, as long as it was
       created before the hard drive was infected.

       Once booted up from the Rescue diskette on drive A:. Type RESCUE and
       press Enter.

       Select Restore  and choose both the Boot Record and Partition Table
       Information and press Enter.

2.	Boot from a non-infected MSDOS system (bootable) diskette on drive A:

        Run the Norton AntiVirus DOS Clinic from either the original
        installation diskettes or from your hard drive.

 	Select all Local Hard Drive and press Enter.

 	Once the Form virus is detected (but not in memory), choose Repair
        option and press Enter. If the Form virus is detected in memory,
        than the system (bootable) diskette is also infected.

3.	Boot from a non-infected MSDOS system (bootable) diskette on drive A:.
        If you can find SYS.COM on one of the MS-DOS diskette, you can run
        the SYS command. Type SYS C: and press Enter.
	
Note:  Since the only way this hard drive could be infected with the Form
       virus was through an infected diskette.  You must scan all your
       diskettes for the Form virus.

If Floppy Diskette is Infected with the Form Virus:

Make sure you do not try and reboot with this diskette, if you do, you will
infect your hard drive.

If Norton AntiVirus does not repair this virus it because either you do not
have Norton AntiVirus 3.0 and or you do not have the latest definitions files
for your version of  Norton AntiVirus.  If this is the case you can always
reformat you diskette that is infected with the Form virus.

Another way of repairing the FORM virus from your floppy diskette is to
overwrite the BOOT SECTOR of the floppy diskette.  You can do this by using
the SYS.COM command from the DOS directory.  Type SYS A: and press enter.

Note:  There are about 5 different strains of the FORM Virus. It is always
wise to have the latest version of NAV and the latest definitions for your
version.

Virus Library Description Information
Virus Information:
Virus Names and Aliases:  The most common names by which the virus is known.
Infects: Defines where the virus attacks or infects
         (Boot Records or File Infector).
Likelihood: Options are: Common and Rare.
Length: Length, in bytes, of the virus code.

Characteristics:
Memory Resident: Stays in memory after it activates.
Size Stealth: Tries to conceal itself from detection by disguising its size.
Full Stealth: Tries to conceal itself from detection by disguising its
              size and attributes.
Triggered Event: Performs some action based on certain criteria
     (for example a date on the computer's system clock).
Encrypting: Encrypts its code to make detection more difficult.
Polymorphic: Appears differently in each infected file.

Virus Name:   Form
Aliases:      
Infects:      Floppy and Hard Disk Boot Records
Likelihood:   Common
Length:       512 bytes

Characteristics
Memory Resident
Yes
Triggered Event
Yes

Size Stealth
No
Encrypting
No

Full Stealth
No
Polymorphic
No


Comments:
On a given day of any month, the virus causes a clicking sound when keys are
pressed.  On hard disks, the original boot sector is on the last sector of
the infected hard drive and may be overwritten.

Virus Name:   FORM.E
Aliases:      Form II, Stir
Infects:      Floppy and Hard Disk Boot Records
Likelihood:   Rare
Length:       512 bytes

Characteristics
Memory Resident
Yes
Triggered Event
Yes

Size Stealth
No
Encrypting
No

Full Stealth
No
Polymorphic
No



Comments:  This Form virus variant contains the text "STIR!".


