Frisk Software International - Technical note #9


                         The ExeBug problem

The ExeBug virus is particularly difficult to disinfect in some cases, because
of a trick it plays with the CMOS.  What the virus does is to change the CMOS
to indicate that the machine does not have a floppy drive.  Then, before
every floppy access it toggles the relevant bits.

This means that if you turn the machine off, and back on, it will probably
be in the state where it does not appear to have any floppy drives.

On some machines, this means the computer will then boot from the hard
disk, loading the virus, which will then load the boot sector from the floppy
drive and execute that.

The result is that booting the machine from a "clean" diskette is quite
difficult - the virus automatically becomes active.

The solution is as follows:

   Enter setup mode (either by running a SETUP program, or by pressing
   the relevant keys during boot-up, depending on the system).

   The CMOS will probably show that no floppies are present.  Fix that,
   save the changes, and turn the machine off.

   Turn it back on, boot from a "clean" diskette, and verify that the CMOS
   information is correct.
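
A check for the last step above, verifying what the CMOS claims about the
floppy drives, added here as an example; it is not part of this note or of
F-PROT.  It decodes the floppy-type byte and the configuration checksum from
a constructed 64-byte CMOS image, assuming the standard AT layout (on a real
DOS machine each byte is read by writing its index to port 0x70 and reading
port 0x71).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard AT CMOS layout (assumed): byte 0x10 holds the floppy types,
 * high nibble = A:, low nibble = B: (0 = none, 1 = 360K, 2 = 1.2M,
 * 3 = 720K, 4 = 1.44M, 5 = 2.88M); bytes 0x2E/0x2F hold the big-endian
 * sum of bytes 0x10..0x2D.  The 64-byte image below is constructed. */
#define CMOS_SIZE        64
#define CMOS_FLOPPY_TYPE 0x10
#define CMOS_CKSUM_HI    0x2E
#define CMOS_CKSUM_LO    0x2F

/* Number of floppy drives the CMOS claims are fitted (0, 1 or 2). */
int cmos_floppy_count(const uint8_t *cmos)
{
    unsigned a = cmos[CMOS_FLOPPY_TYPE] >> 4, b = cmos[CMOS_FLOPPY_TYPE] & 0x0F;
    return (a != 0) + (b != 0);
}

/* 1 if the stored checksum matches bytes 0x10..0x2D, 0 otherwise. */
int cmos_checksum_ok(const uint8_t *cmos)
{
    uint16_t sum = 0;
    for (int i = 0x10; i <= 0x2D; i++) sum += cmos[i];
    return ((cmos[CMOS_CKSUM_HI] << 8) | cmos[CMOS_CKSUM_LO]) == sum;
}

/* Constructed sample image: A: = 1.44M (type 4), no B:, valid checksum.
 * With hidden != 0 the floppy byte is zeroed, as a "no floppies" CMOS
 * would look, and the checksum is left stale so both checks fire. */
void make_sample_cmos(uint8_t *cmos, int hidden)
{
    memset(cmos, 0, CMOS_SIZE);
    cmos[CMOS_FLOPPY_TYPE] = 0x40;
    cmos[CMOS_CKSUM_HI] = 0x00; cmos[CMOS_CKSUM_LO] = 0x40; /* sum = 0x0040 */
    if (hidden) cmos[CMOS_FLOPPY_TYPE] = 0x00;
}

int main(void)
{
    uint8_t cmos[CMOS_SIZE];
    for (int hidden = 0; hidden < 2; hidden++) {
        make_sample_cmos(cmos, hidden);
        printf("A: type %d  B: type %d  drives=%d  checksum %s\n",
               cmos[CMOS_FLOPPY_TYPE] >> 4, cmos[CMOS_FLOPPY_TYPE] & 0x0F,
               cmos_floppy_count(cmos), cmos_checksum_ok(cmos) ? "ok" : "MISMATCH");
    }
    return 0;
}
```

A checksum mismatch points to tampering, but a valid checksum proves nothing
on its own, since whatever altered the byte can recompute it; the decisive
check is the drive count against the drives physically fitted.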

If the virus is a known ExeBug variant, you can now use F-PROT /HARD /DISINF
to remove it.  You may not be able to access the partitions on the hard
disk - that is normal - they will re-appear the next time you boot the machine.

If this is a new ExeBug variant, which cannot be removed with F-PROT, we
would of course appreciate a sample, but in order to remove it you should
be able to use the Norton Disk Doctor.

