Exebug
Exebug
Type Boot sector virus
Creator
Date Discovered 1992.09
Place of Origin South Africa
Source Language Assembly
Platform DOS
File Type(s)
Reported Costs

Exebug is a boot sector virus and the first virus capable of modifying the CMOS. It also trojanizes .exe files.

Behavior

When a disk infected with Exebug is booted, the virus installs itself in high memory just below the DOS 640k boundry. It moves the original hard drive boot sector to the last sector of Side 0, Cylinder 0, then replaces itself on that sector's original location.

The virus modifies the CMOS so the computer can no longer see disk drives other than the hard disk. It makes some effort to make the system look normal although it can be detected via the "chkdsk" utility whereupon an infected system will only show 654360 bytes of conventional memory (1024 bytes missing). The floppy drives are kept disabled long enough to ensure the system boots from the hard disk.

It infects floppy disks whenever they are accessed. On 360 kilobyte diskettes, it moves the original boot sector to Side 0, Track 40, Sector 1. For 1.2 megabyte floppies, it moves the sector to Side 0, Track 80, Sector 1.

The virus has stealth capabilities, as when a program tries to access the master boot record, the virus points the program to the original boot sector.

Origin

Exebug's country of origin is uncertain but very likely originated from the Pretoria, South Africa vicinity in 1992 according to Paul Ducklin from the CSIR. Mikko Hypponen of F-Secure also believes it comes from South Africa, while Patricia Hoffman of VSUM believes it could originate from Switzerland or Australia. Its possible Swiss origin is the reason it sometimes goes by the name Swiss Boot.

Sources

Mikko Hypponen. F-Secure Antivirus, F-Secure Virus Descriptions : ExeBug.

Patricia Hoffman. Online VSUM. Exebug Virus.

McAfee Antivirus, Exebug.

Securelist.com, Virus.Multi.ExeBug.a.

VIRUS-L Digest Newsletter, November 1992.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License