Exebug | |
---|---|
Type | Boot sector virus |
Creator | |
Date Discovered | 1992.09 |
Place of Origin | South Africa |
Source Language | Assembly |
Platform | DOS |
File Type(s) | |
Reported Costs | |
Exebug is a boot sector virus and the first virus capable of modifying the CMOS. It also trojanizes .exe files.
Behavior
When a disk infected with Exebug is booted, the virus installs itself in high memory just below the DOS 640k boundary. It moves the original hard drive boot sector to the last sector of Side 0, Cylinder 0, then places itself in that sector's original location.
The virus modifies the CMOS so the computer can no longer see disk drives other than the hard disk. It makes some effort to make the system look normal, although it can be detected with the "chkdsk" utility, which on an infected system shows only 654360 bytes of conventional memory (1024 bytes missing). The floppy drives are kept disabled long enough to ensure the system boots from the hard disk.
It infects floppy disks whenever they are accessed. On 360 kilobyte diskettes, it moves the original boot sector to Side 0, Track 40, Sector 1. For 1.2 megabyte floppies, it moves the sector to Side 0, Track 80, Sector 1.
The virus has stealth capabilities: when a program tries to access the master boot record, the virus points the program to the original boot sector.
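The relocation addresses above can be checked offline on a raw, sector-order disk image, where the stealth redirection is not active. The following is an added example, not code from any of the cited sources: the function names are hypothetical, the analyst supplies the hard disk's sectors-per-track value (17 in the constructed sample), and a 0x55AA boot signature is used as a heuristic for "looks like a boot sector".

```python
SECTOR = 512
# format -> (heads, sectors per track, track the page names for the moved sector)
FLOPPY = {"360K": (2, 9, 40), "1.2M": (2, 15, 80)}

def chs_to_lba(cyl, head, sector, heads, spt):
    """Convert CHS (sector numbers are 1-based) to a 0-based LBA."""
    return (cyl * heads + head) * spt + (sector - 1)

def read_sector(image, lba):
    """Return the sector at lba, or None when the image does not cover it."""
    chunk = image[lba * SECTOR:(lba + 1) * SECTOR]
    return chunk if len(chunk) == SECTOR else None

def has_boot_signature(sec):
    return sec is not None and sec[510:512] == b"\x55\xaa"

def has_partition_entry(sec):
    """True if any of the four MBR slots has a valid status and nonzero type."""
    return any(sec[o] in (0x00, 0x80) and sec[o + 4] != 0 for o in range(446, 510, 16))

def hard_disk_suspect(image, spt):
    """Flag an MBR-like sector at cylinder 0, side 0, sector spt that differs from LBA 0."""
    stash = read_sector(image, chs_to_lba(0, 0, spt, heads=1, spt=spt))  # heads unused here
    return (has_boot_signature(stash) and has_partition_entry(stash)
            and stash != read_sector(image, 0))

def floppy_suspect(image, fmt):
    """None if the image stops before the named track, else True or False."""
    heads, spt, track = FLOPPY[fmt]
    stash = read_sector(image, chs_to_lba(track, 0, 1, heads, spt))
    return None if stash is None else has_boot_signature(stash)

def sample_sector(partition=False, marker=0):
    """Constructed sector: boot signature, optional partition entry, marker byte."""
    sec = bytearray(SECTOR)
    sec[0], sec[510:512] = marker, b"\x55\xaa"
    if partition:
        sec[446], sec[450] = 0x80, 0x06  # active flag, FAT16 type byte
    return bytes(sec)

def sample_hard_disk(relocated, spt=17):
    """Constructed first track: MBR at LBA 0, optional second copy in the last sector."""
    track = bytearray(sample_sector(partition=not relocated, marker=1)) + bytearray(SECTOR * (spt - 1))
    if relocated:
        track[(spt - 1) * SECTOR:] = sample_sector(partition=True)
    return bytes(track)

if __name__ == "__main__":
    print(hard_disk_suspect(sample_hard_disk(True), 17), hard_disk_suspect(sample_hard_disk(False), 17))
```

A standard-size 360K or 1.2M image ends exactly where the named track begins, so `floppy_suspect` returns `None` for it; the check only gives an answer when the imaging tool captured tracks past the standard geometry.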
Origin
Exebug's country of origin is uncertain, but according to Paul Ducklin from the CSIR it very likely originated in the vicinity of Pretoria, South Africa, in 1992. Mikko Hypponen of F-Secure also believes it comes from South Africa, while Patricia Hoffman of VSUM believes it could originate from Switzerland or Australia. Its possible Swiss origin is the reason it sometimes goes by the name Swiss Boot.
Sources
Mikko Hypponen. F-Secure Antivirus, F-Secure Virus Descriptions : ExeBug.
Patricia Hoffman. Online VSUM. Exebug Virus.
McAfee Antivirus, Exebug.
Securelist.com, Virus.Multi.ExeBug.a.
VIRUS-L Digest Newsletter, November 1992.