| Form | |
|---|---|
| Type | Boot sector virus |
| Creator | |
| Date Discovered | 1990.02 |
| Place of Origin | Zurich, Switzerland |
| Source Language | Assembly |
| Platform | DOS |
| Infection Length | 3 disk sectors |
| Reported Costs | |
Form is a boot sector virus from the 1990's. It often topped charts for the most common virus. Form was extremely long-lived, on the list of viruses in the wild up until 2006, 16 years after its initial release.
Behavior
When an infected disk is booted, the virus becomes memory resident. In memory, it takes up 2 kilobytes. It infects any disks that are used on the system. The virus will only infect the hard drive when the computer is booted from a floppy. Unlike most boot viruses that infect hard drives, Form actually infects the hard drive's boot sector rather than the master boot record. It overwrites the boot sector and places the rest of itself and a copy of the original boot sector on two sectors of the disk that will be marked as bad. The extra sectors will contain the text, which is never displayed:
The FORM-Virus sends greetings to everyone who's reading this text.
FORM doesn't destroy data! Don't panic! Fuckings go to Corinne.
Form's payload activates on the 18th of any month. The user will hear a clicking noise every time a key is pressed. There may be a barely noticable delay between keys being pressed and text appearing on the screen. The activation of this payload will fail if the keyboard driver is already loaded.
It also has an unintended payload that may destroy data. It fails to correctly infect volumes that are not DOS FAT. On some non-FAT file systems, especially NTFS, the computer will not boot if the sectors at the end of the partition are overwritten.
Variants
There are several variants, all of them functionally similar to the original. Some of the payload dates are different.
Effects
The virus was particularly prevalent in schools in the Zug canton of Switzerland, not far from its alleged point of origin in Zurich, shortly after its release. It very quickly became one of the most common viruses of the 1990's. This is sometimes attributed to the fact that the virus was so quiet and (for 16-bit FAT systems) completely non-destructive. It was still on the list of wild viruses as of January in 2006, but fell off that list in the next month.
Around 5 times, Form came installed in vendor software. In late 1991, it came in a C++ library disk. In summer of the next year, it was found in an Army hazardous materials tracking disk. In spring of 1993, it came in a UK edition of Hoskyns Project Manager Workbench. In February of 1995, it was accidentally shipped twice, once in Mitsumi Mouse drivers and in thousands of unspecified Microsoft disks.
Sources
Morton Swimmer. University of Hamburg, Virus Test Center, Computer Virus Catalog 1.2: "Form" Virus. 1990.06.05
Mikko Hypponen. F-Secure, F-Secure Virus Descriptions : Form.
The WildList Organization International, PC Viruses In-the-Wild - January, 2006.
McAfee Antivirus, Virus Profile: FORM. 1990.06.15
Attrition.org, Certified Pre-0wned.