Form

SUMMARY

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low
• Payload Trigger: 18th of every month

Distribution

• Distribution Level: Low
• Target of Infection: DOS

TECHNICAL DETAILS

Form is a virus with viral code that is two sectors in length. Form reserves 2K of memory by modifying the available memory word at 40:13. Thus, on a 640K machine, MEM would report 638K and CHKDSK would report 653,312 bytes of free memory. On the hard drive, the second virus sector and the original boot sector are stored on the last two sectors of the infected drive. The virus does not protect these sectors, so they can be overwritten by data at a later time, making the drive hang during the boot sequence. The drive, however, will still be accessible. On a floppy disk, the virus stores its second sector and the original boot in an unused cluster and marks the cluster as bad in the FAT to protect it. CHKDSK reports 1024 bytes (1K) in bad sectors on an infected floppy disk. Upon booting from an infected disk, the virus checks the date using interrupt 1Ah function 4. The virus checks the value in the dl register for 18. This return is in binary-coded decimal, not hexadecimal , so the virus is testing for the 18th of the month, not the 24th. Some sources mistakenly have the 24th as the trigger date. On the 18th of every month, the virus produces a clicking sound whenever a key is pressed. The second virus sector contains the text:

The FORM-Virus sends greetings to everyone whos reading this text. FORM doesnt destroy data! Dont panic!

It also includes a short, obscene message to someone named Corinne. The message is not displayed, but can be seen by examining the next to last sector on the hard drive partition or the first sector in the bad cluster on a floppy disk with a disk editor. While the Form virus contains no intentionally damaging code, two bugs in the virus may cause problems. First, the virus does not retry disk reads and hangs the system on a failed disk read. Second, the unprotected second sector and original DOS boot sector on the hard disk may be overwritten if the drive fills completely, rendering the drive unbootable.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.