Form (computer virus)

Computer virus
Fullname = Form
Common name = Form
Technical name = Form
Family = N/A
Aliases = Form18, Forms
Classification = Virus
Type = DOS
Subtype = Boot virus
IsolationDate = June 1990
Isolation = Switzerland
Origin = Switzerland (?)
Author = Unknown

Form is an unremarkable boot virus. It was isolated in Switzerland in the summer of 1990, and subsequently became very common worldwide. The origin of Form is widely listed as Switzerland, but this may be an assumption based on its isolation locale. The only notable characteristics of Form are that it infects the boot sector instead of the Master Boot Record (MBR) and the clicking noises associated with some infections. Infections under Form can result in severe data damage if operating system characteristics are not identical to those Form assumes.

It is notable for (arguably) being the most common virus in the world for a period during the 1990s.

Infection

Form infects the boot sector. It is only able to infect if the machine is booted from an infected diskette. When an infected diskette is booted from, Form will go into memory, and infect any subsequently inserted disk. Infected disks will have 1,024 bytes of bad sectors.

ymptoms

Form has a range of symptoms, most of which will not be evident in all infections.
*Form's most famous side effect is a clicking noise produced by typing on the keyboard on the 18th of every month. However, this payload very rarely appears on modern computers, as it will not execute if a keyboard driver is installed.
*Form consumes 2KB of memory, and the DOS MEM command will report that this memory is unavailable. This appears on all infections.
*On floppy disks, 1KB of bad sectors will be reported. This appears in all infections.
*The Form data sector contains the text "The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! Fuckings go to Corinne." This is not displayed. Additionally, some versions of Form have had this text removed.
*Form makes the assumption that the active partition is a DOS FAT partition. If this is not true, such as under Windows NT, Form will overwrite in a way that may result in irreversible data loss.

Prevalence

Form has been listed as being spreading by the WildList [http://www.parc.xerox.com/about/history/default.html] since the first ever version of the WildList, in July 1993. It is the only virus listed on the original list to remain on today. However, only two of the list's 82 reporters have identified a Form infection under the latest incarnation of the list, which stands in sharp contrast to when Form was regularly listed as among the most common viruses in the field.

As with most boot viruses, a Form infection is a rare find in modern times. Since the advent of Windows, boot viruses have become increasingly uncommon, including Form. Generally, Form infections are due to the use of floppy disks infected during the original pandemic that have since been taken out of storage.

Variants

Form has a number of variants. The widely documented versions are as follows.
*Form.B is a minor variant of the original, with the clicking payload set for the 18th of each month instead of the 24th. It was a rare find in the field during the mid1990s, but has since become obsolete.
*Form.C is a virtually undocumented, trivial variant of the original. It is suggested that Form.C is another minor variant of Form, except only activates in May. Like Form.B, it was documented as being discovered rarely in the wild during the mid-1990s.
*Form.D is the most common version of Form besides the original. Some reports indicate that it affects the partition table in some way. It was a somewhat common in 1997 and 1998.
*FormII is an undocumented variant.
*Form-Canada is an undocumented variant.

External links

* [http://www.f-secure.com/v-descs/form.shtml F-Secure]
* [http://www.ciac.org/ciac/virdb/VIRS0429.TXT CIAC]
* [http://www.sophos.com/virusinfo/analyses/form.html Sophos]
* [http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=473 McAfee]