Exebug

Type: Boot sector virus
Creator:
Date Discovered: 1992.09
Place of Origin: South Africa
Source Language: Assembly
Platform: DOS
Infection Length:
Reported costs:

Exebug is a boot sector virus and the first virus capable of modifying the CMOS. It also trojanizes .exe files.

Behavior

When a disk infected with Exebug is booted, the virus installs itself in high memory just below the DOS 640k boundary. It moves the original hard drive boot sector to the last sector of Side 0, Cylinder 0, then writes itself to that sector's original location.

The virus modifies the CMOS so that the computer can no longer see disk drives other than the hard disk. It makes some effort to make the system look normal, although it can be detected with the "chkdsk" utility, which on an infected system shows only 654360 bytes of conventional memory (1024 bytes missing). The floppy drives are kept disabled long enough to ensure the system boots from the hard disk.

It infects floppy disks whenever they are accessed. On 360 kilobyte diskettes, it moves the original boot sector to Side 0, Track 40, Sector 1. For 1.2 megabyte floppies, it moves the sector to Side 0, Track 80, Sector 1.

The virus has stealth capabilities: when a program tries to access the master boot record, the virus points the program to the original boot sector.
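
Because of this stealth behavior, the relocation described above is best checked offline, on a raw image of the disk taken from a clean boot. The following Python sketch is an added example, not part of the original article or of any antivirus product: it looks at the last sector of Side 0, Cylinder 0 and reports whether an MBR-shaped sector that differs from the live boot sector is stored there. The function names, the 17-sectors-per-track geometry and the sample images are assumptions constructed for the illustration.

```python
import struct

SECTOR = 512

def looks_like_mbr(sector: bytes) -> bool:
    """0x55AA signature plus a plausible four-entry partition table."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    entries = [sector[446 + 16 * i:462 + 16 * i] for i in range(4)]
    # Boot indicator is 0x00 or 0x80; at least one entry has a partition type.
    if any(e[0] not in (0x00, 0x80) for e in entries):
        return False
    return any(e[4] != 0 for e in entries)

def check_track0_stash(image: bytes, sectors_per_track: int) -> dict:
    """Examine the last sector of cylinder 0, side 0 in a raw hard-disk image."""
    lba = sectors_per_track - 1  # CHS (0, 0, sectors_per_track) -> LBA
    live = image[:SECTOR]
    stash = image[lba * SECTOR:(lba + 1) * SECTOR]
    stash_is_mbr = looks_like_mbr(stash)
    return {
        "stash_lba": lba,
        "stash_looks_like_mbr": stash_is_mbr,
        # An MBR-shaped sector here that differs from the live one is worth a look.
        "suspicious": stash_is_mbr and live != stash,
    }

def sample_sector(fill: int, with_table: bool) -> bytes:
    """Constructed 512-byte sector: filler bytes, optional table, signature."""
    table = bytes(64)
    if with_table:  # one active partition, type 0x06; CHS/LBA values are made up
        table = struct.pack("<4B4BII", 0x80, 1, 1, 0, 0x06, 3, 17, 100, 17, 20000) + bytes(48)
    return bytes([fill]) * 446 + table + b"\x55\xaa"

SPT = 17  # assumed geometry for the constructed images
ORIGINAL = sample_sector(0x11, with_table=True)
CLEAN = ORIGINAL + bytes(SECTOR * (SPT - 1))
RELOCATED = sample_sector(0x22, with_table=False) + bytes(SECTOR * (SPT - 2)) + ORIGINAL

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("relocated", RELOCATED)):
        print(name, check_track0_stash(img, SPT))
```

A hit is a lead rather than a verdict, since boot managers and drive overlay software also store data in the unused sectors of track 0.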

Origin

Exebug's country of origin is uncertain, but it very likely originated in the vicinity of Pretoria, South Africa in 1992, according to Paul Ducklin of the CSIR. Mikko Hypponen of F-Secure also believes it comes from South Africa, while Patricia Hoffman of VSUM believes it could have originated in Switzerland or Australia. Its possible Swiss origin is the reason it sometimes goes by the name Swiss Boot.

Sources

Mikko Hypponen. F-Secure Antivirus, F-Secure Virus Descriptions : ExeBug.

Patricia Hoffman. Online VSUM. Exebug Virus.

McAfee Antivirus, Exebug.

Securelist.com, Virus.Multi.ExeBug.a.

VIRUS-L Digest Newsletter, November 1992.
