Sophos

Form


Summary

Action

Please read the instructions for disinfecting DOS boot record viruses that store the boot sector.

Note: If you find Form on a Windows NT/2000 computer, do not switch it off. The system will most likely not restart, and it will be difficult to restore. Contact qualified anti-virus technical support immediately.

More Information

Form originated from Switzerland and has been one of the most common viruses for a number of years. Unlike most boot viruses, it infects the boot sector of the active partition instead of the master boot sector.

Form triggers on the 18th of every month. If the keyboard has US settings it produces a click every time a key is pressed.

On infection, the virus overwrites the partition boot sector with its own code, saving the original partition boot sector and a sector of its own code in the last two sectors of the partition. Form does not allocate or otherwise protect these sectors in any way, but since the FAT file system allocates sectors from the beginning of the disk, they will not be overwritten unless the disk fills up completely.
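For triage of a raw disk image, the two sectors described above can be located from the MBR partition table and checked for boot-sector-like content. This is an added example, not Sophos code; the function names, the sample image and the JMP-plus-55AA heuristic are assumptions made here for illustration.

```python
import struct

SECTOR = 512

def active_partition(mbr):
    """Return (start_lba, sector_count) of the first active MBR entry, or None."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector")
    for i in range(4):
        off = 446 + 16 * i
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if mbr[off] == 0x80 and count:
            return start, count
    return None

def looks_like_boot_sector(sec):
    # x86 boot sectors start with a JMP (EB/E9) and end with the 55 AA signature.
    return len(sec) == SECTOR and sec[0] in (0xEB, 0xE9) and sec[510:512] == b"\x55\xaa"

def inspect_tail(image, n=2):
    """Report the last n sectors of the active partition: (lba, boot_like, all_zero)."""
    part = active_partition(image[:SECTOR])
    if part is None:
        return []
    start, count = part
    report = []
    for lba in range(start + max(count - n, 0), start + count):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(sec) < SECTOR:
            raise ValueError("image ends before sector %d" % lba)
        report.append((lba, looks_like_boot_sector(sec), sec.count(0) == SECTOR))
    return report

def build_sample_image(stash_boot_copy):
    """Constructed test image: MBR + one active 100-sector FAT16 partition at LBA 63."""
    img = bytearray(SECTOR * 163)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x06, b"\0" * 3, 63, 100)
    img[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x3c\x90"
    boot[510:512] = b"\x55\xaa"
    img[63 * SECTOR:64 * SECTOR] = boot
    if stash_boot_copy:  # constructed case: a boot-sector copy in the partition's last sector
        img[162 * SECTOR:163 * SECTOR] = boot
    return bytes(img)

if __name__ == "__main__":
    for lba, boot_like, empty in inspect_tail(build_sample_image(True)):
        print(lba, "boot-sector-like" if boot_like else "empty" if empty else "data")
```

A boot-sector-like hit at the end of a partition is a reason to inspect the sector, not proof of infection.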

Unfortunately, Form assumes that the active partition is a DOS FAT partition. This is fatal under non-DOS operating systems - if the sectors at the end of the partition are written to, the computer will not start. Windows NT appears particularly vulnerable to this problem, and therefore a Form infection on NT can cause major problems.

Under DOS (and 16-bit Windows), however, Form exists inconspicuously, and this is largely why it is so widespread.

There are several variants with minor differences.
