-----------------------------------------------------------------------------
 WildList Notes - (c)1995 Joe Wells - c1jwells@watson.ibm - wildlist@aol.com
-----------------------------------------------------------------------------

Virus Name:  Form

Aliases:     [none]

Infects:     DOS boot sector on hard and floppy disks.

Disk Size:   2 sectors.

Location:    Second virus sector, followed by original boot sector, 
             stored on floppy diskettes in an unused cluster, which 
             is marked as bad. Chkdsk will report 1024 bytes (1k) in 
             bad sectors on diskette.

             On hard disk, the second sector and original boot are stored 
             in the last two sectors of the infected partition. Not in the
             last two sectors on the physical drive as some reports state.

Memory Size: The virus reserves 2k of memory by modifying the available
             memory word at 40:13. On a 640k system the value will be 
             changed from 280h to 27Eh. Chkdsk will report 653312 bytes 
             (638k) of memory free.

Location:    On a 640k system the virus will reside at segment 9FB0h.

Special:     The date check uses a function not supported before ATs.

Effects:     When triggered (see below), the virus produces a clicking 
             sound when keys are pressed.

Trigger:     Booting on the 18th day of any month.

Messages:    (Not displayed) "The FORM-Virus sends greetings to everyone 
             who's reading this text. FORM doesn't destroy data! Don't 
             panic!" There is also a short, obscene message to "Corinne". 

             The messages are visible in the second virus sector and, in 
             memory, at offset 70h in the virus segment (9FB0:70 on a 640k 
             system).

Bugs:        One problematic, one potentially dangerous. The first is that 
             the virus does not retry disk reads and will hang the system 
             on a read failure. The second is that the virus does not 
             protect the two sectors at the end of an infected partition. 
             Thus, the second virus sector and original boot sector
             may be overwritten. This will make the partition unbootable.

Origin:      Probably Switzerland, in 1991.

Notes:       The virus uses an interrupt 1Ah call (function 4) to get the 
             current date and checks the dl register for a value of 18h. 

             Some early researchers reported that the virus would trigger
             on the 24th of any month (since 18h = 24 decimal). The 
             function call, however, returns a BCD (binary coded decimal)
             value. So 18h means 18 decimal, thus the 18th day of the
             month is tested for. This mistake further led to reports of 
             Form triggering on the 18th being attributed to a variant 
             dubbed Form-18. Actually Form-18 is Form. There is no Form-24.

