Amiga Virus Encyclopedia
Little Sven Virus
Name : Little Sven
Aliases : Cameleon
Type/Size : Boot/2048
Clones : No Clones
Symptoms : No Symptoms
Discovered : 07-05-92
Way to infect: Boot infection
Rating : Very Dangerous
Kickstarts : 1.2/1.3; not properly with 2.0, but it works.
Damage : Overwrites block 3 & 4 + crypts blocks.
Removal : Use a good virus killer.
Comments : The Little Sven virus is a very dangerous one. The
length of the virus is 2048 bytes. The virus saves
the original bootblock of every infected disk in
blocks 2, 3, so this bootblock will be executed even
when the disk is infected. If you start a
Little Sven infected disk, the virus makes itself
resident by changing the CoolCapture vector. After
that the virus loads the OriginalBB from blocks 2 & 3.
To infect other disks the virus uses the BeginIO()
vector of the trackdisk.device. Additionally the
virus patches the DisplayAlert() vector of the
intuition.library and the Supervisor() vector of
the exec.library. After initialising all these virus
routines the OriginalBB will be executed.
- This patch forbids all alerts. That means no alerts
  will be shown anymore.
- This patch sets the CoolCapture to the virus value.
Case 1: You are inserting an unprotected disk.
1) The virus checks if the disk is already infected.
   If Yes: The virus checks if the bb-access was
           -> Yes: The virus loads the OriginalBB
                   from blocks 2, 3.
                   That means if you want to see
                   the bootblock of an infected disk
                   the virus shows you always the
           -> No:  End.
   If No:  The virus checks if this is the 3rd
           -> Yes: The virus will execute a
                   routine which writes data on
                   your disk. -> DAMAGED!!!
           -> No:  The virus loads the OriginalBB
                   of the disk, copies it to blocks
                   2, 3 and infects the disk.
Blocks 2, 3 are now damaged. No salvage possible.
The Bootblock AND the original bootblock are
crypted. (The virusbb is crypted depending of
Case 2: A block will be loaded from an unprotected
1) The virus will check the current block for a
   If Yes: The block was already crypted, so
   If No:  The virus checks for the value 8 in the
           1st longword (= DATA)
           -> Yes: Inserts the byte-mark $ABCD and
                   crypts the block.
           -> No:  End.
That means you can read such blocks only while the
virus is active in memory. But now imagine you have
an infected disk with crypted blocks on it. Now you
copy a normal DOS-BB onto this disk and you
boot from it.
----> YOU WILL GET A READ/WRITE ERROR or A CHECKSUM
So please use a good virus killer which can also
decrypt such blocks, e.g. VT or VirusWorkshop.
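
A crypted data block no longer passes the normal AmigaDOS type and checksum test, which is what produces the errors described above once the virus is not in memory. The following check is an added example, not part of the original entry and not code from VT or VirusWorkshop: it walks the file headers of a raw disk image and lists the data blocks that fail that test. It assumes the standard OFS layout with 512-byte blocks and does not follow file extension blocks; the sample image and its XOR scrambling are constructed stand-ins, not the virus's cipher.

```python
import struct

BSIZE = 512
T_HEADER, T_DATA = 2, 8          # primary block types (first longword)
ST_FILE = 0xFFFFFFFD             # secondary type -3 in the last longword

def longs(block):
    return struct.unpack(">128L", block)

def checksum_ok(block):
    # AmigaDOS rule: the 128 big-endian longwords of a block sum to 0 mod 2^32.
    return (sum(longs(block)) & 0xFFFFFFFF) == 0

def seal(words):
    # Helper for the sample only: fill checksum longword 5, return 512 bytes.
    words[5] = 0
    words[5] = -sum(words) & 0xFFFFFFFF
    return struct.pack(">128L", *words)

def unreadable_data_blocks(image):
    """Return [(file_header_block, data_block)] for listed data blocks
    that are not a valid T_DATA block (wrong type or bad checksum)."""
    blocks = [image[i:i + BSIZE] for i in range(0, len(image) - BSIZE + 1, BSIZE)]
    bad = []
    for n, blk in enumerate(blocks):
        w = longs(blk)
        if w[0] != T_HEADER or w[127] != ST_FILE or not checksum_ok(blk):
            continue
        count = min(w[2], 72)                # high_seq: used table entries
        for ptr in w[77:77 - count:-1]:      # table runs backwards from longword 77
            ok = 0 < ptr < len(blocks) and longs(blocks[ptr])[0] == T_DATA \
                 and checksum_ok(blocks[ptr])
            if not ok:
                bad.append((n, ptr))
    return bad

def sample_image():
    # Constructed 8-block image: file header in block 2 lists data blocks 3, 4.
    hdr = [0] * 128
    hdr[0], hdr[1], hdr[2], hdr[4] = T_HEADER, 2, 2, 3
    hdr[77], hdr[76], hdr[127] = 3, 4, ST_FILE
    data = lambda seq, nxt: seal([T_DATA, 2, seq, 488, nxt, 0] + [0x41414141] * 122)
    blocks = [bytes(BSIZE)] * 8
    blocks[2], blocks[3], blocks[4] = seal(hdr), data(1, 4), data(2, 0)
    return blocks

if __name__ == "__main__":
    img = sample_image()
    img[4] = bytes(b ^ 0x5A for b in img[4])   # stand-in scrambling, NOT the virus cipher
    print(unreadable_data_blocks(b"".join(img)))
```

Blocks reported this way are candidates for decryption by a virus killer rather than for deletion; the check cannot tell a crypted block from one damaged by other means.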
At the end of the decrypted bootblock you can read:
"The Curse of Little Sven!"
-> See also Xcopy5.6-Trojan which installs this
SHI - A.D 05-94