Little Sven Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



     ------------------------
     Amiga Virus Encyclopedia
     Little Sven Virus
     ------------------------

 
     Name         : Little Sven

     Aliases      : Cameleon

     Clones       : No Clones

     Type         : Bootblock
     
     Size         : 2048 bytes

     Symptoms     : No Symptoms

     Discovered   : 7 May 1992

     Way to infect: Boot infection

     Rating       : Very Dangerous

     Kickstarts   : 1.2
                    1.3
                    2.0

     Damage       : Overwrites block 3 & 4 + crypts blocks

     Removal      : Use good Viruskiller

     Comments     : The Little Sven virus is a very dangerous one. The
                    length of the virus is 2048 bytes. The virus saves
                    the original bootblock of every infected disk in
                    blocks 2 and 3, so this bootblock will still be
                    executed even when the disk is infected. If you
                    boot a Little Sven infected disk, the virus makes
                    itself resident by changing the CoolCapture vector.
                    After that the virus loads the original BB from
                    blocks 2 and 3. To infect other disks the virus
                    uses the BeginIO() vector of the trackdisk.device.
                    Additionally the virus patches the DisplayAlert()
                    vector of the intuition.library and the
                    Supervisor() vector of the exec.library. After
                    initialising all these virus routines, the
                    original BB will be executed.

                    DisplayAlert-Patch:
                    -This patch forbids all alerts. That means no alerts
                     will be shown anymore.

                    Supervisor-Patch:
                    -This patch sets the CoolCapture vector back to the
                     virus value.

                    BeginIO()-Patch (Infection-Patch):
                    Case 1: You are inserting an unprotected disk.

                     1) The virus checks if the disk is already infected.
                        If Yes: The virus checks if the BB access was
                                a read access.

                                -> Yes: The virus loads the original BB
                                        from blocks 2 and 3.
                                        That means if you want to see
                                        the bootblock of an infected disk,
                                        the virus always shows you the
                                        original one.
                                ->  No: End.

                        If  No: The virus checks if this is the 3rd
                                infection.
                                -> Yes: The virus executes a routine
                                        which writes data on your disk.
                                        -> DAMAGED!!!
                                ->  No: The virus loads the original BB
                                        of the disk, copies it to blocks
                                        2 and 3 and infects the disk.

                        Blocks 2 and 3 are now damaged. No salvage
                        possible. The bootblock AND the original
                        bootblock are encrypted. (The virus BB is
                        encrypted depending on the value of $DFF007.)

                    BeginIO()-Patch (Infection-Patch):
                    Case 2: A block is loaded from an unprotected disk.

                     1) The virus checks the current block for a
                        byte-mark ($ABCD).

                        If Yes: The block was already encrypted, so it
                                is decrypted.

                        If  No: The virus checks for the value 8 in the
                                1st longword (= DATA block).

                                -> Yes: Inserts the byte-mark $ABCD and
                                        encrypts the block.
                                ->  No: End.

                    That means you can read such blocks only while the
                    virus is active in memory. But now imagine you have
                    an infected disk with encrypted blocks on it. Now
                    you copy a normal DOS BB onto this disk and boot
                    with it.
                    ----> YOU WILL GET A READ/WRITE ERROR or A CHECKSUM
                          ERROR.
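                    The following Python script is an added illustration
                    for this entry; it is not VHT's text nor the code of
                    any viruskiller. It performs offline, on an ADF image
                    (the raw 512-byte blocks of a floppy in order), the two
                    checks whose failure the paragraph above describes: the
                    standard Amiga bootblock checksum of blocks 0 and 1 and
                    the standard OFS per-block checksum of every type-8
                    (DATA) block, which is the check AmigaDOS fails with a
                    checksum error once the virus is no longer resident to
                    decrypt the blocks. The script does not reproduce the
                    virus's encryption. The $ABCD value comes from the
                    entry, but its position in the block (the first 16-bit
                    word) is an assumption made for the example, since the
                    entry does not say where the virus stores the mark. An
                    infected bootblock passes the bootblock checksum (it
                    must, in order to boot), so that part is an integrity
                    check, not a Little Sven detector.

```python
"""Offline integrity scan of an Amiga OFS disk image (.adf = raw 512-byte
blocks in order). Added example for this encyclopedia entry; not VHT's or any
viruskiller's code. It does not reproduce the virus's encryption: it only
applies the checks whose failure the entry describes (bootblock checksum,
OFS data-block checksum) and flags blocks that carry the $ABCD mark, whose
position in the block is ASSUMED here to be the first 16-bit word."""
import struct

BLOCK = 512
T_DATA = 8                 # OFS block type of a file data block
LITTLE_SVEN_MARK = 0xABCD  # value from the entry; its offset is an assumption


def bootblock_checksum(bb: bytes) -> int:
    """Amiga bootblock checksum over the 1024-byte bootblock: sum of 256
    big-endian longwords with end-around carry, the checksum field at
    offset 4 counted as zero, result complemented."""
    total = 0
    for off in range(0, 1024, 4):
        if off == 4:
            continue
        total += struct.unpack_from(">I", bb, off)[0]
        if total > 0xFFFFFFFF:               # fold the carry back in
            total = (total & 0xFFFFFFFF) + 1
    return total ^ 0xFFFFFFFF


def bootblock_ok(bb: bytes) -> bool:
    """True if blocks 0-1 carry a DOS signature and a matching checksum."""
    return (len(bb) == 1024 and bb[:3] == b"DOS"
            and struct.unpack_from(">I", bb, 4)[0] == bootblock_checksum(bb))


def ofs_block_checksum(blk: bytes) -> int:
    """OFS/FFS block checksum: all 128 longwords must sum to 0 mod 2^32;
    the checksum field is longword 5 (byte offset 20)."""
    words = struct.unpack(">128I", blk)
    return (-sum(w for i, w in enumerate(words) if i != 5)) & 0xFFFFFFFF


def make_data_block(header_key: int, seq: int, payload: bytes) -> bytes:
    """Build a valid OFS data block (used only to construct sample input)."""
    blk = bytearray(BLOCK)
    # type, header block key, sequence number, data size, next data block
    struct.pack_into(">IIIII", blk, 0, T_DATA, header_key, seq, len(payload), 0)
    blk[24:24 + len(payload)] = payload
    struct.pack_into(">I", blk, 20, ofs_block_checksum(blk))
    return bytes(blk)


def scan_adf(image: bytes) -> dict:
    """Classify every block after the bootblock: data blocks with a good
    checksum, data blocks whose checksum fails (what AmigaDOS reports as a
    checksum/read error) and blocks carrying the assumed-position mark."""
    report = {"bootblock_ok": bootblock_ok(image[:1024]),
              "data_ok": [], "data_bad_checksum": [], "marked": []}
    for n in range(2, len(image) // BLOCK):
        blk = image[n * BLOCK:(n + 1) * BLOCK]
        if struct.unpack_from(">H", blk, 0)[0] == LITTLE_SVEN_MARK:
            report["marked"].append(n)
        elif struct.unpack_from(">I", blk, 0)[0] == T_DATA:
            stored = struct.unpack_from(">I", blk, 20)[0]
            key = "data_ok" if stored == ofs_block_checksum(blk) else "data_bad_checksum"
            report[key].append(n)
    return report


def build_sample_image() -> bytes:
    """Constructed 5-block image: a valid DOS bootblock (blocks 0-1), a clean
    data block (2), a copy carrying the mark in its first word (3) and a copy
    with one payload byte altered (4)."""
    bb = bytearray(1024)
    bb[:4] = b"DOS\x00"                       # OFS bootblock signature
    struct.pack_into(">I", bb, 8, 880)        # root block of an 880 KB floppy
    struct.pack_into(">I", bb, 4, bootblock_checksum(bb))
    clean = make_data_block(880, 1, b"constructed sample payload")
    marked = bytearray(clean)
    struct.pack_into(">H", marked, 0, LITTLE_SVEN_MARK)
    damaged = bytearray(clean)
    damaged[30] ^= 0xFF
    return bytes(bb) + clean + bytes(marked) + bytes(damaged)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for k, v in scan_adf(data).items():
        print(f"{k}: {v}")
```

                    Run without arguments it scans the constructed
                    image; given the path of a real .adf it lists the
                    data blocks whose checksum no longer matches, which
                    is what a disk left in the state described above
                    looks like to a clean AmigaDOS.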

                    So please use a good viruskiller which can also
                    decrypt such blocks, e.g. VT or VirusWorkshop.
                    At the end of the decrypted bootblock you can read:

                    "The Curse of Little Sven!"

                    See also the X-Copy v5.6 Trojan, which installs this
                    virus.

     Test made by : Safe Hex International
     
     
     Ascii of Little Sven Bootblock virus (Decoded):
     
 
     

Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk