VIRUS HELP TEAM




     ------------------------
     Amiga Virus Encyclopedia
     Sachsen 3 Virus
     ------------------------

    
     Name         : Sachsen 3

     Aliases      : No Aliases

     Type         : Bootblock
     
     Size         : 2048 bytes

     Symptoms     : No Symptoms

     Discovered   : ?

     Way to infect: Boot infection

     Rating       : Dangerous

     Kickstarts   : 1.2
                    1.3
                    2.0

     Damage       : Overwrites boot + block 2,3 + other blocks (!!)

     Manifestation: -

     Removal      : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                    Kickstart all others: VirusZ III v1.04ß or higher, and also Xvs.library v33.47 or higher

     Comments     : The Sachsen 3-Virus consits of 2 Parts.

                   1) The Loader-Routine-Part for the Main-Part.
                       (=>Block 0,1)

                   2) The MAIN-Part with infection-Routines.  
                       (=>Block 2,3)

                    The virus copies itself to $78000 and changes the
                    Cool-Capture to stay resident in memory. To infect
                    other disks the virus patches to DoIO()-Vector.
                    Additionally the virus patches the Wait()-Vector.
                    Imagine you are inserting an uprotected, clean disk:

                   1) The virus checks the infectionvalue. If this value
                      is greater than 3 the virus calculates a block
                      depending of $DFF006 and destroys it with the 
                      string "SACHSEN3". If the value is greater than
                      12 the virus shows an alert:

                      "SACHSEN VIRUS NO.3 in Generation : XXXXX is running..."

                      (The X depends of the Generation !)

                   2) The Virus relabels the disk in "SACHSEN VIRUS NO.3
                      ON DISK !!!" by loading block 370 (!!!!)
                      (That means for HD-Disk Users = Block 370 
                       DESTROYED!)

                   3) The virus writes 2048 bytes. (Loader+Main-part)
                      Block 2,3 = DESTROYED !!

     Test made by : Safe Hex International
     
     
     Screenshot of Sachsen NO.3 virus:
     

     Ascii of Sachsen 3 virus:
        
   
     


Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk