     Name         : Little Sven

     Aliases      : Cameleon

     Type/Size    : Boot/2048

     Clones       : No Clones 

     Symptoms     : No Symptoms

     Discovered   : 07-05-92

     Way to infect: Boot infection

     Rating       : Very Dangerous

     Kickstarts   : 1.2/1.3 not properly with 2.0, but it works.

     Damage       : Overwrites block 3 & 4 + crypts blocks.

     Removal      : Use good Viruskiller.

     Comments     : The Little Sven-Virus is a very dangerous one. The
                    length of the virus is 2048 bytes. The virus saves
                    the original bootblock of every infected disk in
                    blocks 2, 3, so this bootblock is still executed
                    even when the disk is infected. If you boot from a
                    Little Sven infected disk, the virus makes itself
                    resident by changing the CoolCapture vector. After
                    that the virus loads the original BB from blocks 2
                    and 3. To infect other disks the virus uses the
                    BeginIO() vector of the trackdisk.device.
                    Additionally the virus patches the DisplayAlert()
                    vector of the intuition.library and the
                    Supervisor() vector of the exec.library. After
                    initialising all these virus routines, the original
                    BB is executed.

                    DisplayAlert-Patch:
                    -This patch forbids all alerts. That means no alerts
                     will be shown anymore.

                    Supervisor-Patch:
                    -This patch sets the CoolCapture vector to the virus
                     value.

                    BeginIO-Patch (Infections-Patch):
                    Case 1: You are inserting an unprotected disk.

                     1) The virus checks if the disk is already infected.
                        If Yes: The virus checks if the BB access was
                                a read access.

                                -> Yes: The virus loads the original BB
                                        from blocks 2, 3.
                                        That means if you want to see
                                        the bootblock of an infected
                                        disk, the virus always shows you
                                        the original one.
                                ->  No: End.

                        If  No: The virus checks if this is the 3rd
                                infection.
                                -> Yes: The virus executes a routine
                                        which writes data on your disk.
                                        -> DAMAGED!!!
                                ->  No: The virus loads the original BB
                                        of the disk, copies it to blocks
                                        2, 3 and infects the disk.

                        Blocks 2, 3 are now damaged. No salvage possible.
                        The bootblock AND the original bootblock are
                        crypted. (The virus BB is crypted depending on
                        $DFF007.)

                    BeginIO()-Patch (Infections-Patch):
                    Case 2: A block is loaded from an unprotected disk.

                     1) The virus checks the current block for the
                        byte-mark ($ABCD).

                        If Yes: The block was already crypted, so it is
                                decrypted.

                        If  No: The virus checks for the value 8 in the
                                1st longword (= DATA block).

                                -> Yes: The virus inserts the byte-mark
                                        $ABCD and crypts the block.
                                ->  No: End.

                    That means you can read such blocks only while the
                    virus is active in memory. But now imagine you have
                    an infected disk with crypted blocks on it. Now you
                    copy a normal DOS BB onto this disk and boot with
                    it.
                    ----> YOU WILL GET A READ/WRITE ERROR or A CHECKSUM
                          ERROR.
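The traces described in Case 2 (data blocks with the $ABCD mark, blocks whose 1st longword is 8) and the checksum error that follows when a clean DOS BB is copied over crypted blocks can all be looked for on a disk image before any repair is attempted. The Python below is an added example, not SHI's code and not the logic of VT or VirusWorkshop. It scans an ADF image block by block, verifies the standard Amiga bootblock checksum of blocks 0 and 1, and lists plain T.DATA blocks and marked blocks. The description does not say where in a block the mark sits, so MARK_OFFSET = 0 is an assumption made only for this example, and the sample image is constructed. Nothing here decrypts anything, because the cipher is not described.

```python
# Added example (not SHI's code): scan an Amiga ADF image for the traces
# the Little Sven description names. The cipher is not described, so this
# only detects; MARK_OFFSET is an assumption for the example, not a fact
# taken from the description.

BLOCK = 512                # bytes per floppy block
BLOCKS_DD = 1760           # blocks on an 880 KB double-density disk
T_DATA = 8                 # OFS data block type, the "value 8" above
MARK = 0xABCD              # byte-mark named in the description
MARK_OFFSET = 0            # ASSUMPTION: where the mark sits in a block


def bootblock_sum(bb: bytes) -> int:
    """Amiga bootblock checksum: add the 256 big-endian longwords of
    blocks 0 and 1 with end-around carry. An intact bootblock sums to
    0xFFFFFFFF; anything else is the CHECKSUM ERROR seen on boot."""
    s = 0
    for i in range(0, 1024, 4):
        s += int.from_bytes(bb[i:i + 4], "big")
        if s > 0xFFFFFFFF:          # carry out of bit 31: wrap it back in
            s = (s & 0xFFFFFFFF) + 1
    return s


def bootblock_ok(bb: bytes) -> bool:
    """True when the 'DOS' signature is present and the checksum verifies."""
    return bb[:3] == b"DOS" and bootblock_sum(bb) == 0xFFFFFFFF


def fix_checksum(bb: bytearray) -> bytearray:
    """Write a correct checksum into longword 1 (offset 4). Used here only
    to build the constructed sample image."""
    bb[4:8] = b"\0\0\0\0"
    bb[4:8] = ((~bootblock_sum(bb)) & 0xFFFFFFFF).to_bytes(4, "big")
    return bb


def has_mark(blk: bytes) -> bool:
    return int.from_bytes(blk[MARK_OFFSET:MARK_OFFSET + 2], "big") == MARK


def block_type(blk: bytes) -> int:
    return int.from_bytes(blk[:4], "big")


def scan_adf(image: bytes) -> dict:
    """Walk every block and collect what a viruskiller would want to
    look at before touching the disk."""
    report = {"bootblock_ok": bootblock_ok(image[:1024]),
              "data_blocks": [],      # plain T.DATA blocks
              "marked_blocks": []}    # blocks carrying the $ABCD mark
    for n in range(2, len(image) // BLOCK):   # blocks 0, 1 are the bootblock
        blk = image[n * BLOCK:(n + 1) * BLOCK]
        if has_mark(blk):
            report["marked_blocks"].append(n)
        elif block_type(blk) == T_DATA:
            report["data_blocks"].append(n)
    return report


def build_sample() -> bytes:
    """Constructed DD image: a clean bootblock, two plain T.DATA blocks
    (10, 11) and one block (12) marked the way the description says."""
    img = bytearray(BLOCKS_DD * BLOCK)
    bb = bytearray(1024)
    bb[:4] = b"DOS\0"                                # OFS bootblock signature
    bb[8:12] = (880).to_bytes(4, "big")              # rootblock pointer
    bb[12:20] = b"\x43\xfa\x00\x3e\x70\x25\x4e\xae"  # constructed code bytes
    img[:1024] = fix_checksum(bb)
    for n in (10, 11):
        img[n * BLOCK:n * BLOCK + 4] = T_DATA.to_bytes(4, "big")
    img[12 * BLOCK:12 * BLOCK + 2] = MARK.to_bytes(2, "big")
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    print(scan_adf(sample))
    damaged = bytearray(sample)
    damaged[20] ^= 0xFF          # one flipped byte in the bootblock
    print(scan_adf(bytes(damaged))["bootblock_ok"])
```

On a real image, a marked block count above zero together with a bootblock that fails the checksum is exactly the situation the paragraph above warns about: a clean DOS BB was written over a disk whose data blocks are still crypted, and the disk needs a viruskiller that understands the cipher, not another bootblock rewrite.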

                    So please use a good viruskiller which can also
                    decrypt such blocks, e.g. VT or VirusWorkshop.
                    At the end of the decrypted bootblock you can read:

                    "The Curse of Little Sven!"

                    -> See also Xcopy5.6-Trojan which installs this
                       virus...

       SHI - A.D 05-94