------------------------
Amiga Virus Encyclopedia
Little Sven Virus
------------------------
Name : Little Sven
Aliases : Cameleon
Clones : No Clones
Type : Bootblock
Size : 2048 bytes
Symptoms : No Symptoms
Discovered : 7 May 1992
Way to infect: Boot infection
Rating : Very Dangerous
Kickstarts : 1.2, 1.3, 2.0
Damage : Overwrites block 3 & 4 + encrypts blocks
Removal : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III v1.04ß or higher, and also Xvs.library v33.47 or higher
Comments : The Little Sven virus is a very dangerous one. The
virus is 2048 bytes long. It saves the original
bootblock of every infected disk in blocks 2, 3, so
this bootblock is still executed even when the disk
is infected. When you boot from a Little Sven
infected disk, the virus makes itself resident by
changing the CoolCapture vector. After that the
virus loads the original bootblock from blocks 2 & 3.
To infect other disks the virus uses the BeginIO()
vector of the trackdisk.device. Additionally the
virus patches the DisplayAlert() vector of the
intuition.library and the Supervisor() vector of
the exec.library. After initialising all these virus
routines, the original bootblock is executed.
DisplayAlert() patch:
  - This patch suppresses all alerts. That means no alerts
    will be shown anymore.
Supervisor() patch:
  - This patch sets CoolCapture to the virus's value.
BeginIO() patch (infection patch):
Case 1: You insert an unprotected disk.
  1) The virus checks whether the disk is already infected.
     If Yes: The virus checks whether the bootblock access
             was a read access.
             -> Yes: The virus loads the original bootblock
                     from blocks 2, 3.
                     That means that if you want to look at
                     the bootblock of an infected disk, the
                     virus always shows you the original
                     one.
             -> No:  End.
     If No:  The virus checks whether this is the 3rd
             infection.
             -> Yes: The virus executes a routine which
                     writes data to your disk. -> DAMAGED!!!
             -> No:  The virus loads the original bootblock
                     of the disk, copies it to blocks 2, 3
                     and infects the disk.
Blocks 2, 3 are now damaged. No salvage possible.
The bootblock AND the original bootblock are
encrypted. (The virus bootblock is encrypted depending on
$DFF007.)
BeginIO() patch (infection patch):
Case 2: A block is loaded from an unprotected disk.
  1) The virus checks the current block for a byte-mark
     ($ABCD).
     If Yes: The block was already encrypted, so it is
             decrypted.
     If No:  The virus checks for the value 8 in the
             1st longword (= DATA).
             -> Yes: Inserts the byte-mark $ABCD and
                     encrypts the block.
             -> No:  End.
That means you can read such blocks only while the
virus is active in memory. Now imagine you have
an infected disk with encrypted blocks on it, you
copy a normal DOS bootblock onto this disk and you
boot from it.
----> YOU WILL GET A READ/WRITE ERROR or A CHECKSUM
ERROR.
So please use a good virus killer which can also
decrypt such blocks, e.g. VT or VirusWorkshop.
At the end of the decrypted bootblock you can read:
"The Curse of Little Sven!"
See also X-Copy v5.6-Trojan which installs this virus
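
For the encrypted data blocks described under Case 2, a triage check on a raw disk image read without the virus resident: it lists blocks that file headers reference as data but that AmigaDOS would reject with the errors mentioned above. This is an added example, not part of the original entry or of any tool it names; it assumes an OFS-formatted image, and the function names and sample image are constructed for illustration.

```python
import struct

BLOCK = 512
T_HEADER, T_DATA, T_LIST, ST_FILE = 2, 8, 16, -3  # AmigaDOS block types

def checksum_ok(block):
    # A valid AmigaDOS block's 128 big-endian longwords sum to 0 mod 2**32.
    return (sum(struct.unpack(">128L", block)) & 0xFFFFFFFF) == 0

def unreadable_data_blocks(image):
    """Blocks that a file header or extension block lists as data blocks
    but that are not valid OFS data blocks (type 8 with a good checksum)."""
    nblocks = len(image) // BLOCK
    get = lambda n: image[n * BLOCK:(n + 1) * BLOCK]
    bad = set()
    for n in range(2, nblocks):            # blocks 0-1 hold the bootblock
        longs = struct.unpack(">128l", get(n))
        if longs[0] not in (T_HEADER, T_LIST) or longs[127] != ST_FILE:
            continue
        if not checksum_ok(get(n)):
            continue                       # damaged header: pointers not trusted
        for ptr in longs[6:78]:            # 72-entry data block pointer table
            if 0 < ptr < nblocks:
                data = get(ptr)
                if data[:4] != struct.pack(">L", T_DATA) or not checksum_ok(data):
                    bad.add(ptr)
    return sorted(bad)

def make_block(fields):
    # Constructed sample data: {longword index: value}, checksum in longword 5.
    longs = [0] * 128
    for index, value in fields.items():
        longs[index] = value & 0xFFFFFFFF
    longs[5] = -sum(longs) & 0xFFFFFFFF
    return struct.pack(">128L", *longs)

def sample_image():
    # Constructed 16-block image: the file header in block 4 lists blocks 5 and 6.
    blocks = [bytes(BLOCK)] * 16
    blocks[4] = make_block({0: T_HEADER, 1: 4, 2: 2, 4: 5, 76: 6, 77: 5, 127: ST_FILE})
    blocks[5] = make_block({0: T_DATA, 1: 4, 2: 1, 3: 488, 4: 6})
    # Block 6 stands in for a block AmigaDOS cannot parse. Putting $ABCD at
    # offset 0 is made up for this sample; the entry does not give its position.
    blocks[6] = struct.pack(">H", 0xABCD) + bytes(range(255)) * 2
    return b"".join(blocks)

if __name__ == "__main__":
    print(unreadable_data_blocks(sample_image()))
```
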
Test made by : Safe Hex International
Ascii of Little Sven Bootblock virus (Decoded):