     Name         : Sachsen NO.3

     Aliases      : No Aliases

     Type/Size    : Boot/2048

     Clones       : No Clones

     Symptoms     : No Symptoms

     Discovered   : ?

     Way to infect: Boot infection

     Rating       : Dangerous

     Kickstarts   : 1.2/1.3/2.0

     Damage       : Overwrites boot + block 2,3 + other blocks (!!)

     Manifestation: -

     Removal      : Install boot.

     Comments     : The Sachsen 3 virus consists of 2 parts.

                   1) The Loader-Routine-Part for the Main-Part.
                       (=>Block 0,1)

                   2) The MAIN-Part with infection-Routines.  
                       (=>Block 2,3)

                    The virus copies itself to $78000 and changes the
                    Cool-Capture to stay resident in memory. To infect
                    other disks the virus patches the DoIO()-Vector.
                    Additionally the virus patches the Wait()-Vector.
                    Imagine you are inserting an unprotected, clean disk:

                   1) The virus checks the infection value. If this value
                      is greater than 3 the virus calculates a block
                      depending on $DFF006 and destroys it with the
                      string "SACHSEN3". If the value is greater than
                      12 the virus shows an alert:

              "SACHSEN VIRUS NO.3 in Generation : XXXXX is running..."

                      (The X depends on the generation!)

                   2) The virus relabels the disk to "SACHSEN VIRUS NO.3
                      ON DISK !!!" by loading block 370 (!!!!)
                      (That means for HD-Disk Users = Block 370
                       DESTROYED!)

                   3) The virus writes 2048 bytes. (Loader+Main-part)
                      Block 2,3 = DESTROYED !!
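
     To see which blocks of a suspect disk were hit, the strings named
     above can be searched for block by block in a raw sector image (for
     example an ADF file). This is an added example, not part of the
     original SHI description; it assumes the strings are stored
     unencoded, and scan_image/make_sample are hypothetical names.

```python
BLOCK = 512                    # size of one Amiga disk block in bytes
VIRUS_BLOCKS = range(0, 4)     # 2048 bytes: loader in blocks 0,1, main part in 2,3
MARKER = b"SACHSEN3"           # string written into destroyed blocks
LABEL = b"SACHSEN VIRUS NO.3"  # common start of the disk label and alert text


def scan_image(image):
    """Return the block numbers of a raw disk image that carry the strings."""
    report = {"virus_area": [], "marker": [], "label": []}
    for n in range(len(image) // BLOCK):
        block = image[n * BLOCK:(n + 1) * BLOCK]
        has_marker, has_label = MARKER in block, LABEL in block
        if n in VIRUS_BLOCKS:
            # Hits here point at the virus body itself, not at collateral damage.
            if has_marker or has_label:
                report["virus_area"].append(n)
            continue
        if has_marker:
            report["marker"].append(n)
        if has_label:
            report["label"].append(n)
    return report


def make_sample():
    """Constructed 880 KB image (1760 blocks); block positions are made up."""
    image = bytearray(1760 * BLOCK)

    def put(block_no, offset, data):
        start = block_no * BLOCK + offset
        image[start:start + len(data)] = data

    put(2, 100, LABEL + b" in Generation : ")  # text assumed stored in main part
    put(370, 433, LABEL + b" ON DISK !!!")     # constructed relabel write
    put(1203, 0, MARKER)                       # one constructed destroyed block
    return bytes(image)


if __name__ == "__main__":
    for kind, blocks in scan_image(make_sample()).items():
        print(f"{kind:10s}: {blocks}")
```

     Blocks listed under "marker" or "label" hold overwritten data and
     are not restored by installing a clean bootblock.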




    SHI - A.D 08-94
