VIRUS HELP TEAM Amiga Antivirus Website www.vht-dk.dk
------------------------
Amiga Virus Encyclopedia
Zenker Virus
------------------------
Name : Zenker
Aliases : No Aliases
Type/Size : Boot
Size : 2048
Clone : Ingo is back
Symptoms : No Symptoms
Discovered : No date yet
Way to infect: Boot infection
Rating : Dangerous
Kickstarts : 1.2/1.3/2.0
Damage : Overwrites boot + Destroy Block 896.
Removal : Install boot.
Comments : The Zenker virus is a very confusing one. The virus
itself is located in block 896, and the original
bootblock of the disk is stored there as well. The
bootblock itself contains only the loader, which
loads the virus AND the original bootblock to address
$7F800.
First, the virus executes the original bootblock, which
is now located at address $7FC00. That means the
bootblock that was on the disk before infection will
be executed even if the disk is infected. In the
bootblock of an infected disk you can read:
"Commodore Bootloader (20 Oct 1987)"
This is meant to confuse users. Imagine you are booting
with a clean, unprotected disk:
- The virus scans for block 880. Because of that it is
very unlikely that the virus infects an HD disk.
- The virus loads the bootblock from the disk and checks
whether it is already infected.
- If NO, the virus inserts "== ZENKER ==" at the
beginning of this bootblock.
- Now the virus first writes the VirusLoader to the
bootblock and then saves the main virus + original
bootblock to block 896. These blocks are DAMAGED and
cannot be repaired.
Info : This virus is a new type of virus. It only uses a loader routine in
the ordinary boot sectors, and all the virus parts are put in the
sectors from 896-898. The original BB will be written to the sectors
898-900. That means that the sector data in 896-900 will be destroyed
100% and cannot be fixed. What happens if the header blocks and other
structures are in these sectors? You can forget these files. VW
offers you the possibility to rewrite the BB from 898 to sector 0.
In some cases this might work (for games with bootloaders etc.), but
in most cases your disk is damaged and not usable anymore.
It can happen that the RDB block of your hard disk becomes
overwritten. In this case it is too late. You can only restore the
backup of your RDB sectors (you surely have one!) and hope that
the information in sectors 896-900 was not too important.
The virus uses memory at $7f500 without allocating it.
The virus tries to look like a normal bootblock loader with the
string "COMMODORE Bootblockloader ....)....
In the viruscode you can read:
"NOW I`M IN THE XX GENERATION."
and
"ONLY THE ZENKER CAN COPY IT!"
Antivirus : Kickstart 1.2 & 1.3..... : VT-Schutz
Kickstart 2.0 and higher : VirusZ III, with the new Xvs.library installed
Test made by : Markus Schmall
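A marker scan for raw disk images, added here as an example and not part of the original entry or of any antivirus tool it names: it searches the bootblock and sectors 896-900 for the strings quoted above. The 512-byte sector size, the assumption that the strings are stored as plain ASCII in the quoted casing, and all function names are assumptions of this example; the sample image is constructed.

```python
SECTOR = 512                        # Amiga floppy sector size in bytes (assumption)
REGIONS = {                         # sector ranges named in the entry
    "bootblock": range(0, 2),       # bootblock = sectors 0-1
    "payload": range(896, 901),     # sectors 896-900 (virus + saved bootblock)
}
# Strings quoted in the entry. Assumption: stored as plain ASCII in this
# exact casing; a real sample may differ.
MARKERS = (
    b"Commodore Bootloader (20 Oct 1987)",
    b"== ZENKER ==",
    b"ONLY THE ZENKER CAN COPY IT!",
)

def scan_image(image: bytes):
    """Return sorted (sector, region, marker) hits for a raw disk image."""
    last = max(r.stop for r in REGIONS.values())
    if len(image) < last * SECTOR:
        raise ValueError(f"image too short: need at least {last} sectors")
    hits = []
    for region, sectors in REGIONS.items():
        data = image[sectors.start * SECTOR:sectors.stop * SECTOR]
        for marker in MARKERS:
            pos = data.find(marker)
            while pos != -1:            # report every occurrence
                hits.append((sectors.start + pos // SECTOR, region, marker.decode()))
                pos = data.find(marker, pos + 1)
    return sorted(hits)

def build_sample(infected: bool) -> bytes:
    """Constructed 880 KB image (1760 sectors); not a real sample."""
    img = bytearray(1760 * SECTOR)
    img[0:4] = b"DOS\x00"               # standard bootblock signature
    if infected:
        def put(sector, offset, data):
            start = sector * SECTOR + offset
            img[start:start + len(data)] = data
        put(0, 32, MARKERS[0])          # disguise string in the loader (placement constructed)
        put(896, 100, MARKERS[2])       # text inside the virus body (placement constructed)
        put(898, 0, MARKERS[1])         # tag on the saved original bootblock
    return bytes(img)

if __name__ == "__main__":
    for name in ("clean", "infected"):
        hits = scan_image(build_sample(name == "infected"))
        print(name, hits or "no markers found")
```

A hit in sectors 896-900 also tells you which file system blocks were overwritten, so any file whose header or data lived there should be treated as lost.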