| Alias: | --- |
| Strain: | --- |
| detected when: | October 1988 |
| where: | Helmond (Netherlands) |
| Classification: | System (bootsector) virus, overwriting |
| Length: | 512 Bytes |
Preconditions | |
| Operating System(s): | Atari TOS |
| Version/Release: | All versions |
| Computer model(s): | All Atari ST |
| Caroname: | Freeze |
Attributes | |
| Easy identification: | The words : $487A,$0010 can be found in the boot sector at Positon $100, or in memory at :phystop-$300+$100 (all: hex). |
Type of Infection: | Executable bootsectors are not infected. |
| Infection Technique: | |
| Infection Trigger: | Execution of BIOS disk functions. |
| Storage Media affected: | The virus infects drive A and B. |
| Interrupts hooked: | Timer interrupt installed for damage; hdv_bpb changed to infect bootsector of new disk. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Every second the timer-routine increases a delay counter by 1 and then counting it down to zero; this will slowdown the system. |
| Damage Trigger: | When the virus is booted. |
| Particularities: | If harddisk SH204 is connected, the virus causes an address error and will not be installed. |
| Similarities: | The same installation routine as MAD virus; only different damage action and damage trigger. |
Agents | |
| Countermeasures: | Make sure that virus is not in memory; modify last byte in bootsector to another value. |
| Standard means: | Clear all bytes in bootsector beginning at offset 30 (decimal). |
Acknowledgements | |
| Location: | Virus Test Center, University of Hamburg FRG |
| Classification by: | Thomas Piehl |
| Documentation by: | George R. Woodside |
| Date: | 31-January-1991 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg