| Alias: | - |
| Strain: | - |
| detected when: | May 1989 |
| where: | Utrecht (Netherlands) |
| Classification: | System (Boot sector) Virus |
| Length: | 512 Bytes |
Preconditions | |
| Operating System(s): | Atari TOS |
| Version/Release: | TOS 1.2 |
| Computer model(s): | All Atari ST |
| Caroname: | GOBLINS |
Attributes | |
| Easy identification: | The string "The Little Green Goblins" can be found in the boot sector $1B6, or in memory at pystop -$8200 +$1B6. |
Type of Infection: | The actual boot sector will be overwritten. |
| Infection Technique: | |
| Infection Trigger: | Execution of BIOS disk function Getbpb. |
| Storage Media affected: | Floppy disk drive with device 0 (A:) or 1 (B:). |
| Interrupts hooked: | hdv_bpb vector (used by BIOS disk Getbpb). |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | - First text line or menu line is modified until next execution of the damage routine. - A message is printed on the screen. |
| Damage Trigger: | Copy Counter in Memory: (Counter mod 16) = 0 : Modify screen (Counter mod 128)= 0 : Print message. |
| Particularities: | The virus is reset-resident! |
| Similarities: | --- |
Agents | |
| Countermeasures: | Make sure that the virus is not in memory. Modify the last byte in boot sector to other value. |
| Standard means: | Clear all bytes in boot sector beginning at offset 30 (decimal). |
Acknowledgements | |
| Location: | Virus Test Center, University of Hamburg, FRG |
| Classification by: | Andre' Schaper |
| Documentation by: | Andre' Schaper |
| Date: | 5-June-1990 |
| Information Source: | George R. Woodside |
(c) 1996 Virus-Test-Center, University of Hamburg