| Alias: | --- |
| Strain: | --- |
| detected when: | --- |
| where: | Utrecht (Netherlands) |
| Classification: | System (Boot sector) Virus, Reset-resident |
| Length: | 512 Bytes |
Preconditions | |
| Operating System(s): | Atari TOS |
| Version/Release: | TOS 1.0 and 1.2 |
| Computer model(s): | Atari ST |
| Caroname: | Kobold_2 |
Attributes | |
| Easy identification: | If the boot sector is infected, the string 'KOBOLD#2 AKTIV!' can be found in the middle of the boot sector; in memory, this string can be found at beginning of transient programm area (TPA). |
Type of Infection: | Any boot sector that can be written to. |
| Infection Technique: | |
| Infection Trigger: | Execution of XBIOS disk functions. Execution of boot code. |
| Storage Media affected: | Drive which is set as boot device or accessed by XBIOS. |
| Interrupts hooked: | Vertical Blank Interrupt at infection time; hdv_bpb (harddisk bios parameter block); resetvector. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: Overwriting Bootsectors. Transient Damage: Speeding up mouse motion in directions UP and LEFT. |
| Damage Trigger: | Internal counter |
| Particularities: | With TOS 1.2, mouse motion is not changed. |
| Similarities: | --- |
Agents | |
| Countermeasures: | Make sure that the virus is not in memory. Search boot sector for string mentioned above. Modify last byte in boot sector to other value. |
| Standard means: | Clear all bytes in boot sector beginning at offset 30 decimal. |
Acknowledgements | |
| Location: | Virus Test Center, University of Hamburg FRG |
| Classification by: | |
| Documentation by: | Thomas Piehl |
| Date: | 5-June-1990 |
| Information Source: | George R. Woodside |
(c) 1996 Virus-Test-Center, University of Hamburg