| Alias: | --- |
| Strain: | --- |
| detected when: | May 1989 |
| where: | Utrecht (Netherlands) |
| Classification: | Boot sector virus |
| Length: | 456 Bytes (512) |
Preconditions | |
| Operating System(s): | Atari TOS |
| Version/Release: | ROM TOS from 02.06.1986; in other versions, virus will not b |
| Computer model(s): | All Atari ST |
| Caroname: | SCREEN |
Attributes | |
| Easy identification: | In memory at Phystop +34 and in the boot sector at the same offset, the following bytes can be found: $0206198600FC0018 |
Type of Infection: | Boot sector of drive A. |
| Infection Technique: | |
| Infection Trigger: | Usage of drive A. |
| Storage Media affected: | Drive A. |
| Interrupts hooked: | 200 Hz interrupt($114) for time-control and damage. hdv_bpb to infect bootsector. Critical Error Handler at infection time. Phystop is decremented by 512. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | The screen is blacked out from bottom to middle and from top to middle at same time; no more action can be performed as screen is permanently black. |
| Damage Trigger: | Between 3 and 30 minutes (depends on value of 200 Hz timer; action when timer >=360000). |
| Particularities: | Only boot sectors that are not executable are in- fected. The word at offset 30 from beginning of bootsector varies from infection to infection. If a reset is performed, the virus becomes inactive but is still in RAM. If the virus is on a disk used after reset and the damage was active before reset, it reappears after 3 minutes. |
| Similarities: | Same screen damage as BLOT VIRUS (same routine). |
Agents | |
| Countermeasures: | Make sure that the virus is not in memory. Search boot sector for the string mentioned above. Modify the last byte in boot sector to another value. |
| Standard means: | Clear all bytes in boot sector beginning at offset 30 decimal. |
Acknowledgements | |
| Location: | Virus Test Center, University of Hamburg, FRG |
| Classification by: | Ronald Greinke |
| Documentation by: | Ronald Greinke |
| Date: | 5-June-1990 |
| Information Source: | George R. Woodside |
(c) 1996 Virus-Test-Center, University of Hamburg