Little Sven

Introduction

Little Sven is a computer virus written for the Commodore Amiga. It is a bootvirus discovered in 1992, which makes it one of the newer bootviruses on the Amiga.
All in all it is a very dangerous one and, technically, one of the "better" bootviruses. The virus was spread using a fake version of the well-known disk-copying program XCopy by Cachet Software.

Summary

  • Overwrites the original bootblock of any unprotected disk inserted into the floppy drive
  • Uses the BeginIO()-vector of the trackdisk.device for infection
  • Alters the DisplayAlert()-vector of the intuition.library
  • Alters the FreeSignal()- and Supervisor()-vector of the exec.library
  • Stays resident in memory by using the CoolCapture
  • Is fully encrypted; a new key is derived on each infection from register $dff006
  • Encrypts and decrypts FileSystem datablocks
  • Also works with newer Amigas (Kickstart 2.0, 3.0) and higher CPUs (68020, 68030, 68040)
  • Destroys the whole content of a disk, depending on a trigger
  • Saves the original bootblock to blocks 2 and 3
  • Uses stealth techniques to hide the infection

Details

After booting from an infected disk the virus allocates and registers 2120 bytes of ChipRAM and copies itself to this memory location. After that the virus alters the FreeSignal()-vector of the exec.library and finally loads and executes the original bootblock, which was stored in blocks 2 and 3 during the infection.
When the FreeSignal()-hook is later triggered by AmigaOS, the virus first restores the FreeSignal()-vector to its original ROM value. After that it uses the CoolCapture to make itself resident and finally patches the BeginIO()-vector of the trackdisk.device, the DisplayAlert()-vector of the intuition.library and the Supervisor()-vector of the exec.library.
To find itself in memory the virus uses the following self-check:

chk:
  movea.l -$14E(a6),a2   ; a6 = ExecBase: fetch the target address stored in the
                         ; FreeSignal() jump-table entry (LVO -$150, address field at -$14E)
  cmpi.w  #$17AB,-6(a2)  ; Selfcheck: marker word 6 bytes before the hook routine?

The DisplayAlert()-hook is pointing to a routine which disables the vector:

donothing:
  moveq #0,d0            ; return 0 without displaying anything
  rts

This is done to prevent programs from displaying an alert, e.g. anti-virus programs that want to tell the user that something suspicious is in memory.

The Supervisor()-hook is used to re-install the above vectors each time Supervisor() is called by AmigaOS (which happens very often :-)).

The BeginIO()-hook of the trackdisk.device is used for infection. If an unprotected disk is inserted into the floppy drive, the virus first checks whether the disk is already infected.
If not, the virus saves the original bootblock to blocks 2 and 3 and encrypts it. Then it infects the bootblock. When this disk is booted later, the virus loads the original bootblock from blocks 2 and 3.
If file data was stored in blocks 2 and 3 before, the affected file is destroyed. The virus does not allow any write access to these blocks; instead, writes to block 2 are redirected to block 4 and writes to block 3 are redirected to block 5.
This of course destroys the data in those blocks, too.

If a bootblock is written to a disk, the virus intercepts the write and redirects it to blocks 2 and 3; afterwards the virus is written to the bootblock.
On every 3rd infection the virus destroys the just inserted disk. You can format such a disk without worries, its content is gone :-(

Besides infection, the BeginIO()-hook is also used to encrypt and decrypt datablocks: whenever files on unprotected disks are accessed (reading files, starting executables etc.) the virus encrypts or decrypts them respectively. A normal OldFileSystem datablock begins with the longword $00000008; this is marked with the word $ABCD (resulting in $ABCD0008) and the whole block is encrypted with the following loop:

This data is decrypted as long as the virus is active in memory (encrypted blocks are recognized by the $ABCD-tag). This means that if you remove the virus you can no longer read the affected data correctly, and AmigaOS shows the following dialog:

[Image: sven_error.gif]

If the virus is active the data is read fine. This technique was introduced by the Saddam virus.

Here is a disk block before encryption:

0000h: 00 00 00 08 00 00 03 84 00 00 00 01 00 00 01 E8 ; .......„.......è
0010h: 00 00 03 86 30 2C AB F6 00 00 03 F3 00 00 00 00 ; ...†0,«ö...ó....
0020h: 00 00 00 01 00 00 00 00 00 00 00 00 00 00 13 4C ; ...............L
0030h: 00 00 03 E9 00 00 13 4C 7E 00 41 FA 00 E4 4B F9 ; ...é...L~.Aú.äKù
0040h: 00 DF F1 80 D1 FC 00 00 4C 48 43 F9 00 05 13 72 ; .ßñ€Ñü..LHCù...r
0050h: 24 60 D5 C9 20 20 E2 88 66 02 61 34 65 6A 72 08 ; $`ÕÉ  âˆf.a4ejr.
0060h: 76 01 E2 88 66 02 61 28 65 3C 72 03 78 00 61 46 ; v.âˆf.a(e<r.x.aF
0070h: 36 02 D6 44 72 07 E2 88 66 02 61 14 E3 92 51 C9 ; 6.ÖDr.âˆf.a.ã’QÉ
0080h: FF F6 15 02 51 CB FF EE 60 26 72 07 78 08 60 DE ; ÿö..QËÿî`&r.x.`Þ
0090h: 20 20 1E 00 3A 87 44 FC 00 10 E2 90 4E 75 72 09 ;   ..:‡Dü..âNur.
00a0h: 36 02 D2 42 54 43 61 0E 15 32 20 FF 51 CB FF FA ; 6.ÒBTCa..2 ÿQËÿú
00b0h: B3 CA 6D A2 60 38 53 41 74 00 E2 88 66 02 61 D0 ; ³Êm¢`8SAt.âˆf.aÐ
00c0h: E3 92 51 C9 FF F6 4E 75 72 02 61 EA 0C 02 00 02 ; ã’QÉÿöNur.aê....
00d0h: 6D CC 0C 02 00 03 67 B2 72 08 61 DA 36 02 58 43 ; mÌ....g²r.aÚ6.XC
00e0h: 72 0B 60 C2 20 54 45 54 52 41 47 4F 4E 20 7E 97 ; r.`Â TETRAGON ~—
00f0h: 41 F9 00 05 00 00 45 F9 00 05 7F 64 10 19 B0 07 ; Aù....Eù..d..°.

… and here is the same block after encryption by the virus (note the $ABCD-tag at the beginning):

0000h: AB CD 00 08 F8 F7 F5 71 F4 F3 F2 F0 F0 EF EF 05 ; «Í..ø÷õqôóòððïï.
0010h: EC EB E9 6F D8 CB 4D 13 E4 E3 E1 12 E0 DF DE DD ; ìëéoØËM.äãá.àßÞÝ
0020h: DC DB DA D8 D8 D7 D6 D5 D4 D3 D2 D1 D0 CF DD 81 ; ÜÛÚØØ×ÖÕÔÓÒÑÐÏ݁
0030h: CC CB C9 20 C8 C7 D5 89 BA C3 83 3B C0 5B F5 44 ; ÌËÉ ÈÇÕ‰ºÃƒ;À[õD
0040h: BC 64 4B 39 69 4B B6 B5 F8 FB F1 48 B0 AA BD DF ; ¼dK9iK¶µøûñH°ª½ß
0050h: 88 CB 7F 60 88 87 44 2D C2 A1 C3 95 C5 F5 EC 95 ; ˆË`ˆ‡D-¡ÕÅõì•
0060h: EA 9A 78 11 FE 95 F7 BD F1 AF E0 92 E8 8F EF CB ; êšx.þ•÷½ñ¯à’èïË
0070h: BA 89 5C CD FA 80 64 0D E2 81 E3 95 63 ED 2F B4 ; º‰\Íú€d.âã•cí/´
0080h: 83 8D 6F 7B 29 BC 89 9B 14 55 00 76 08 67 0E B3 ; ƒo{)¼‰›.U.v.g.³
0090h: 4C 4B 74 69 52 E0 22 99 64 73 80 F1 2E 2A 2C 54 ; LKtiRà"™ds€ñ.*,T
00a0h: 6A 59 88 1B 0C 14 37 5B 41 61 72 AE 01 84 B1 B7 ; jYˆ...7[Aar®.„±·
00b0h: FF 81 27 EB 28 7F 15 04 30 43 A0 C9 26 3D 5F ED ; ÿ'ë(..0C É&=_í
00c0h: DF A9 6B F0 C7 C1 78 40 46 31 53 DB 3C 2D 2E 2F ; ß©kðÇÁx@F1SÛ<-./
00d0h: 41 E7 26 2B 28 24 41 97 56 2B 43 FB 16 1D 46 5E ; Aç&+($A—V+Cû..F^
00e0h: 6E 10 7A DB 38 43 53 41 46 52 55 5E 5E 2F 70 9A ; n.zÛ8CSAFRU^^/pš
00f0h: 4D F2 0A 0C 08 07 43 FC 04 06 7D 65 10 E6 4E FA ; Mò....Cü..}e.æNú
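As an added example (not part of the original page), here is a small Python scanner that walks an OFS disk image block by block and reports data blocks carrying the $ABCD tag described above. The clean block is constructed with the OFS data-block layout (type, header key, sequence number, data size, next block, checksum, 488 data bytes; the checksum makes all 128 longwords sum to zero). The tagged block reuses the first 32 bytes of the post-encryption dump above and pads them with constructed filler, since only the tag matters for the check. Block numbers and file contents are made up.

```python
"""Find OFS data blocks tagged by Little Sven in an Amiga disk image (added example)."""
import struct

BLOCK_SIZE = 512
T_DATA = 8            # type longword of a normal OFS data block ($00000008)
SVEN_TAG = 0xABCD     # the virus overwrites the high word of that longword with $ABCD
DATA_BYTES = 488      # 512 bytes minus the 24-byte header


def make_ofs_data_block(header_key: int, seq: int, payload: bytes, next_block: int) -> bytes:
    """Build a valid OFS data block (constructed sample data, not from a real disk).

    Layout: type, header_key, seq_num, data_size, next_data, checksum, then 488 data
    bytes. The checksum makes all 128 longwords of the block sum to zero mod 2^32.
    """
    if len(payload) > DATA_BYTES:
        raise ValueError("payload does not fit into one OFS data block")
    header = struct.pack(">6L", T_DATA, header_key, seq, len(payload), next_block, 0)
    block = bytearray(header + payload.ljust(DATA_BYTES, b"\0"))
    total = sum(struct.unpack(">128L", block)) & 0xFFFFFFFF
    struct.pack_into(">L", block, 20, (-total) & 0xFFFFFFFF)
    return bytes(block)


def ofs_checksum_ok(block: bytes) -> bool:
    """A clean OFS block sums to zero over its 128 big-endian longwords."""
    return sum(struct.unpack(">128L", block)) & 0xFFFFFFFF == 0


def classify_block(block: bytes) -> str:
    """Label one 512-byte block by its type longword and checksum."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("expected a 512-byte block")
    block_type = struct.unpack(">L", block[:4])[0]
    if block_type == T_DATA:
        return "ofs-data" if ofs_checksum_ok(block) else "ofs-data-bad-checksum"
    # $ABCD in the high word, $0008 in the low word: tagged and encrypted by the virus
    if block_type >> 16 == SVEN_TAG and block_type & 0xFFFF == T_DATA:
        return "sven-encrypted"
    return "other"


def scan_image(image: bytes) -> list:
    """Return the numbers of all blocks in the image that carry the virus tag."""
    return [n for n in range(len(image) // BLOCK_SIZE)
            if classify_block(image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]) == "sven-encrypted"]


# First 32 bytes of the encrypted block shown above; the rest is constructed filler.
ENCRYPTED_HEAD = bytes.fromhex(
    "ABCD0008F8F7F571F4F3F2F0F0EFEF05"
    "ECEBE96FD8CB4D13E4E3E112E0DFDEDD"
)
ENCRYPTED_BLOCK = (ENCRYPTED_HEAD + bytes(range(256)) * 2)[:BLOCK_SIZE]

# Constructed clean data block: file header at block 900, next data block at 902.
CLEAN_BLOCK = make_ofs_data_block(header_key=900, seq=1,
                                  payload=b"startup-sequence\n", next_block=902)

# Constructed three-block image: clean data block, tagged block, empty block.
SAMPLE_IMAGE = CLEAN_BLOCK + ENCRYPTED_BLOCK + bytes(BLOCK_SIZE)

if __name__ == "__main__":
    for n in range(len(SAMPLE_IMAGE) // BLOCK_SIZE):
        blk = SAMPLE_IMAGE[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
        print(f"block {n}: {classify_block(blk)}")
    print("tagged blocks:", scan_image(SAMPLE_IMAGE))   # [1]
```

Run against a full ADF (1760 blocks of 512 bytes) the scanner lists every data block that is unreadable once the virus has been removed from memory; because the page does not give the encryption loop, the example only identifies such blocks, it does not restore them.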

The virus also uses a simple but effective stealth mechanism to hide its bootblock (similar to The Lamer Exterminator viruses):
If the virus is not active in memory and you display the bootblock of an infected disk, you will see the encrypted virus bootblock.
However, if the virus is active in memory and you display the bootblock of an infected disk, the virus intercepts the read and shows you the original bootblock that was on the disk before (loading it from blocks 2 and 3).

Here is an example of displaying an infected bootblock of a disk while the virus is not active:

[Image: sven_notclean.png]

You can clearly see the encrypted virus, or at least something suspicious, as this is obviously no standard bootblock.

And this is the same disk while the virus was active in memory:

[Image: sven_clean.png]

You see the original bootblock that was on the disk before, in this case a standard Commodore bootblock.

At the end of the decrypted virus bootblock you can see the following text:

03c0h: 69 73 6B 2E 64 65 76 69 63 65 00 20 20 54 68 65 ; isk.device.  The
03d0h: 20 43 75 72 73 65 20 6F 66 20 4C 69 74 74 6C 65 ;  Curse of Little
03e0h: 20 53 76 65 6E 21 20 20 12 3C 00 B1 41 EC 00 18 ;  Sven!  .<.±Aì..

Clones and variants

None

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License