Source: Amiga MA Magazine 1998 #3, bazy/virus_base/virus/z/zenker (text file, 1995-01-25)
Name : Zenker
Aliases : No Aliases
Type/Size : Boot/2048
Clone : Ingo is back
Symptoms : No Symptoms
Discovered : No date yet
Way to infect: Boot infection
Rating : Dangerous
Kickstarts : 1.2/1.3/2.0
Damage : Overwrites boot + Destroy Block 896.
Removal : Install boot.
Comments : The Zenker-Virus is a very confusing one. The virus
itself is located in block 896. The original bootblock
of the disk is stored there as well. The bootblock
itself holds only a loader, which loads
the virus AND the original bootblock to address
$7F800.
First, the virus executes the original bootblock, which
is now located at address $7FC00. That means the
bootblock that was on the disk before infection will
be executed even if the disk is infected. In the
bootblock of an infected disk you can read:
"Commodore Bootloader (20 Oct 1987)"
This is intended to confuse users. Imagine you are booting
with a clean, unprotected disk:
- The virus scans for block 880. Because of that it's
very unlikely that the virus infects a HD-Disk.
- The virus loads the bootblock from the disk and checks
if it is already infected.
- If NO, the virus inserts in this bootblock (at the
beginning) "== ZENKER ==".
- Now the virus first writes the VirusLoader to the boot
block and then saves the main virus + original bootblock
on block 896. These blocks are DAMAGED and cannot be
repaired.
- That's it.
In the viruscode you can read:
"NOW I`M IN THE XX GENERATION."
and
"ONLY THE ZENKER CAN COPY IT!"
A.D 08-94
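
Added example, not part of the original virus description: a scanner that checks a disk image for the marker strings and locations listed above. It assumes an ADF image with 512-byte sectors, that the 2048 bytes named under Type/Size sit contiguously from block 896, and that the strings are stored as plain ASCII; scan_adf and make_sample are hypothetical names, and the sample image is constructed.

```python
import re

SECTOR = 512              # assumption: the page's "block" is a 512-byte ADF sector
BOOT = (0, 2)             # boot block = sectors 0-1
PAYLOAD = (896, 4)        # assumption: the 2048 bytes sit contiguously from block 896

# Strings the page says are readable on an infected disk.
BOOT_MARKERS = {"loader_banner": re.compile(rb"Commodore Bootloader \(20 Oct 1987\)")}
PAYLOAD_MARKERS = {
    "infection_tag": re.compile(rb"== ZENKER =="),
    "generation_text": re.compile(rb"NOW I[`']M IN THE .{0,8}GENERATION", re.S),
    "copy_text": re.compile(rb"ONLY THE ZENKER CAN COPY IT!"),
}

def _region(image, span):
    start, count = span
    return image[start * SECTOR:(start + count) * SECTOR]

def scan_adf(image: bytes) -> dict:
    """Report which Zenker markers are present, with an overall verdict."""
    if len(image) < (PAYLOAD[0] + PAYLOAD[1]) * SECTOR:
        raise ValueError("image too short to contain block 896")
    hits = [n for n, rx in BOOT_MARKERS.items() if rx.search(_region(image, BOOT))]
    hits += [n for n, rx in PAYLOAD_MARKERS.items() if rx.search(_region(image, PAYLOAD))]
    if "loader_banner" in hits and len(hits) > 1:
        verdict = "infected"      # loader in boot block and payload at block 896
    elif hits:
        verdict = "suspicious"    # e.g. boot block reinstalled, block 896 remnant left
    else:
        verdict = "clean"
    return {"verdict": verdict, "markers": sorted(hits)}

def make_sample(infected: bool) -> bytes:
    """Constructed 880 KB image holding only the marker text, no virus code."""
    img = bytearray(1760 * SECTOR)
    def put(offset, data):
        img[offset:offset + len(data)] = data
    put(0, b"DOS\x00")
    if infected:
        base = PAYLOAD[0] * SECTOR
        put(16, b"Commodore Bootloader (20 Oct 1987)")
        put(base + 32, b"NOW I`M IN THE 07 GENERATION.")
        put(base + 64, b"ONLY THE ZENKER CAN COPY IT!")
        put(base + 1024, b"== ZENKER ==")   # start of the saved original boot block
    return bytes(img)

if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        print(label, scan_adf(make_sample(flag)))
```

A "suspicious" result with no loader banner is what a disk looks like after the boot block has been reinstalled, since that step does not touch block 896.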