- B.E.O.L.-LVirus   Link-Virus

       Reason for the name: see the README text below.
       Other possible names: Mount-972-Virus, 4EAE-Virus, FFFFFFE9-Virus
       Adds 972 bytes to a file.
       In the decoded link part you can read:
           22006720 4eaeff82 4eaeffa6 6108632f ".g N...N...a.c/
           6d6f756e 7400221f 242afff0 4eaeffe2 mount.".$*..N...
       No hidden vectors
       Not reset proof
       It installs itself in memory by way of DOS structures
       (the VOLUME MsgPort).
       It writes $FFFFFFE9 to $202(a6) (LastAlert).
       Runs under KS 2.04: yes (it checks the Kickstart version with
       cmpi.b #$25,$15(a6), i.e. version 37).
       It re-encodes the link part on every infection, using the value
       at $DFF006 as the key. VT tries to remove the link part and to
       restore the original $4EAEuvwx (the jsr -xy(a6) that was patched).
       Test with a Syquest 44: after 15 minutes all important directories
       were completely infected.
       After that, nothing works anymore.
       It uses branch instructions that only appear in newer Kickstarts.
       It appends itself behind the first hunk.
       Execution:
       Test for $03F3      (executable: HUNK_HEADER)
       Test for $FFFFFFE9  (already infected)
       Search for $4EAE    ( jsr -xy(Lib-Base), a library call via a6 )
                           ( xy varies, but in most cases it is OpenLibrary )
       If found, test whether the distance to the end of the hunk is
       smaller than $7FFF (the limit of a signed 16-bit PC displacement).
       If not, continue searching.
       If yes: addi.b #$c,-(a1)
       i.e. $4EAE is changed to $4EBA ( jsr Hunkende(PC), a PC-relative
       call to the end of the hunk, where the virus part now sits ).
       As soon as a counter cell becomes zero after LSL.B #2,D1, a further
       link part is decoded with NEG.L (A7) and a file README of 1152 bytes
       is written. This file contains 32 times:
                + B.E.O.L. 1995! Don't be angry!!
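       The infection and repair arithmetic described above, as an added
       model in Python (this is not code from the page, from VT or from the
       virus). It shows the $7FFF reach check, the addi.b #$c trick that
       turns jsr -xy(a6) into jsr xy(PC), and the three verdicts a VT-style
       check can reach: clean, infected, and "branch instruction not found"
       (virus part present, activation already removed by another tool).
       The sample hunk, the 972-byte stand-in body, the marker position and
       the place where the original displacement is kept are assumptions of
       this model; the page does not say where the real virus stores them.

```python
import struct

# Opcodes named in the description: jsr d16(a6) and jsr d16(pc).
JSR_A6 = b"\x4e\xae"
JSR_PC = b"\x4e\xba"
VIRUS_LEN = 972                 # bytes appended behind the first hunk (from the description)
MARKER = b"\xff\xff\xff\xe9"    # ASSUMPTION of this model: marker at the start of the appended part

# Constructed sample hunk (not from a real file):
#   moveq #0,d0 ; jsr -$228(a6) (OpenLibrary, LVO -552) ; rts ; padding
SAMPLE = b"\x70\x00" + b"\x4e\xae\xfd\xd8" + b"\x4e\x75" + b"\x00" * 10


def find_patchable_jsr(code: bytes):
    """Offset of the first jsr d16(a6) from which a jsr d16(pc) still reaches the hunk end.

    A 68k PC-relative displacement is a signed 16-bit word counted from the
    extension word (instruction offset + 2), so the distance must stay below
    $7FFF; otherwise the virus keeps searching.  The scan is word-aligned.
    """
    end = len(code)
    for off in range(0, end - 2, 2):
        if code[off:off + 2] == JSR_A6 and end - (off + 2) < 0x7FFF:
            return off
    return None


def make_body(orig_disp: bytes) -> bytes:
    """Constructed stand-in for the appended virus part (not the real code).

    The real virus must remember the original displacement somewhere so it can
    still perform the library call it hijacked; where it keeps it is not stated
    on the page, so this model stores it directly after the marker.
    """
    filler = b"\x4e\x71" * ((VIRUS_LEN - len(MARKER) - 2) // 2)   # nop padding
    return MARKER + orig_disp + filler


def infect(code: bytes) -> bytes:
    """Apply the patch described above: $4EAE -> $4EBA, displacement -> hunk end."""
    off = find_patchable_jsr(code)
    if off is None:
        raise ValueError("no jsr d16(a6) within $7FFF of the hunk end")
    patched = bytearray(code)
    orig_disp = bytes(patched[off + 2:off + 4])
    patched[off + 1] = (patched[off + 1] + 0x0C) & 0xFF   # addi.b #$c: $AE -> $BA
    patched[off + 2:off + 4] = struct.pack(">h", len(code) - (off + 2))
    return bytes(patched) + make_body(orig_disp)


def find_activation_branch(code: bytes):
    """Offset of a jsr d16(pc) whose target is the start of the appended part, or None."""
    hunk_end = len(code) - VIRUS_LEN
    for off in range(0, hunk_end - 2, 2):
        if code[off:off + 2] == JSR_PC:
            disp = struct.unpack(">h", code[off + 2:off + 4])[0]
            if off + 2 + disp == hunk_end:
                return off
    return None


def check_hunk(code: bytes) -> str:
    """Classify a first hunk the way the description says VT reports it."""
    hunk_end = len(code) - VIRUS_LEN
    if hunk_end < 0 or code[hunk_end:hunk_end + 4] != MARKER:
        return "clean"
    if find_activation_branch(code) is None:
        # Virus part present, but nothing branches into it: only the activation was removed.
        return "Sprungbefehl nicht gefunden"
    return "infected"


def strip_activation_only(code: bytes) -> bytes:
    """Model of the half-cleaning tools mentioned in the text: restores the
    original jsr d16(a6) but leaves the appended virus part in place."""
    off = find_activation_branch(code)
    if off is None:
        return code
    hunk_end = len(code) - VIRUS_LEN
    orig_disp = code[hunk_end + len(MARKER):hunk_end + len(MARKER) + 2]
    half = bytearray(code)
    half[off:off + 2] = JSR_A6
    half[off + 2:off + 4] = orig_disp
    return bytes(half)


def disinfect(code: bytes) -> bytes:
    """Full repair: restore the jsr d16(a6) and cut the appended part off."""
    if check_hunk(code) != "infected":
        raise ValueError("branch instruction not found: file was already half-cleaned")
    return strip_activation_only(code)[:len(code) - VIRUS_LEN]


if __name__ == "__main__":
    bad = infect(SAMPLE)
    print(check_hunk(SAMPLE), check_hunk(bad), check_hunk(strip_activation_only(bad)))
    print("repair ok:", disinfect(bad) == SAMPLE)
```

       The half-cleaned case is the one the "Sprungbefehl" messages describe:
       a repair that only restores the jsr leaves 972 bytes of virus code in
       the file, so a later scan still finds the virus part but no longer
       finds the branch into it.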
       Detection in memory:
       VT also tries to reset LastAlert (to $FFFFFFFF). This value is not
       necessarily correct in every case.
       VT tries to deactivate the virus in memory (successful in my tests).
       If you want 100% certainty, use the reset option. In ALL cases boot
       from a CLEAN anti-virus disk!
       A reset followed by executing the startup-sequence of the hard disk
       is dangerous, because it is very likely that programs in the
       startup-sequence are infected!
       Note: If many directories are infected, I suggest working with
       Sp-File-Sp (file requester). VT then only works in the specified
       directory:
          - Click on Sp-File-Sp
          - Click on devs
          - Choose a subdirectory
          - Click on DirFTest
          - Let VT take care of the removing
          - Choose another subdirectory when done
       Consider copying the cleaned subdirectories to RAM: after the
       disinfection. When done, delete e.g. C: completely and copy it back
       from RAM:. The hard disk should be less fragmented afterwards.
       If VT shows the message "Sprungbefehl falsch" (wrong branch
       instruction):
       VT believes it has found a virus part at the end of the first hunk
       but does not find the branch instruction. Consider whether you have
       already processed the file with another program, and let VT try to
       remove the link part. There were SEVERAL programs in the past that
       only removed the activation part (the branch) of the virus but NOT
       the virus part itself.
       Note: There is reportedly (Aug 95) again a program that only removes
       the branch instruction but does not cut out the virus part. VT
       should then report "Sprungbefehl nicht gefunden" (branch instruction
       not found).
       In any case: try the removal with VT.


-------------------------------------------------------------
 Translated to English by Thomas Steffens  2001 VHT-Denmark
 Org. Test by Heiner Schneegold.
-------------------------------------------------------------
