- B.E.O.L.-2-LVirus   Link-Virus

       Reason for name (mentioned later)
       also look under BEOL
       Adds 1140 bytes to a file.
       You can read in the decoded link part:
           4eeeff76 00296865 6c6c6f2c 2069276d N..v.)hello, i'm
           20422e45 2e4f2e4c 2e20616e 64206920  B.E.O.L. and i
           6c6f7665 20796f75 210a3a52 4541444d love you!.:READM
           4500646f 732e6c69 62726172 79000000 E.dos.library...
           ffffffe9 0000                       ......
       No hidden vectors
       Not reset proof
       It anchors itself in memory with the help of DOS structures.
       VOLUME-MsgPort
       It writes $FFFFFFE9 after $202(a6)  (LastAlert)
       KS2.04: yes    (cmpi.b #$25,$15(a6))
       It re-encodes the link part on every infection, using the value at
       $DFF007. VT tries to remove it and to restore the original
       $4EAEuvwx (the jsr it overwrote). Test with a Syquest-44: after
       15 min all important directories were completely infected.
       It doesn't work anymore.
       It uses branch instructions that are only used in newer KSs.
       It attaches itself to the end of the hunk.
       Execution:
       Test for $03F3      (executable)
       Test for $FFFFFFE9  (already infected)
       Search for $4EAE    ( jsr -xy(Lib-Base) )
                           ( xy is variable, but in most cases OpenLibrary )
       If found, test whether the distance to the end of the hunk is
       smaller than $7FFF. If not, continue searching.
       If yes: addi.b #$c,-(a1)
       i.e. $4EAE is changed to $4EBA  ( jsr end-of-hunk(PC) ).
       As soon as a counter cell becomes zero after AND.B #$7F,D0, another
       link part is decoded with NOT.B (A0)+ and a file README with a
       length of 1800 bytes gets written.
       This file contains the text "hello ..." 32 times. See the dump at
       the top of this entry.
       Memory recognition:
       VT also tries to change LastAlert ($FFFFFFFF). This value is not
       necessarily correct in all cases.
       VT tries to switch it off in memory (successful during my tests).
       If you want 100% security, use the reset offer. Boot IN ALL CASES
       from a CLEAN antivirus disk!!!!
       A reset followed by executing the startup-sequence of the hdd is
       dangerous, because it is very likely that programs in the
       startup-sequence are infected!!!!!!!!!
       Note: If many directories are infected, I suggest working with
       Sp-File-Sp (FileReq.). In this case VT only works within the
       specified directory.
          - Click on Sp-File-Sp
          - Click on devs
          - Choose a subdirectory
          - Click on DirFTest
          - Let VT take care of the removing
          - Choose another subdirectory when done

       Consider copying several subdirectories to RAM after the
       disinfection. When done, delete e.g. c: completely and copy it
       back from RAM. The fragmentation of the hdd should then be
       smaller.
       If the message "Sprungbefehl falsch" (wrong branch instruction)
       appears in VT:
       VT believes it has found a virus part at the end of the first hunk
       but does not find the branch instruction. Consider whether you
       already processed the file with another program, and let VT try
       to remove the link part. There were SEVERAL programs in the past
       which only removed the activation part of the virus but NOT the
       virus part itself.
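       As an added example (not VT's code and not from the original
       description), the small Python checker below applies the two
       observations above to a hunk executable: the $FFFFFFE9 marker in
       the first hunk, and a jsr d16(PC) that was made from a jsr d16(A6)
       and points into the appended 1140 bytes. It distinguishes a clean
       file, an infected file, and the "Sprungbefehl falsch" situation
       where the marker is present but no branch leads to it. Assumptions:
       the marker is stored unencoded on a word boundary; the hunk parser
       handles only HUNK_HEADER/HUNK_CODE/HUNK_END; the sample files are
       constructed fixtures with filler bytes in place of the virus body;
       the library call in the fixture uses the exec OpenLibrary offset
       -$228.

```python
import struct

# AmigaDOS hunk identifiers
HUNK_HEADER = 0x3F3
HUNK_CODE = 0x3E9
HUNK_END = 0x3F2

# Values taken from the description above
INFECTION_MARKER = b"\xff\xff\xff\xe9"  # the virus' own "already infected" test value
LINK_PART_LEN = 1140                     # bytes the virus appends behind the first hunk
JSR_A6_REL = 0x4EAE                      # jsr d16(A6): a library call through a base in A6
JSR_PC_REL = 0x4EBA                      # jsr d16(PC): what the virus turns it into
LVO_OPENLIBRARY = -0x228                 # exec OpenLibrary offset, used in the constructed fixture


def parse_hunks(data):
    """Return [(hunk_type, payload)] for a simple hunk executable.
    Assumption: only HUNK_HEADER / HUNK_CODE / HUNK_END occur (enough for the fixture)."""
    pos = 0

    def longword():
        nonlocal pos
        value = struct.unpack_from(">I", data, pos)[0]
        pos += 4
        return value

    if longword() != HUNK_HEADER:
        raise ValueError("not a hunk executable (no $3F3 at offset 0)")
    while True:                          # resident library names: (length, name)* then 0
        name_len = longword()
        if name_len == 0:
            break
        pos += name_len * 4
    longword()                           # hunk table size
    first, last = longword(), longword()
    for _ in range(last - first + 1):
        longword()                       # per-hunk memory size (flags in the top bits)
    hunks = []
    while pos < len(data):
        hunk_type = longword()
        if hunk_type == HUNK_END:
            continue
        if hunk_type != HUNK_CODE:
            raise ValueError("unsupported hunk type $%X" % hunk_type)
        size = longword() * 4
        hunks.append((hunk_type, data[pos:pos + size]))
        pos += size
    return hunks


def marker_offsets(code):
    """Word-aligned offsets of the infection marker inside a hunk.
    Assumption: the marker is stored as-is (the virus tests for it unencoded)."""
    return [o for o in range(0, len(code) - 3, 2) if code[o:o + 4] == INFECTION_MARKER]


def pc_jsr_into_tail(code, tail_len=LINK_PART_LEN):
    """(offset, target) for every jsr d16(PC) whose target lies in the last tail_len bytes.
    The PC-relative base is the address of the displacement word (instruction offset + 2)."""
    tail_start = max(0, len(code) - tail_len)
    hits = []
    for off in range(0, len(code) - 3, 2):
        opcode, disp = struct.unpack_from(">Hh", code, off)
        if opcode == JSR_PC_REL and tail_start <= off + 2 + disp < len(code):
            hits.append((off, off + 2 + disp))
    return hits


def classify(data):
    """Apply the two checks the description implies: marker present, and a branch into it."""
    code = next((p for t, p in parse_hunks(data) if t == HUNK_CODE), None)
    if code is None:
        return "no code hunk"
    has_marker = bool(marker_offsets(code))
    has_branch = bool(pc_jsr_into_tail(code))
    if has_marker and has_branch:
        return "infected"
    if has_marker:
        return "virus part present, branch missing"   # the "Sprungbefehl falsch" situation
    return "clean"


def build_hunk_file(code):
    """Wrap one code hunk in minimal header/end framing (constructed fixture, not a real tool)."""
    n = len(code) // 4
    header = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
    return header + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END)


# Constructed original program: jsr -$228(a6) (OpenLibrary), rts, one padding word.
CLEAN_CODE = struct.pack(">Hh", JSR_A6_REL, LVO_OPENLIBRARY) + b"\x4e\x75" + b"\x00\x00"
# Constructed stand-in for the 1140-byte link part: filler ending in the marker. No virus code.
FAKE_LINK_PART = b"\x42" * (LINK_PART_LEN - len(INFECTION_MARKER)) + INFECTION_MARKER


def constructed_infected_sample():
    """Original code with its first jsr d16(a6) redirected PC-relative to the appended tail."""
    target = len(CLEAN_CODE)                                 # tail begins where the hunk ended
    patched = struct.pack(">Hh", JSR_PC_REL, target - 2) + CLEAN_CODE[4:]   # jsr sits at offset 0
    return build_hunk_file(patched + FAKE_LINK_PART)


def constructed_half_cleaned_sample():
    """Jsr restored but tail left in place: what a tool that only removes the activation leaves."""
    return build_hunk_file(CLEAN_CODE + FAKE_LINK_PART)


if __name__ == "__main__":
    for name, sample in (("clean", build_hunk_file(CLEAN_CODE)),
                         ("infected", constructed_infected_sample()),
                         ("half-cleaned", constructed_half_cleaned_sample())):
        print(name, "->", classify(sample))
```

       The half-cleaned fixture is the case the message refers to: the
       activation jsr is back in place, so nothing branches into the tail,
       but the tail with the marker is still attached to the hunk.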


-------------------------------------------------------------
 Translated to English by Thomas Steffens  2001 VHT-Denmark
 Org. Test by Heiner Schneegold.
-------------------------------------------------------------
