- BEOL-3-Virus

       File length increase: 1620 bytes
       Readable in the file (not encrypted):
           b6806660 0cad4245 4f4c02d6 66246100 ..f`..BEOL..f$a.
                 ;........
           45ea0018 202afff4 4e75dfdf dfdf034c E... *..Nu.....L
           4841034c 5a58035a 4950054c 4841222d HA.LZX.ZIP.LHA"-
       Memory installation:
         $B4(Process)
         It searches the DosList for all DLT_VOLUME entries. The pointer at
         offset $B4 (pr_PktWait) of the process belonging to each entry is
         set to an address inside the virus's own code. In every
         non-infected process I have looked at, this pointer is normally
         null. If VT reports "$B4(Process) > 0" in the future, it has not
         necessarily found BEOL-3; most likely some other unwanted code
         has changed the pointer.
         Be alert!!!
         Through this pointer the BEOL-3 code intercepts several DOS
         packets (Action_Read, Action_Seek and so on).
        Effects as long as it is active in memory:
         DosOpen and DosExamine receive the intercepted DosPackets at a
         lower level and therefore return a wrong result (term: stealth
         virus). E.g. you will see the original length of a file instead
         of the infected length. Even a hex editor shows the file as
         uninfected, because the virus removes its own part from the file
         while the file is being loaded.
         VT tries to turn off the virus in memory.
       File changing:
         If the call comes from lha and so on (see the names at the top),
         there should be no changes.
        Otherwise:
         The file becomes 1620 bytes longer.
         The file always contains 2 hunks.
         The first hunk is the virus part.
         The 2nd hunk is a data hunk that contains the original file with
         its beginning (1612 bytes) moved to the end.
         VT should (if BEOL-3 is NOT active) recognize these files and
         be able to restore them to their original state.
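The file layout described above can be checked and undone offline. The following script is an added example and is not VT's code or any part of the original description: it parses a plain Amiga hunk executable, flags the described layout (exactly two hunks, a code hunk carrying the first hex-dump row as a byte signature, then a data hunk), and moves the last 1612 bytes of the data hunk back to the front. It assumes the data hunk holds the original file byte-exact (no longword padding, which the description does not mention), that the hunk header carries no resident library names, and, for the constructed sample only, that the 1620-byte growth splits into 52 bytes of hunk framing plus a 1568-byte virus code hunk; the description gives only the total. The "infected" sample is constructed from a stand-in code hunk and contains no real virus code.

```python
import struct

# Amiga hunk-format block identifiers (standard values).
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_END = 0x3F3, 0x3E9, 0x3EA, 0x3EB, 0x3F2

# Figures taken from the description.
GROWTH = 1620          # an infected file is this much longer
MOVED_PREFIX = 1612    # leading bytes of the original moved to the end of the data hunk
# First row of the hex dump in the description, used here as a plain byte signature.
SIGNATURE = bytes.fromhex("b68066600cad42454f4c02d666246100")


def parse_hunks(data):
    """Split a hunk executable into [(hunk_type, payload), ...].
    Plain layout only: no resident-library names are expected, overlays
    and the extra memory-attribute longword (both flag bits set) are not handled."""
    def u32(off):
        return struct.unpack(">I", data[off:off + 4])[0]
    if len(data) < 4 or u32(0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    pos = 4
    while u32(pos) != 0:                 # skip the resident library name list
        pos += 4 + u32(pos) * 4
    pos += 4                             # terminating zero longword
    first, last = u32(pos + 4), u32(pos + 8)
    pos += 12 + (last - first + 1) * 4   # table_size/first/last + per-hunk size table
    hunks = []
    while pos + 4 <= len(data):
        htype = u32(pos) & 0x3FFFFFFF    # top two bits are memory-type flags
        pos += 4
        if htype == HUNK_END:
            continue
        if htype not in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            raise ValueError("unsupported hunk type 0x%X" % htype)
        nlong = u32(pos)
        pos += 4
        payload = b""
        if htype != HUNK_BSS:            # BSS hunks carry no bytes in the file
            payload = data[pos:pos + nlong * 4]
            pos += nlong * 4
        hunks.append((htype, payload))
    return hunks


def looks_like_beol3(hunks):
    """Layout check from the description: two hunks, code (virus) then data
    (displaced original), with the signature bytes inside the code hunk."""
    return (len(hunks) == 2 and hunks[0][0] == HUNK_CODE
            and hunks[1][0] == HUNK_DATA and SIGNATURE in hunks[0][1])


def restore_original(hunks):
    """Undo the displacement: the original's first 1612 bytes sit at the end
    of the data hunk (assumes the data hunk holds the original byte-exact)."""
    rotated = hunks[1][1]
    if len(rotated) <= MOVED_PREFIX:
        raise ValueError("data hunk too short for the described layout")
    return rotated[-MOVED_PREFIX:] + rotated[:-MOVED_PREFIX]


def build_hunk_file(hunks):
    """Assemble a minimal hunk executable from [(type, payload), ...]
    (payloads a multiple of 4 bytes). Used here only to construct test input."""
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(hunks), 0, len(hunks) - 1)
    out += b"".join(struct.pack(">I", len(p) // 4) for _, p in hunks)
    for htype, payload in hunks:
        out += struct.pack(">II", htype, len(payload) // 4) + payload
        out += struct.pack(">I", HUNK_END)
    return out


def scan(data):
    """Return (verdict, restored_bytes_or_None) for one file's contents."""
    try:
        hunks = parse_hunks(data)
    except ValueError:
        return "not a hunk file", None
    if looks_like_beol3(hunks):
        return "BEOL-3 layout", restore_original(hunks)
    return "clean layout", None


# --- constructed sample (not a real infected file) ---------------------------
# Stand-in "original program": a one-hunk executable with filler code.
ORIGINAL = build_hunk_file([(HUNK_CODE, bytes(range(256)) * 8)])
# Stand-in virus code hunk: the signature followed by NOP filler. Its length
# (1568) is an assumption chosen so that, with the 52 bytes of framing this
# builder adds, the sample grows by exactly the described 1620 bytes.
VIRUS_CODE = SIGNATURE + b"\x4e\x71" * ((1568 - len(SIGNATURE)) // 2)


def make_infected_sample(original=ORIGINAL):
    """Lay the original out as the description says: first 1612 bytes moved to the end."""
    rotated = original[MOVED_PREFIX:] + original[:MOVED_PREFIX]
    return build_hunk_file([(HUNK_CODE, VIRUS_CODE), (HUNK_DATA, rotated)])


if __name__ == "__main__":
    infected = make_infected_sample()
    print(len(infected) - len(ORIGINAL))            # 1620
    verdict, restored = scan(infected)
    print(verdict, restored == ORIGINAL)            # BEOL-3 layout True
    print(scan(ORIGINAL)[0])                        # clean layout
```

The structural check (two hunks, code then data) is deliberately combined with the byte signature: a legitimate program can also have a code hunk followed by a data hunk, so the layout alone is only a hint, which is also why the restore is applied only after both conditions hold.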
       Hint 1:
         Now and then click on a gadget in VT (e.g. Tools) and then again
         in the window and on End. Result: VT runs a memory scan and should
         be able to recognize a NEWLY activated BEOL-3.
       Hint 2:
         Even older VT versions should (with an active BEOL-3 in memory)
         show error messages such as "Fehler in Blockliste" (error in
         block list) or "BadNextDataBlock" for BEOL-3 infected files when
         running the BlockKetteTest, because the file length reported by
         BEOL-3 does not match the number of blocks. I tried this on
         several computers and always saw these error messages.


-------------------------------------------------------------
 Translated to English by Thomas Steffens  2001 VHT-Denmark
 Original text by Heiner Schneegold.
-------------------------------------------------------------
