------------------------
Amiga Virus Encyclopedia
BEOL 1 Link Virus
------------------------
- B.E.O.L.-LVirus, a link virus
Reason for the name: see the README text below.
Other possible names: Mount-972-Virus, 4EAE-Virus, FFFFFFE9-Virus
Adds 972 bytes to an infected file.
In the decoded link part you can read (note the string "c/mount" and
the $4EAE.... library calls, jsr -xy(a6), which the alternative names
refer to):
22006720 4eaeff82 4eaeffa6 6108632f ".g N...N...a.c/
6d6f756e 7400221f 242afff0 4eaeffe2 mount.".$*..N...
No hidden vectors.
Not reset-proof.
It stays resident in memory by hooking DOS structures (the volume's
MsgPort).
It writes $FFFFFFE9 into LastAlert, $202(a6) in ExecBase, as its
in-memory marker.
KS2.04: yes (it checks the version byte of the library base with
cmpi.b #$25,$15(a6), i.e. lib_Version 37 = Kickstart 2.04).
It re-encodes the link part on every infection, using the beam-position
register $DFF006 (VHPOSR) as the source of the key, so the encoded bytes
differ from file to file. VT tries to remove it and to restore the
original $4EAEuvwx (the jsr -xy(a6) that the virus patched).
Test with a Syquest 44: after 15 min all important directories were
completely infected.
It doesn't work any more: it uses branch instructions that only work
under newer Kickstarts.
It appends itself to the end of the first hunk.
Execution:
Test for $03F3 (HUNK_HEADER, i.e. an executable).
Test for $FFFFFFE9 (already infected).
Search for $4EAE ( jsr -xy(Lib-Base) )
( xy varies, but in most cases it is OpenLibrary ).
If found, test whether the distance to the end of the hunk is smaller
than $7FFF (the largest positive 16-bit PC-relative displacement).
If not, go on searching.
If yes ( addi.b #$c,-(a1) ),
i.e. $4EAE is changed to $4EBA ( jsr Hunkende(PC) ): the program's
first library call now jumps to the virus body appended at the end of
the hunk.
As soon as a counter cell becomes zero after LSL.B #2,D1, a further
link part is decoded with NEG.L (A7) and a file README with a length of
1152 bytes is written. This file contains 32 times the line
©+® B.E.O.L. 1995! Don't be angry!!
(35 characters plus line feed = 36 bytes; 32 x 36 = 1152).
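As an added example (not from the original description and not VT's
code), the following Python script parses an Amiga hunk executable and
checks the first code hunk for the pattern described above: a
jsr d16(PC) whose target lies in the last 972 bytes of the hunk, plus
the $FFFFFFE9 marker somewhere in that tail. It builds a small
constructed sample program, applies the same patch the description
documents (with a zero-filled tail standing in for the virus body,
whose real layout this page does not give) and shows that the check
fires only afterwards. Since the page does not say where the virus
keeps the original jsr displacement, the script detects but does not
disinfect; the hunk-type constants are the standard AmigaOS values.

```python
import struct

# AmigaOS hunk-file block types (standard values)
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_END = 0x3EC, 0x3F2

BEOL_MARKER = 0xFFFFFFE9   # infection marker tested by the virus
BEOL_LENGTH = 972          # bytes the virus appends to the hunk
JSR_A6 = 0x4EAE            # jsr d16(a6): a library call
JSR_PC = 0x4EBA            # jsr d16(PC): what the virus patches it into


def _u32(data, off):
    return struct.unpack_from(">I", data, off)[0]


def parse_hunks(data):
    """Walk a hunk executable; return (type, payload offset, payload length)
    for every CODE/DATA hunk. Only the hunk types needed here are handled."""
    if _u32(data, 0) != HUNK_HEADER:
        raise ValueError("no HUNK_HEADER: not an Amiga executable")
    off = 4
    while True:                       # resident library names, 0-terminated
        n = _u32(data, off)
        off += 4
        if n == 0:
            break
        off += n * 4
    _table_size, first, last = struct.unpack_from(">III", data, off)
    off += 12 + (last - first + 1) * 4      # skip the per-hunk size table
    hunks = []
    while off < len(data):
        htype = _u32(data, off) & 0x3FFFFFFF   # top bits are memory flags
        off += 4
        if htype in (HUNK_CODE, HUNK_DATA):
            n = _u32(data, off)
            hunks.append((htype, off + 4, n * 4))
            off += 4 + n * 4
        elif htype == HUNK_BSS:
            off += 4
        elif htype == HUNK_RELOC32:
            while True:
                cnt = _u32(data, off)
                off += 4
                if cnt == 0:
                    break
                off += 4 + cnt * 4
        elif htype != HUNK_END:
            raise ValueError("unsupported hunk type 0x%X" % htype)
    return hunks


def scan_beol(exe):
    """Heuristic after the virus's own logic: in the first code hunk look for
    a jsr d16(PC) landing inside the last 972 bytes, which must also contain
    the $FFFFFFE9 marker. Returns offsets relative to the hunk, or None."""
    code = [h for h in parse_hunks(exe) if h[0] == HUNK_CODE]
    if not code:
        return None
    _, start, length = code[0]
    hunk = exe[start:start + length]
    tail = length - BEOL_LENGTH
    if tail <= 0:
        return None
    marker = hunk.find(struct.pack(">I", BEOL_MARKER), tail)
    if marker < 0:
        return None
    for i in range(0, tail - 2, 2):           # 68k opcodes are word aligned
        if struct.unpack_from(">H", hunk, i)[0] != JSR_PC:
            continue
        disp = struct.unpack_from(">h", hunk, i + 2)[0]
        target = i + 2 + disp                 # PC = address of extension word
        if tail <= target < length:
            return {"jsr_offset": i, "target": target, "marker_offset": marker}
    return None


def build_executable(code):
    """Single-code-hunk executable with no resident libraries (constructed)."""
    n = len(code) // 4
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
            + struct.pack(">II", HUNK_CODE, n) + code
            + struct.pack(">I", HUNK_END))


def build_clean_sample():
    """Constructed sample program: opens dos.library and returns."""
    code = bytes.fromhex(
        "2c780004"    # move.l 4.w,a6     ExecBase
        "43fa000a"    # lea name(pc),a1
        "7000"        # moveq #0,d0
        "4eaefdd8"    # jsr -552(a6)      OpenLibrary: the $4EAE the virus looks for
        "4e75"        # rts
    ) + b"dos.library\0"              # name:, ends on a longword boundary
    return build_executable(code)


def simulate_infection(exe):
    """Apply the documented patch: first jsr d16(a6) -> jsr hunkend(PC), then
    append 972 bytes starting with the marker. The tail is zero filler
    standing in for the virus body, whose layout the description does not give."""
    if scan_beol(exe) is not None:           # marker test: already infected
        return exe
    _, start, length = [h for h in parse_hunks(exe) if h[0] == HUNK_CODE][0]
    code = bytearray(exe[start:start + length])
    for i in range(0, length - 2, 2):
        dist = length - (i + 2)              # distance from ext word to hunk end
        if struct.unpack_from(">H", code, i)[0] == JSR_A6 and dist < 0x7FFF:
            struct.pack_into(">Hh", code, i, JSR_PC, dist)   # $4EAE -> $4EBA
            break
    else:
        raise ValueError("no jsr d16(a6) found")
    tail = struct.pack(">I", BEOL_MARKER).ljust(BEOL_LENGTH, b"\0")
    return build_executable(bytes(code) + tail)


if __name__ == "__main__":
    clean = build_clean_sample()
    print("clean   :", scan_beol(clean))
    print("infected:", scan_beol(simulate_infection(clean)))
```

The scanner deliberately looks for the result of the patch (jsr d16(PC)
into the tail plus the marker) rather than for the encoded body, because
the body is re-encoded with a different key on every infection and has
no fixed byte signature.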
Memory recognition:
VT also tries to reset LastAlert (to $FFFFFFFF). This value is not
necessarily the right one in all cases.
VT tries to switch the virus off in memory (successful during my tests).
If you want 100% security, use the reset offer. Boot IN ALL CASES
from a CLEAN antivirus disk!!!!
A reset followed by executing the startup-sequence of the hard disk is
dangerous because programs in the startup-sequence are very likely
infected!!!!!!!!!
Note: If many directories are infected I suggest working with
Sp-File-Sp (file requester). VT then only operates in the specified
directory:
- Click on Sp-File-Sp
- Click on devs
- Choose a subdirectory
- Click on DirFTest
- Let VT take care of the removal
- Choose another subdirectory when done
Consider copying the disinfected subdirectories to RAM:, deleting e.g.
C: completely and copying it back from RAM:. The fragmentation of the
hard disk should be smaller afterwards.
If the message "Sprungbefehl falsch" ("branch instruction wrong")
appears in VT:
VT believes it has found a virus part at the end of the first hunk but
does not find the branch instruction. Consider whether you already used
another program on the file, and let VT try to remove the link part.
There were SEVERAL programs in the past which only removed the
activation part of the virus (the patched branch) but NOT the virus
part itself.
Note: There is apparently again a program (Aug 95) which only removes
the branch instruction but does not cut out the virus part. VT should
then say: "Sprungbefehl nicht gefunden" ("branch instruction not found").
In any case: try the removal with VT.
Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
-------------------------------------------------------------
Translated to English by Thomas Steffens © 2001 VHT-Denmark
Original test by Heiner Schneegold.
-------------------------------------------------------------
Virus Help Team Denmark & Canada Copyright © All rights reserved www.vht.dk