------------------------
Amiga Virus Encyclopedia
BEOL 2 Link Virus
------------------------
- B.E.O.L.-2-LVirus Link-Virus
Reason for the name: see the decoded text below.
also look under BEOL
Adds 1140 bytes to a file.
You can read in the decoded link part:
4eeeff76 00296865 6c6c6f2c 2069276d N..v.)hello, i'm
20422e45 2e4f2e4c 2e20616e 64206920 B.E.O.L. and i
6c6f7665 20796f75 210a3a52 4541444d love you!.:READM
4500646f 732e6c69 62726172 79000000 E.dos.library...
ffffffe9 0000 ......
No hidden vectors
Not reset proof
It stays resident in memory by using DOS structures
(the VOLUME MsgPort).
It writes $FFFFFFE9 to LastAlert ($202(a6)).
KS2.04: yes (it checks cmpi.b #$25,$15(a6), i.e. library version 37).
It re-encodes the link part on every infection, using the value
read from $DFF007. VT tries to remove it and to restore the original
$4EAE uvwx (jsr uvwx(a6)) instruction. Test with a Syquest-44: after
15 minutes all important directories were completely infected.
It doesn't work anymore.
It uses branch instructions that only work on newer Kickstarts.
It attaches itself behind the hunk.
Execution:
Test for $03F3 (executable)
Test for $FFFFFFE9 (already infected)
Search for $4EAE ( jsr -xy(Lib-Base) )
( xy is variable, but in most cases it is OpenLibrary )
If found, test whether the distance to the end of the hunk is smaller
than $7FFF (the limit of a 16-bit PC-relative displacement).
If not, continue searching.
If yes ( addi.b #$c,-(a1) ),
i.e. $4EAE is changed to $4EBA ( jsr HunkEnd(PC) ), so the call is
redirected to the virus code appended at the end of the hunk.
As soon as a counter cell becomes zero after AND.B #$7F,D0, a further
link part is decoded with NOT.B (A0)+ and a file README with a
length of 1800 bytes is written.
This file contains the text "hello ..." 32 times. See the dump at the
top of this entry.
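The two file tests the infection routine starts with ($03F3 at the file start, $FFFFFFE9 as the "already infected" mark) can be turned around into a scanner. The following is an added example, not code from VT or from the encyclopedia: it parses the Amiga hunk header, takes the first code hunk, and looks for the marker in its tail. That the marker sits at the end of the appended link part is an assumption taken from the decoded dump above (it ends in ffffffe9 0000); the sample executables are constructed by build_hunk_file.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
INFECTION_MARKER = b"\xff\xff\xff\xe9"   # $FFFFFFE9: the value the virus tests for "already infected"

def build_hunk_file(code):
    """Constructed sample: a minimal one-hunk executable (HUNK_HEADER, HUNK_CODE, HUNK_END)."""
    code += b"\0" * (-len(code) % 4)                      # hunk sizes are counted in longwords
    n = len(code) // 4
    header = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)  # no resident libs; hunks 0..0
    return header + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END)

def first_code_hunk(buf):
    """Return the bytes of the first HUNK_CODE block, or None if buf is not a hunk executable."""
    if len(buf) < 4 or struct.unpack(">I", buf[:4])[0] != HUNK_HEADER:
        return None                                       # the $03F3 test from the infection routine
    pos = 4
    while True:                                           # resident library table, 0-terminated
        n = struct.unpack(">I", buf[pos:pos + 4])[0]
        pos += 4
        if n == 0:
            break
        pos += n * 4
    _, first, last = struct.unpack(">III", buf[pos:pos + 12])
    pos += 12 + 4 * (last - first + 1)                    # skip the hunk size table
    kind, length = struct.unpack(">II", buf[pos:pos + 8])
    if kind & 0x3FFFFFFF != HUNK_CODE:                    # memory-type flags live in the top bits
        return None
    return buf[pos + 8:pos + 8 + length * 4]

def classify(buf):
    """'not-hunk', 'infected' (marker in the tail of the first code hunk), 'suspicious', or 'clean'."""
    code = first_code_hunk(buf)
    if code is None:
        return "not-hunk"
    # Assumption from the decoded dump (it ends in ffffffe9 0000): the marker sits at the end of
    # the link part, which the virus appends to the first hunk. $FFFFFFE9 can also occur in honest
    # code (it is -23 as a longword), so a hit elsewhere is only 'suspicious'.
    if INFECTION_MARKER in code[-64:]:
        return "infected"
    if INFECTION_MARKER in buf:
        return "suspicious"
    return "clean"
```

As the entry itself notes for LastAlert, the marker is an indicator and not proof; a 'suspicious' result is a reason to run VT on the file, not to delete it.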
Memory recognition:
VT also tries to change LastAlert (to $FFFFFFFF). This value is not
necessarily correct in all cases.
VT tries to turn it off in memory (successful during my tests).
If you want 100% security, use the reset option. Boot IN ALL CASES
from a CLEAN antivirus disk!!!!
A reset followed by executing the startup-sequence of the hdd is
dangerous because it is very likely that programs in the
startup-sequence are infected!!!!!!!!!
Note: If many directories are infected, I suggest working with
Sp-File-Sp (FileReq.). VT then only works within the specified
directory.
- Click on Sp-File-Sp
- Click on devs
- Choose a subdirectory
- Click on DirFTest
- Let VT take care of the removing
- Choose another subdirectory when done
Consider copying several subdirectories to RAM after the
disinfection. When done, delete e.g. c: completely and copy it back
from RAM. This should reduce the fragmentation of the hdd.
If the message "Sprungbefehl falsch" (branch instruction wrong)
appears in VT:
VT believes it has found a virus part at the end of the first hunk
but does not find the branch instruction. Consider whether you have
already processed the file with another program, and let VT try to
remove the link part. There were SEVERAL programs in the past which
only removed the activation part of the virus but NOT the virus part
itself.
Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
-------------------------------------------------------------
Translated to English by Thomas Steffens © 2001 VHT-Denmark
Org. Test by Heiner Schneegold.
-------------------------------------------------------------
Virus Help Team Denmark & Canada Copyright © All rights reserved www.vht.dk