------------------------
Amiga Virus Encyclopedia
BEOL 96 Link Virus
------------------------
-----------------------------------------------------------------------
Entry...............: Beol`96
Alias(es)...........: Beol-4, Beol-Poly
Virus Strain........: -
Virus detected when.: August 1996
              where.: Germany, USA, Israel, UK and the Netherlands
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: ca. 2000 bytes
                         (uses a highly polymorphic engine)
                      2. Length in RAM: 3000 bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04+ (V37-V40)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: -
Type of infection...: Self-identification method in files:
                      - uses a bug in the BSTR routine of filecomment()
                        for the stealth routine
                      Self-identification method in memory:
                      - none
                      System infection:
                      - WaitPkt entry of the DOS processes. This pointer
                        is normally not used and is set to zero. The idea
                        behind this pointer is a replacement for the
                        standard WaitPkt routine of the OS. In other
                        words: the programmer of this virus wrote code
                        compatible with WaitPkt().
                      Infection preconditions:
                      - HUNK_HEADER is found
                      - device is validated
Infection Trigger...: The infection is based on the packet handling
                      system of AMIGA OS. Every started file will be
                      infected. All synchronous DOS commands are affected.
                      Storage media affected:
                      - all DOS devices
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - crypts the first word in the first original hunk,
                        so the whole virus has to be decrypted to get the
                        original longword back for the decryption code.
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - infecting a file
Particularities.....: The crypt/decrypt routines are aware of processor
                      caches. The crypt routines are highly polymorphic
                      (level 4) and consist of some logical stuff. The
                      packet handling works even on the new developer OS
                      versions and uses the extended packet commands of
                      AMIGA OS. The virus is incompatible with the new
                      versions of EXEC, as it uses some commands only
                      legal in the V37-V41 versions of the task handling.
                      The virus tunnels DOS-call watchers like SnoopDos
                      etc. by using only low-level packet routines.
Similarities........: The link method is the normal "hunk 1 add" method
                      invented by IRQ Team V41. The way of infecting the
                      system is comparable to the first two BEOL link
                      viruses.
Stealth.............: FIRST working directory stealth code in a virus. It
                      uses a trick with the file comment to mark the
                      files which have to be shown as uninfected.
                      - The way of storing the original values is at the
                        moment UNKNOWN -
                      The stealth engine is a so-called directory stealth
                      system. It catches the list calls and gives the
                      system the uninfected length of the files back. If
                      such a file is loaded into an editor, the infected
                      file is in the buffer. The most modern PC viruses
                      are one step ahead and give even the editor the
                      original file (N8ghtFall = Wedding).
Armouring...........: The virus is heavily armoured with a random layered
                      polymorphic decryptor. The decryptor activates all x
                      layer decryptors in a row and always uses different
                      logical stuff. The virus uses anti-debugging and
                      anti-heuristic stuff to irritate the analyser. Most
                      operations are done using the stack. The headers
                      always have a different length; the only fixed
                      instruction is a "movem.l d0-d7/a0-a6,-(sp)" =
                      $48e7fffe at the beginning of the hunk. Internally
                      the virus uses the StackBase trick (bsr xx,
                      jump table, xx: pop a0) to irritate the analysers.
                      Some parts of the code are manipulated online (data
                      reuse) and the polymorphic engine is created in a
                      stack area. This function refuses to work properly
                      in a test suite.
                      The crypt routine can be seen as "state of the art"
                      on AMIGA systems at the moment. The level 4
                      polymorphic header makes it nearly impossible to
                      recognize this virus by normal recognition. It's
                      not possible to use any RAID technology (see
                      HitchHiker3) to decode the main block of the virus.
                      We are now doing a heuristic recognition using some
                      characteristics of the virus and then start the
                      whole emulation process to recognize the virus by
                      name.
Comments............: Maybe the first virus which makes it necessary to do
                      a complete CPU emulation. The first working CPU
                      emulator was used to decrypt the Cryptic Essence
                      link virus by VirusWorkshop. Other good virus
                      killers like VT and VZ used the original decrunch
                      code in their repair code.
                      VIRUSWORKSHOP RECOGNIZES THE BEOL96 LINKVIRUS ONLY ON
                      SYSTEMS WITH A 68020 OR HIGHER PROCESSOR.
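Two of the characteristics described above can be turned into plain file-level checks that a scanner can run without any CPU emulation: the directory stealth section says the list calls hand back the uninfected length, so the size a listing reports can be compared with the bytes actually read, and the Armouring section names one fixed opcode, movem.l d0-d7/a0-a6,-(sp) = $48e7fffe, at the beginning of the added hunk. The Python below is an added example and is not code from this encyclopedia entry or from VirusWorkshop, VT or VZ. It walks the AmigaDOS hunk executable format (HUNK_HEADER $3F3, HUNK_CODE $3E9, HUNK_DATA $3EA, HUNK_BSS $3EB, HUNK_RELOC32 $3EC, HUNK_END $3F2), applies both checks, and adds a consistency check of its own between the hunk count declared in the header and the hunks actually present. The sample executables are constructed inline; the function names and the reporting format are this example's own choices.

```python
import struct

# Hunk block identifiers from the AmigaDOS executable format.
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_END = 0x3EC, 0x3F2
# movem.l d0-d7/a0-a6,-(sp): the one fixed opcode the entry names.
MOVEM_ALL_PREDEC = 0x48E7FFFE


def _u32(buf, off):
    """Read one big-endian longword; hunk files are 68k big-endian."""
    if off + 4 > len(buf):
        raise ValueError("truncated hunk file at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4


def parse_hunks(buf):
    """Walk the file; return (hunks declared in the header, [(type, body), ...])."""
    magic, off = _u32(buf, 0)
    if magic != HUNK_HEADER:
        raise ValueError("not a hunk executable: no HUNK_HEADER")
    while True:                        # resident library names, 0-terminated
        n, off = _u32(buf, off)
        if n == 0:
            break
        off += n * 4
    _table_size, off = _u32(buf, off)
    first, off = _u32(buf, off)
    last, off = _u32(buf, off)
    declared = last - first + 1
    off += declared * 4                # per-hunk size table; sizes re-read below
    hunks = []
    while off < len(buf):
        htype, off = _u32(buf, off)
        htype &= 0x1FFFFFFF            # drop memory-type / advisory flag bits
        if htype in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            n, off = _u32(buf, off)
            body = b""
            if htype != HUNK_BSS:      # BSS carries a size only, no bytes
                body, off = buf[off:off + n * 4], off + n * 4
            hunks.append((htype, body))
        elif htype == HUNK_RELOC32:    # (count, hunk no., offsets...)* then 0
            while True:
                cnt, off = _u32(buf, off)
                if cnt == 0:
                    break
                off += 4 + cnt * 4
        elif htype != HUNK_END:
            raise ValueError("unsupported hunk type 0x%X" % htype)
    return declared, hunks


def check_executable(buf, listed_size):
    """Return findings for one file; listed_size is what the directory reported."""
    findings = []
    if listed_size != len(buf):
        findings.append("listed size %d != %d bytes actually read "
                        "(possible directory stealth)" % (listed_size, len(buf)))
    declared, hunks = parse_hunks(buf)
    if declared != len(hunks):
        findings.append("header declares %d hunks, file holds %d" % (declared, len(hunks)))
    for idx, (htype, body) in enumerate(hunks):
        if htype == HUNK_CODE and len(body) >= 4 \
                and struct.unpack(">I", body[:4])[0] == MOVEM_ALL_PREDEC:
            findings.append("code hunk %d opens with movem.l d0-d7/a0-a6,-(sp) "
                            "($48E7FFFE)" % idx)
    return findings


def build_hunk_file(code_bodies):
    """Assemble a minimal executable from code-hunk bodies (constructed test data)."""
    bodies = [b + b"\0" * (-len(b) % 4) for b in code_bodies]
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(bodies), 0, len(bodies) - 1)
    out += b"".join(struct.pack(">I", len(b) // 4) for b in bodies)
    for b in bodies:
        out += struct.pack(">II", HUNK_CODE, len(b) // 4) + b + struct.pack(">I", HUNK_END)
    return out


# Constructed samples: a clean one-hunk program, and a two-hunk file whose extra
# hunk opens with the movem while the listing still reports the clean size.
CLEAN = build_hunk_file([b"\x70\x00\x4e\x75"])                      # moveq #0,d0 ; rts
SUSPECT = build_hunk_file([b"\x70\x00\x4e\x75", b"\x48\xe7\xff\xfe\x4e\x75"])

if __name__ == "__main__":
    print("clean  :", check_executable(CLEAN, len(CLEAN)))
    print("suspect:", check_executable(SUSPECT, len(CLEAN)))
```

The size comparison only works from a viewpoint the stealth routine does not control, which is exactly why the entry recommends scanning from a clean Kickstart boot: the listed size must come from a trusted directory read, while the byte count comes from actually reading the file. The opcode check is a heuristic, not a signature; plenty of legitimate 68k routines start by saving all registers, so a hit should trigger deeper analysis rather than a verdict on its own.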
--------------------- Agents -------------------------------------------
Countermeasures.....: VZ 1.34, VT 2.89 and VW 6.3 and above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Hannover, Germany, 18.09.1996
Classification by...: Georg Hoermann and Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Sep. 18, 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication
===================== End of Beol`96 Virus =========================
Antivirus removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                   Kickstart all others: VirusZ III with Xvs.library installed