BEOL 3 Link Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



   ------------------------
   Amiga Virus Encyclopedia
   BEOL 3 Link Virus
   ------------------------
    

   - BEOL-3-Virus   Link

       File extension: 1620 bytes
       You can read in the file (uncoded):
           b6806660 0cad4245 4f4c02d6 66246100 ..f`..BEOL..f$a.
                 ;........
           45ea0018 202afff4 4e75dfdf dfdf034c E... *..Nu.....L
           4841034c 5a58035a 4950054c 4841222d HA.LZX.ZIP.LHA"-
    
    Memory installation:
         $B4(Process)
	     It searches for all DLT_VOLUME with DosList. At pointer $B4
	     (pr_PktWait) of the DosList an address will be added which
	     shows its own virus part. Usually this pointer is in all 
	     noninfected processes I looked at null. If VT shows
	     "$B4(Process) > 0" in the future, it didn't found BEOL-3 but
	     another non-wanted part has mostlikely changed the pointer.
	     Be alert!!!
	     The BEOL-3 part captures several Dos packages with this pointer
         (Action_Read, Action_Seek and so on).
	
	Effects as long as it is active in memory:
         DosOpen and DosExamine get the caught DosPackets in deeper
	     levels and so they get a wrong result. (Term: Stealth-Virus).
	     E.g. you will see the original length of a file insteadt the
	     infected length. Even a hex editor shows the file uninfected
    	 because the virus removes its part from the file during the
	     loading process.
	     VT tries to turn off the virus in the memory.
    
    File changing:
         If a call from lha and so on (look at top) appears, there
	     shouldn't be any changes.

	Else:
    	 The file will become 1620 bytes longer.
    	 The file always contains 2 hunks.
    	 The first hunk is the virus part.
         The 2nd Hunk is a data hunk which contains the original file
	     with the beginning of it (1612 bytes) moved to the end.
	     VT should (if BEOL-3 is NOT active) recognize these files and
	     it should be able to reset them to their original state.

       Hint 1:
         Click then and when on a gadget in VT (e.g. Tools) and then
    	 again in the window and on end. Result: VT processes a memory
	     scan and should be able to recognize a NEW activated BEOL-3.

       Hint 2:
         Even older VT versions should be able (with an active BEOL-3 in
	     memory) show error messages like "Fehler in Blockliste" (error
	     in block list) or "BadNextDataBlock" at BEOL-3 infected files
         when processing the BlockKetteTest because the file length said
         by BEOL-3 does not suit with the number of blocks. I tried this
         with several computers and I saw always these error messages.

       Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                Kickstart all others: VirusZ III with Xvs.library installed


     -------------------------------------------------------------
     Translated to English by Thomas Steffens © 2001 VHT-Denmark
     Org. Test by Heiner Schneegold.
     -------------------------------------------------------------


    


Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk