BEOL 4 Link Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



   ------------------------
   Amiga Virus Encyclopedia
   BEOL 4 Link Virus
   ------------------------
    

   - BEOL-4-Virus   Link

       File size increase: 2000 bytes
        
        IMPORTANT !!!!!!
        If VT shows a message that it might be the BEOL4 you
        should reboot from a clean anti-virus disk IN ANY CASE!!!!!

     Memory infection:
         NEVER successful on my systems
         68000/30/40/60: always GURU 3, 4 or B
         It might work on a 68020. (I do not own one)
         Either it did not link or a Guru occurred when it found the
         hard drive.
    
         BUT !!!
         An installer was published on the Internet in a defective
         lzx archive. However, C source code comes with it, and with it
         a link to a file can be performed manually.
         The linked file becomes 2000 bytes bigger.
         The infected file always consists of 2 hunks:
         the first hunk is the virus;
         the second is a data hunk containing the original file, with
         its beginning moved to the end.
         VT should be able to recognize and disinfect these files.
        
         BUT !!!!!
         As soon as a hard drive is found, the virus changes parts of the
         filesystem stored in the rigid disk blocks (RDB !!!!!!!!!) BEFORE
         the GURU occurs.
         The LSEG blocks start on my test medium at block 0+2

         Before:
             0600: 4c534547 00000080 150b81f5 00000007 LSEG............
             0610: 00000004 000003f3 00000000 00000001 ................
             0620: 00000000 00000000 00001821 000003e9 ...........!....
             0630: 00001821 72006008 00000000 00000012 ...!r.`.........
             0640: 48e700fe e5892441 2f016160 221f4cdf H.....$A/.a`".L.
             0650: 7f004a81 66024e75 4ed64afc 00000026 .J.f.NuN.J....&
             0660: 00000050 002800af 0000006a 00000056 ...P.(.....j...V
             0670: 00000004 00000000 00000001 00000004 ................
             0680: 00000096 24564552 3a206673 2034302e ....$VER: fs 40.
             
         After:
             0600: 4c534547 00000080 62ef8c4c 00000007 LSEG....b..L....
             0610: 00000004 000003f3 00000000 00000002 ................
             0620: 00000000 00000001 000001e7 00001833 ...............3
             0630: 000003e9 000001e7 487afffe 48e7fffe ........Hz..H...
             0640: 606c2c78 0004206e 01142028 00ac6706 `l,x.. n.. (..g.
             0650: e588723c 600ad0fc 005c4eae fe807218 ..r<`....\N...r.
             0660: d0812a40 614c670e b4956602 2a815880 ..*@aLg...f.*.X.
             0670: 30fc4ef9 20c030fc 4e75246f 003c3e3c 0.N. .0.Nu$o.<><
             0680: 01e626da 51cffffc 26ce2c78 0004226e ..&.Q...&.,x.."n
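
         The two dumps above are RDB LSEG blocks (the filesystem the
         Amiga loads from the rigid disk blocks), and the load data inside
         them is an ordinary AmigaOS hunk file. The following Python
         script is an added example written for this page; it is not
         code from VT, VHT or Heiner Schneegold. It rebuilds the bytes
         from the two dumps exactly as printed, parses the LSEG header
         and the hunk header behind it, and applies the layout described
         earlier (exactly two hunks, the first a code hunk of roughly
         2000 bytes) as a detection heuristic. The hunk identifiers
         (0x3F3 HUNK_HEADER, 0x3E9 HUNK_CODE, 0x3EA HUNK_DATA) and the
         LSEG layout (id, size in longs, checksum, host id, next block)
         are the documented Amiga formats; the 100-byte tolerance around
         2000 bytes is an assumption of this example, and the block
         checksum can only be verified on a full 512-byte block, which
         the dumps above do not include.

```python
"""Parse the LSEG block excerpts printed above (added example, not part
of the original VHT text) and show the hunk layout before/after the
BEOL-4 modification."""
import struct

# Identifiers from the AmigaOS executable ("hunk") format.
HUNK_HEADER = 0x3F3
HUNK_CODE = 0x3E9
HUNK_DATA = 0x3EA
HUNK_BSS = 0x3EB
HUNK_NAMES = {HUNK_CODE: "HUNK_CODE", HUNK_DATA: "HUNK_DATA", HUNK_BSS: "HUNK_BSS"}

# The two dumps exactly as printed on this page (header lines suffice;
# the remaining lines are virus/filesystem code, not header data).
BEFORE = """\
0600: 4c534547 00000080 150b81f5 00000007 LSEG............
0610: 00000004 000003f3 00000000 00000001 ................
0620: 00000000 00000000 00001821 000003e9 ...........!....
0630: 00001821 72006008 00000000 00000012 ...!r.`.........
"""
AFTER = """\
0600: 4c534547 00000080 62ef8c4c 00000007 LSEG....b..L....
0610: 00000004 000003f3 00000000 00000002 ................
0620: 00000000 00000001 000001e7 00001833 ...............3
0630: 000003e9 000001e7 487afffe 48e7fffe ........Hz..H...
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'ADDR: w w w w ascii' lines back into raw big-endian bytes."""
    out = bytearray()
    for line in dump.splitlines():
        words = line.split()[1:5]  # four 32-bit words per line
        out += bytes.fromhex("".join(words))
    return bytes(out)


def parse_lseg(block: bytes) -> dict:
    """Parse an RDB LSEG header and the hunk header in its load data."""
    id_, summed_longs, checksum, host_id, next_block = struct.unpack(">4sIIII", block[:20])
    if id_ != b"LSEG":
        raise ValueError("not an LSEG block")
    # RDB blocks sum to zero (mod 2^32) over summed_longs longwords; only
    # checkable when the whole block is present.
    checksum_ok = None
    if len(block) >= summed_longs * 4:
        total = sum(struct.unpack(">%dI" % summed_longs, block[:summed_longs * 4]))
        checksum_ok = (total & 0xFFFFFFFF) == 0
    nlongs = (len(block) - 20) // 4
    longs = struct.unpack(">%dI" % nlongs, block[20:20 + nlongs * 4])
    pos = 0
    if longs[pos] != HUNK_HEADER:
        raise ValueError("LSEG load data does not begin with HUNK_HEADER")
    pos += 1
    while longs[pos] != 0:  # resident library names: (len, name...) until 0
        pos += 1 + longs[pos]
    pos += 1
    table_size, first, last = longs[pos:pos + 3]
    pos += 3
    count = last - first + 1
    # Top two bits of each size are memory-type flags, not part of the size.
    sizes = [s & 0x3FFFFFFF for s in longs[pos:pos + count]]
    pos += count
    return {
        "next_lseg": next_block,
        "checksum_ok": checksum_ok,
        "table_size": table_size,
        "hunk_count": count,
        "hunk_sizes_bytes": [s * 4 for s in sizes],
        "first_hunk_type": HUNK_NAMES.get(longs[pos], hex(longs[pos])),
        "first_hunk_size_bytes": longs[pos + 1] * 4,
    }


def looks_like_beol4_layout(info: dict, approx: int = 2000, tolerance: int = 100) -> bool:
    """Heuristic from the text above: exactly two hunks, the first a code
    hunk of roughly 2000 bytes. The tolerance is this example's assumption."""
    return (info["hunk_count"] == 2
            and info["first_hunk_type"] == "HUNK_CODE"
            and abs(info["hunk_sizes_bytes"][0] - approx) <= tolerance)


if __name__ == "__main__":
    for label, dump in (("Before", BEFORE), ("After", AFTER)):
        info = parse_lseg(hexdump_to_bytes(dump))
        print(label, info, "suspicious:", looks_like_beol4_layout(info))
```

         Run on the page's own dumps the parser shows one code hunk of
         24708 bytes before the infection, and two hunks afterwards: a
         1948-byte code hunk in front (the virus) followed by a 24780-byte
         hunk holding the original filesystem. The same parse_lseg logic
         applied to the hunk header of an ordinary executable (skipping
         the 20-byte LSEG prefix) gives the two-hunk pattern VT looks for
         in linked files.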

         The FastFileSystem in the rigid disk blocks is changed in the
         manner of a faked file link. Once this is done you will ALWAYS
         see a GURU. After a reset you will immediately see a GURU
         requester again.
         The following remedy is tested and helps if you made a RIGID
         backup with VT beforehand. You also need a floppy disk, a
         mountlist file and the mount command. ALL my tries with a hard
         drive in this state and HDToolBox DIDN'T WORK OUT !!!!!
	    
         - Switch the hard drive off in the boot menu
         - Click on "Boot with no Startup-Sequence" (Important !!!!!)
         - Open 2 !!!!! CLI windows
         - Enter "mount SDH0:" (or whatever you named your first
           partition) in the first window
         - A GURU requester will show up immediately
         - Click on Suspend
         - You can't use the first window anymore !!!!!
         - Start VT from the second CLI window
         - Open z.Zyl/scanrigid
         - Delete the virus blocks with VT
         - You can restore your backed-up rigid blocks now, or
         - Reboot. Because the filesystem in the RIGID blocks is
           unusable the machine uses the filesystem stored in the ROM.
           It might be too old for your hard drive structure !!!!

         or
         - Because the virus part is no longer in the rigid blocks you
           can use HDToolBox again (you wrote down the partitions or
           printed them with VT, didn't you ?????)
         - If your computer doesn't have a boot menu (stone-age ROM):
           I'm sorry. Carry your hard drive to a friend's computer and
           let him do a format.
         - If there is a second hard drive in your computer:
           unplug it IMMEDIATELY !!!! If you don't, it might be infected
           by the damaged virus part.
	
     Important !!!!!!!
         If in doubt, ALWAYS boot from a clean disk, so that there is no
         way for the virus to link itself into memory. There might be
         computer models out there on which it can do that. It didn't
         work on mine.

     Hint:
         After this happened I can only strongly suggest that you prepare
         everything for a boot without the hard drive. You should also
         run z.Zyl on a regular basis.

       Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                Kickstart all others: VirusZ III with Xvs.library installed


     -------------------------------------------------------------
      Translated to English by Thomas Steffens © 2001 VHT-Denmark
      Original text by Heiner Schneegold.
     -------------------------------------------------------------


    


Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk