Short:        Mem viruskiller for the new Packetviruses
Author:       gzenz@ixc.net (Gideon Zenz)
Architecture: m68k-amigaos

NOTE

For news please check out the HISTORY section!

PURPOSE

As probably some of you know, a crazy guy posted the source of a really
dangerous stealth virus (Beol3) to the usenet. I decided to debug this piece in
order to protect myself from it, as the danger of clones with destructive
routines seemed to be pretty high. When testing it, I had to make sure not to
infect myself, and to clean the memory from the virus when I finished. So
AntiBeol was born, in order to clean the memory from all viruses working like
this one.

I got in contact with Markus Schmall (Virus Workshop) so I could maybe help him
a bit, and he encouraged me to improve AntiBeol, as other people might find
such a tool handy. He sent me some more viruses, so it is now able to detect
and clear the most important ones.

The difference from probably most virus killers is that this one doesn't only
notify you when it encounters a known virus, but also when it detects some
abnormal changes, so it can (hopefully) detect new viruses. All in all, it
doesn't replace a good background checker like VirusZ, but it gives you
additional help against these upcoming packet viruses.

USAGE

It's pretty easy to use. Just put it somewhere in your User-Startup with a Run,
e.g.:

    Run <>NIL: C:AntiBeol

You won't notice anything during normal work, but if it detects something, a
reqtools requester will pop up and inform you about it.

The following viruses are detected until now: Beol 3, Beol 2, Beol 96 and
SMEG. But you can also get two other warnings, which are: Dospacket virus and
Volumelauncher virus.

NOTE: These ones mean that AntiBeol found a program that used some techniques
NORMALLY only viruses (like the above mentioned) use. It DOESN'T need to be a
virus, but it can be. Programs like ArcHandler or DiskExpander can cause such
things; in this case just press "Leave It" and it won't be touched.
So IF you start a program you KNOW 100% is virus-free (and it crashes), please
mail me, and try using the NOSTRICT option.

TECHNICAL

This paragraph is for advanced users only, so don't get mad if you don't
understand a word :)

So how does this thingie work? Basically quite easy: every five seconds it
checks some vectors of the system (pr_WaitPkt of all Volumes and Processes, and
TC_LAUNCH of every task), as they are used by the above mentioned viruses. If
such a virus is detected, or some other program is found there (these vectors
are normally not used by any program I could find), they get cleared, the
suspicious piece of code gets disabled and you get notified.

For the curious ones: AntiBeol also changes its name randomly every 5 secs, so
don't get a heart attack if you see a process like "CLI(15):r7a9wOeci". This
prevents the FindTask("SnoopDos") trick.

So what do these "future-viri" requesters mean? Dospacket means that someone
hooked into pr_WaitPkt, either in the Processes or in the Volumes, and
Volumelauncher means someone hooked into the TC_LAUNCH field of the Volumes'
tasks. As additional help you get the address of the suspicious vector. This is
a pointer into the DOS structure, e.g. to pr_WaitPkt.

LAST WORDS

I really do have to thank Markus Schmall for his help and for providing
viruses! Without him I wouldn't even have thought about releasing this program!
I also have to thank Jan Andersen from the VIRUS HELP TEAM DENMARK for his
support.

You can find the newest AntiBeol on http://home4.inet.tele.dk/vht-dk/ !

HISTORY

v1.0 (24-Sep-96)
 - initial release

v1.1 (17-Oct-96)
 - Now works on 68000 machines (thx to Danny Lade)
 - Recognizes DiskExpander (thx to Martin Imlau)
 - Finally works with ArcHandler under every condition
 - Improved the warning requester: it shows memory and you can decide whether
   to kill or not to kill the suspicious code.
v1.2 (27-Nov-96)
 - Recognizes FSDirs (thx to Dave Jones)
 - Removed Enforcer hits, which caused an A3000 to stall every 5 secs (thx to
   Nils Goers)

v1.21 (10-Mar-97)
 - Recognizes VincEd (thx to Nils Goers)
 - Added new email address!

v1.3 (25-Mar-97)
 - Recognizes VMM (thx to Dave Jones)
 - The warning requester will now pop up only once instead of every 5 secs.

v1.32 (6-Sep-97)
 - Recognizes VincEd 3.52 (thx to Nils Goers)
 - Doesn't disturb serial transfers anymore (thx to Gary Gagnon)
 - BUGFIX: Recognizes Beol3 and Beol96 again. Sorry for this!

v1.33a (13-Sep-97) Only released at the VIRUS HELP TEAM DENMARK!
 - Recognizes HitchHiker 4.32
 - Added "DisableHH423", a tiny tool which disinfects files. Sorry, the virus
   only gets disabled, not removed.

v1.33 (21-Sep-97)
 - Included "RemoveHH423", which really cleans an infected file (also files
   disabled with "DisableHH423").
 - Removed "DisableHH423" from distribution.

DISCLAIMER

This software is subject to the "Standard Amiga FD-Software Copyright Note".
It is Freeware as defined in paragraph 4a. For more information please read
"AFD-COPYRIGHT" (Version 1 or higher).

AUTHOR

If you have some comments, please don't hesitate to contact me!

Gideon Zenz
Giersbergstr. 41
53229 Bonn
GERMANY

EMail: gzenz@ixc.net

-Gideon Zenz, 21-Sep-97

SECURITY

If you want to be sure you have the original programs, check with
"md5sum -c AntiBeol.readme" (md5sum is part of the PGP package), and of course
check the integrity of this readme with PGP!
72e92394aa7a8e22a41754ca42f90175 *AntiBeol
0c64233fe99ff65bd729bbadedfe39c5 *RemoveHH423
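As an added illustration of the check the TECHNICAL section describes (this is example code, not code from AntiBeol itself): one pass over a process classifies what sits behind its pr_WaitPkt and TC_LAUNCH vectors as clean, known virus, known benign patcher or unknown, and disables it by clearing the vector. The structs, the field layout and the four-byte signatures are constructed stand-ins that follow the README's naming; they are not the real AmigaOS headers or the tool's signature database.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the structures AntiBeol inspects.  Field names follow
 * the README (pr_WaitPkt, TC_LAUNCH); these are NOT the real AmigaOS headers. */
struct Task    { const char *name; const unsigned char *tc_Launch; };
struct Process { struct Task task; const unsigned char *pr_WaitPkt; };

enum Verdict { CLEAN, KNOWN_VIRUS, KNOWN_BENIGN, SUSPICIOUS };

/* Constructed 4-byte signatures of code found behind a hooked vector; the real
 * tool knows Beol 2/3/96, SMEG and benign patchers like ArcHandler or VMM. */
static const struct { unsigned char sig[4]; enum Verdict v; const char *name; } known[] = {
    { {0x4e, 0x71, 0xbe, 0x01}, KNOWN_VIRUS,  "Beol3-like (constructed)" },
    { {0x4e, 0x71, 0xa8, 0xc0}, KNOWN_BENIGN, "ArcHandler-like (constructed)" },
};

/* An empty vector is clean, known code gets its name, anything else is the
 * "future virus" case the requester reports as Dospacket/Volumelauncher. */
static enum Verdict classify(const unsigned char *code, const char **name)
{
    size_t i;
    *name = "unknown";
    if (code == NULL) return CLEAN;
    for (i = 0; i < sizeof known / sizeof known[0]; i++)
        if (memcmp(code, known[i].sig, 4) == 0) { *name = known[i].name; return known[i].v; }
    return SUSPICIOUS;
}

struct Finding { const char *kind; const void *vector; enum Verdict v; const char *name; };

/* One pass over a process: both vectors the README names.  The address stored
 * is the vector field itself, which is what the requester shows.  Returns count. */
static int scan_process(const struct Process *p, struct Finding out[2])
{
    int n = 0;
    const char *name;
    enum Verdict v = classify(p->pr_WaitPkt, &name);
    if (v != CLEAN) { out[n].kind = "Dospacket"; out[n].vector = &p->pr_WaitPkt; out[n].v = v; out[n].name = name; n++; }
    v = classify(p->task.tc_Launch, &name);
    if (v != CLEAN) { out[n].kind = "Volumelauncher"; out[n].vector = &p->task.tc_Launch; out[n].v = v; out[n].name = name; n++; }
    return n;
}

/* Disabling means clearing the vector so the hooked code is never called again.
 * Known viruses are cleared outright; a merely suspicious hook needs the user's
 * OK, which is the "Leave It" choice in the requester. */
static void neutralise(struct Process *p, const struct Finding *f, int user_says_kill)
{
    if (f->v == KNOWN_VIRUS || (f->v == SUSPICIOUS && user_says_kill)) {
        if (f->vector == &p->pr_WaitPkt) p->pr_WaitPkt = NULL;
        else p->task.tc_Launch = NULL;
    }
}
```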