-----BEGIN PGP SIGNED MESSAGE-----
NOTE
For news please check out the HISTORY section!
PURPOSE
As probably some of you know, a crazy guy postet the source of a
really dangerous stealth-virus (Beol3) to the usenet. I decided to
debug this piece in order to protect myself from it, as the danger of
clones with destructive routines seemed to be pretty high. When
testing it, I had to make sure not to infect myself, and to clean the
memory from the virus when I finished. So AntiBeol was born, in order
to clean the memory from all viruses working like this one.
I got in contact with Markus Schmall (Virus Workshop) so I could maybe
help him a bit, and he encouraged me to improve AntiBeol, as other
peoples might find such a tool handy. He sent me some more viri, so
it`s now able to detect and clear the most important one.
The difference to probably the most viruskillers is that this one
doesn`t only notify you when it encounters a known virus, but also if
it detects some abnormal changes, so it can (hopefully) detect new
viri.
All in all, it doesn`t replace a good background checker like VirusZ
is, but it gives you additionally help on this comming-up packetviri.
USAGE
It`s pretty easy to use. Just put it somewhere in your User-Startup
with a run, e.g.:
Run <>NIL: C:AntiBeol
You won`t notice anything on normal work, but if it detects something,
a reqtools requester will pop up and inform you about it. The
following viri are detected untill now: Beol 3, Beol 2, Beol 96, and
SMEG.
But you can get another ones, which are: Dospacket virus and
Volumelauncher virus. NOTE: These ones mean that AntiBeol found a
program that used some techniques NORMALY only viri (like the above
mentioned) use. It DOESN`T need to be a virus, but it can be.
Programs like ArcHandler or DiskExpaner can cause such things, in this
case just press "Leave It" and it won`t be touched. So IF you start a
program you 100% KNOW about it`s virus-free (and it crashes), please
mail me, and try using the NOSTRICT option.
TECHNICAL
This paragraph is for advanced users only, so don`t get mad because
you don`t understand a word :)
So how does this thingie work? Basically quite easy: Every five
seconds, it checks some vectors of the system (pr_WaitPkt of all
Volumes, Processes, and TC_LAUNCH of every task), as they`re used by
the above mentioned viruses. If such a virus is detected, or some
other program is found there (these vectors are normaly not used by
any program I could find) they`ll get cleared, the suspicious piece of
code get`s disabled and you`ll get notified. For the curious ones:
AntiBeol also changes it`s name randomly every 5 seks, so don`t get a
heart attack if you see a process like "CLI(15):r7a9wOeci". This will
prevent the FindTask("SnoopDos")-trick.
So what do these "future-viri" requesters mean? Dospacket means that
someone hooked up in pr_WaitPkt, either in the Processes or in the
Volumes, and Volumelauncher means someone hooked up in the TC_LAUNCH
field of the Volumes` tasks. As additionaly help you get the address
of the suspicious vector. This is a pointer to the dos structure,
e.g. pr_WaitPkt.
LAST WORDS
I really do have to thank Markus Schmall for his help and providing of
viri! Without him I wouldn`t even have thought about releasing this
program!
I also have to thank Jan Andersen from the VIRUS HELP TEAM DENMARK for
his support. You can find the newest AntiBeol on
http://home4.inet.tele.dk/vht-dk/ !
HISTORY
v1.0 (24-Sep-96)
- initial release
v1.1 (17-Oct-96)
- Now works on 68000 machines (thx to Danny Lade)
- Recognizes DiskExpander (thx to Martin Imlau)
- Finally works with ArcHandler under every condition
- Improved the warning requester, shows memory and you can decide
wether to kill or not to kill the suspicious code.
v1.2 (27-Nov-96)
- Recognizes FSDirs (thx to Dave Jones)
- Removed enforcerhits, which caused an
A3000 to stall every 5 secs (thx to Nils Goers)
v1.21 (10-Mar-97)
- Recognizes VincEd (thx to Nils Goers)
- Added new email address!
v1.3 (25-Mar-97)
- Recognizes VMM (thx to Dave Jones)
- The warning requester will now pop up only one time
instead of every 5 secs.
v1.32 (6-Sep-97)
- Recognizes VincEd 3.52 (thx to Nils Goers)
- Doesn`t disturb serial transfers anymore (thx to Gary Gagnon)
- BUGFIX: Recognizes again Beol3 and Beol96. Sorry for this!
v1.33a (13-Sep-97) Only released at the VIRUS HELP TEAM DENMARK!
- Recognizes HitchHicker 4.32
- Added "DisableHH423", a tiny tool which desinfects files
Sorry, virus only gets disabled, not removed.
v1.33 (21-Sep-97)
- Included "RemoveHH423" which really cleanes an infected file
(also files disabled with "DisableHH423").
- Removed "DisableHH423" from distribution.
DISCLAIMER
This software is subject to the "Standard Amiga FD-Software Copyright
Note" It is Freeware as defined in paragraph 4a. For more information
please read "AFD-COPYRIGHT" (Version 1 or higher).
AUTHOR
If you have some comments, please don`t hesitate to contact me!
Gideon Zenz
Giersbergstr. 41
53229 Bonn
GERMANY
EMail: gzenz@ixc.net
-Gideon Zenz, 21-Sep-97
SECURITY
If you want to be shure you have the original programs, check with
"md5sum -c AntiBeol.readme". (md5sum is part of the PGP package), and
of cause check the integrity of this readme with PGP!
72e92394aa7a8e22a41754ca42f90175 *AntiBeol
0c64233fe99ff65bd729bbadedfe39c5 *RemoveHH423
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia
mQCNAi3izr8AAAEEAMi+7o+iKDG26t8EuoX0NJ92iwhkviRC3GdJ1Uvef4+xJA3V
ey20ZnzBg/OokPdo0a3VxhwyjD2auyFmp7DLupQTko7Wx2zLk19EzVBxI6NggUev
ep+eaVvAi8V/YosYh0Xg4/dScOq391irO6k9+BPqkQPH+bRNCUBgnhXGkfElAAUR
tBtHaWRlb24gWmVueiA8Z3plbnpAaXhjLm5ldD6JARUDBRAz36dHCen5CopyTkUB
AUrFB/9cdPzCbD0H6z3CDBRA2rhFQblNvC3R/Cjl5+EQhafJZ5egiMncEbH/rgR2
xmAqj789+ClC2cxtvRJpEeldB/BTqh0Ta/2i752xaH/AZP8Z6LFiLufW8EFRKmTz
QZEV2uQ9iIEUAZaxP6482Sqymvp4WmqFWWuDnS+G6PjPwIl1gSvFhVaZSZfmbZGs
YDePjL4yEHJymKW19hNkyG4u7TRpvWVHLuuqYUS+gjvXKfJkEr1epfVbUkgPqbyZ
vQ5eJ097oL6m7dZwhgLmdwZ2EUNWH45pHXNTyOSFhkWkt9wMCQ4dzDSgmvD0T9Tw
WhExUoTDX6r1tYdvGrg52y5PtLTEiQCVAwUQMySwfUBgnhXGkfElAQGJcgP/b6Hf
GYzF1TBvXbmubxzkvPJtnX4PNQP3PF97vjwqBpkUuYv1esxSgbvuN8wbYwsOoNW1
cDDIxM/sAXBrMHxX5cFf+au46hovwAQT9Uj9t47bQRVSqHKPGVjUUEP5jVfEQy6j
842QJ5hANHQjvmZAR0dwaPJ35nqJ+h414KY7hq20Ok5PVEU6IDxnemVuekBFcm5p
ZS5NSS5VbmktS29lbG4uREU+IGlzIG5vdCB2YWxpZCBhbnkgbW9yZSGJAJUDBRAz
JLCqQGCeFcaR8SUBAZ8pA/9yXKDclBIxx/BiKdxNSDBgaNC5hyHyCC2iZK0/F2zP
uvuqkhCIQCdzMFLsJLFslamhjVDFZVKRtpSA3vblWivpM5n6yt4kxi+bMkK3LW2q
r4CBWw3SriShT1BgGhuLbV4YcVNB/PIeAOJ4Z82tLxLQzuwKsYOxPkGSS/maSxOB
+LQpR2lkZW9uIFplbnogPGd6ZW56QEVybmllLk1JLlVuaS1Lb2Vsbi5ERT6JAJUC
BRAysg5ltvkN3Lttr4EBAVI4BACG972YynotdH9MLDVoZZydI6NMEYF//vf/bTn/
QDN9DcW9VfTHNhbcsBbs4VOrvqX9Dww2d/91u3+HYaA3crz00mN5uVjkCE9FMH3v
QNykrKmBMnajDpqY0E9dJAyYu4C8NaYCzypEeA6oGzrllTTa++9h2VoGCTVrcCBg
4fa9MYkBFQMFEDH2trkAYAKC86RPCQEBgTUH/A8KTc/9NKi/mbzkPGUyywI3krp/
HqGDAQVN89QFynq5PtTSuKy5Q4DAmJwQ4gna9GJQytme1YbaXKjNNxMi2b33Rhd9
aj5HKVHx6bRguJ7LpgAotz6FuI6Ny76V1ccwQQnbxroy+EKOR2uOnOh/Gr4NbVz1
QTVqksYyp/T5rwI1esgJlTKxow6Y9BAutyC4M3n9Snc6sViGQwZsH9Xxts9c9meI
7LRjleWjSFcl7LuZVyf6LFFuzo9jQQTt+Ak69wCeN4Qq5oTzLJQa9KzgQaxj70oP
9LyTPBkdYPWHa+JYPCxgyBojY8igq7PmSRiMnJKhWkQx+uRQbnpuDHPgvgSJAJUD
BRAx0dc3QGCeFcaR8SUBAciDA/4qaRFv5KZGlIbAeGphlR33+aBjMZDf1MlC1QcI
k2yPY9tTMIisz06IckZw7Oq+RVBmJOvOZtJJJuVCuufyHKSg3+HRj6YE4lQ7/ojC
U7yPcrdfny4oLKEpehRB/F89Mzan7cjyLI9qH07I2wq7a9wCwP4BDpa0lxMAQd9U
k+UN6g==
=bdm/
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
iQCVAwUBNCXIU0BgnhXGkfElAQFEeAP+Kj6l/nR3Eunq/lnKtAOqgCkjZE4Qf5B6
sLeyO9+JRFC0UA+BC9miQI9suTqRv5emAacrSRyBPHS884T4/Z2USOfyDEi0JT2N
eSdCNBr8U4qVuBPHZLzXZB4vQHrrnTEWtRqHtgXkF8JTy3mmr3cwRTqi2YNvPyee
dmZcZtZeJMU=
=ctUo
-----END PGP SIGNATURE-----
|