Short: Mem viruskiller for the new Packetviruses Author: gzenz@ernie.mi.uni-koeln.de (Gideon Zenz) Uploader: gzenz@ernie.mi.uni-koeln.de (Gideon Zenz) Type: util/virus -----BEGIN PGP SIGNED MESSAGE----- PURPOSE As probably some of you know, a crazy guy postet the source of a really dangerous stealth-virus (Beol3) to the usenet. I decided to debug this piece in order to protect myself from it, as the danger of clones with destructive routines seemed to be pretty high. When testing it, I had to make sure not to infect myself, and to clean the memory from the virus when I finished. So AntiBeol was born, in order to clean the memory from all viruses working like this one. I got in contact with Markus Schmall (Virus Workshop) so I could maybe help him a bit, and he encouraged me to improve AntiBeol, as other peoples might find such a tool handy. He sent me some more viri, so it`s now able to detect and clear the most important one. The difference to probably the most viruskillers is that this one doesn`t only notify you when it encounters a known virus, but also if it detects some abnormal changes, so it can (hopefully) detect new viri. All in all, it doesn`t replace a good background checker like VirusZ is, but it gives you additionally help on this comming-up packetviri. USAGE It`s pretty easy to use. Just put it somewhere in your User-Startup with a run, e.g.: Run <>NIL: C:AntiBeol You won`t notice anything on normal work, but if it detects something, a reqtools requester will pop up and inform you about it. The following viri are detected untill now: Beol 3, Beol 2, Beol 96, and SMEG. But you can get another ones, which are: Dospacket virus and Volumelauncher virus. NOTE: These ones mean that AntiBeol found a program that used some techniques NORMALY only viri (like the above mentioned) use. It DOESN`T need to be a virus, but it can be. Programs like ArcHandler or DiskExpaner can cause such things, in this case just press "Leave It" and it won`t be touched. So IF you start a program you 100% KNOW about it`s virus-free (and it crashes), please mail me, and try using the NOSTRICT option. TECHNICAL This paragraph is for advanced users only, so don`t get mad because you don`t understand a word :) So how does this thingie work? Basically quite easy: Every five seconds, it checks some vectors of the system (pr_WaitPkt of all Volumes, Processes, and TC_LAUNCH of every task), as they`re used by the above mentioned viruses. If such a virus is detected, or some other program is found there (these vectors are normaly not used by any program I could find) they`ll get cleared, the suspicious piece of code get`s disabled and you`ll get notified. For the curious ones: AntiBeol also changes it`s name randomly every 5 seks, so don`t get a heart attack if you see a process like "CLI(15):r7a9wOeci". This will prevent the FindTask("SnoopDos")-trick. So what do these "future-viri" requesters mean? Dospacket means that someone hooked up in pr_WaitPkt, either in the Processes or in the Volumes, and Volumelauncher means someone hooked up in the TC_LAUNCH field of the Volumes` tasks. As additionaly help you get the address of the suspicious vector. This is a pointer to the dos structure, e.g. pr_WaitPkt. LAST WORDS I really do have to thank Markus Schmall for his help and providing of viri! Without him I wouldn`t even have thought about releasing this program! HISTORY v1.0 (24-Sep-96) - initial release v1.1 (17-Oct-96) - Now works on 68000 machines (thx to Danny Lade) - Recognizes DiskExpander (thx to Martin Imlau) - Finally works with ArcHandler under every condition - Improved the Warning requester, shows memory and you can decide wether to kill or not to kill the suspicious code. DISCLAIMER This software is subject to the "Standard Amiga FD-Software Copyright Note" It is Freeware as defined in paragraph 4a. For more information please read "AFD-COPYRIGHT" (Version 1 or higher). AUTHOR If you have some comments, please don`t hesitate to contactme! Gideon Zenz Giersbergstr. 41 53229 Bonn GERMANY EMail: gzenz@ernie.mi.uni-koeln.de -Gideon Zenz, 17-Oct-96 SECURITY If you want to be shure you have the original programs, check with "md5sum -c AntiBeol.readme". (md5sum is part of the PGP package), and of cause check the integrity of this readme with PGP! f988ea4a7a5b12bba6d12211b7ddb9af *AntiBeol - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3ia mQCNAi3izr8AAAEEAMi+7o+iKDG26t8EuoX0NJ92iwhkviRC3GdJ1Uvef4+xJA3V ey20ZnzBg/OokPdo0a3VxhwyjD2auyFmp7DLupQTko7Wx2zLk19EzVBxI6NggUev ep+eaVvAi8V/YosYh0Xg4/dScOq391irO6k9+BPqkQPH+bRNCUBgnhXGkfElAAUR tClHaWRlb24gWmVueiA8Z3plbnpARXJuaWUuTUkuVW5pLUtvZWxuLkRFPokBFQMF EDH2trkAYAKC86RPCQEBgTUH/A8KTc/9NKi/mbzkPGUyywI3krp/HqGDAQVN89QF ynq5PtTSuKy5Q4DAmJwQ4gna9GJQytme1YbaXKjNNxMi2b33Rhd9aj5HKVHx6bRg uJ7LpgAotz6FuI6Ny76V1ccwQQnbxroy+EKOR2uOnOh/Gr4NbVz1QTVqksYyp/T5 rwI1esgJlTKxow6Y9BAutyC4M3n9Snc6sViGQwZsH9Xxts9c9meI7LRjleWjSFcl 7LuZVyf6LFFuzo9jQQTt+Ak69wCeN4Qq5oTzLJQa9KzgQaxj70oP9LyTPBkdYPWH a+JYPCxgyBojY8igq7PmSRiMnJKhWkQx+uRQbnpuDHPgvgSJAJUDBRAx0dc3QGCe FcaR8SUBAciDA/4qaRFv5KZGlIbAeGphlR33+aBjMZDf1MlC1QcIk2yPY9tTMIis z06IckZw7Oq+RVBmJOvOZtJJJuVCuufyHKSg3+HRj6YE4lQ7/ojCU7yPcrdfny4o LKEpehRB/F89Mzan7cjyLI9qH07I2wq7a9wCwP4BDpa0lxMAQd9Uk+UN6g== =qm/Q - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: latin1 iQCVAwUBMmZryUBgnhXGkfElAQHMEQP+N56UvXcEOByJNrhr3xfmLAPfR0nLjFEg 6rjzM1VhNYL1mhn8L1ibCPAu1al68z6eaWbR3rZw4VrWs6pSMK7zv+7oNssXA+Xv e3S8iWFl6kDSHT+5j644a36m9ReOIcDxo+0u9SRi6T/kR8zZ2N7pgfrXIOr3H1sI Z2+P3bgEv2M= =qtdV -----END PGP SIGNATURE-----