EnigmA Amiga Run 1997 April / EnigmA AMIGA RUN 17 (1997)(G.R. Edizioni)(IT)[!][issue 1997-04][EAR-CD].iso / EARCD/util/virus/AntiBeol_12.readme
Text File | 1996-12-07 | 7KB | 160 lines
Short: Mem viruskiller for the new Packetviruses
Author: gzenz@ernie.mi.uni-koeln.de (Gideon Zenz)
Uploader: gzenz@ernie.mi.uni-koeln.de (Gideon Zenz)
Type: util/virus
-----BEGIN PGP SIGNED MESSAGE-----
PURPOSE
As probably some of you know, a crazy guy posted the source of a
really dangerous stealth virus (Beol3) to Usenet. I decided to
debug this piece in order to protect myself from it, as the danger of
clones with destructive routines seemed to be pretty high. When
testing it, I had to make sure not to infect myself, and to clean the
memory from the virus when I finished. So AntiBeol was born, in order
to clean the memory of all viruses working like this one.
I got in contact with Markus Schmall (Virus Workshop) so I could maybe
help him a bit, and he encouraged me to improve AntiBeol, as other
people might find such a tool handy. He sent me some more viruses, so
it's now able to detect and clear the most important ones.
The difference from probably most virus killers is that this one
doesn't only notify you when it encounters a known virus, but also
when it detects abnormal changes, so it can (hopefully) detect new
viruses.
All in all, it doesn't replace a good background checker like VirusZ,
but it gives you additional help against these up-and-coming packet
viruses.
USAGE
It's pretty easy to use. Just put it somewhere in your User-Startup
with a Run, e.g.:
Run <>NIL: C:AntiBeol
You won't notice anything during normal work, but if it detects
something, a reqtools requester will pop up and inform you about it.
The following viruses are detected so far: Beol 3, Beol 2, Beol 96,
and SMEG.
You may also get two other warnings: Dospacket virus and
Volumelauncher virus. NOTE: These mean that AntiBeol found a program
that uses techniques NORMALLY only viruses (like the ones mentioned
above) use. It doesn't have to be a virus, but it can be. Programs
like ArcHandler or DiskExpander can cause such a warning; in this
case just press "Leave It" and the program won't be touched. So if
you start a program you know for sure is virus-free (and it crashes),
please mail me, and try using the NOSTRICT option.
TECHNICAL
This paragraph is for advanced users only, so don't get mad if you
don't understand a word :)
So how does this thingie work? Basically quite simply: every five
seconds it checks some vectors of the system (pr_WaitPkt of all
volumes and processes, and TC_LAUNCH of every task), as these are
used by the above-mentioned viruses. If such a virus is detected, or
some other program is found there (these vectors are normally not
used by any program I could find), they get cleared, the suspicious
piece of code gets disabled and you get notified. For the curious:
AntiBeol also changes its name randomly every 5 secs, so don't get a
heart attack if you see a process like "CLI(15):r7a9wOeci". This
prevents the FindTask("SnoopDos") trick, where a virus looks up a
known monitoring tool by its task name in order to disable it.
So what do these "future virus" requesters mean? Dospacket means that
someone hooked into pr_WaitPkt, either in the processes or in the
volumes, and Volumelauncher means someone hooked into the TC_LAUNCH
field of the volumes' tasks. As additional help you get the address
of the suspicious vector. This is a pointer into the DOS structure,
e.g. to pr_WaitPkt.
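The scan described above, as an added worked example. It is written for this page and is not AntiBeol's own code (the archive ships only the binary). It models the two hook fields on simplified versions of the Amiga structures: tc_Launch from exec/tasks.h, and pr_PktWait from dos/dosextens.h (the field this readme calls pr_WaitPkt). On a clean system both are NULL, so every non-NULL entry is either a program known to hook there or an anomaly worth a requester. The byte patterns in the known table, the sample processes and the "handler"/"virus" code are constructed placeholder data, not real virus or handler signatures, and the NOSTRICT behaviour (clear known viruses only, still report unknown hooks) is an assumption about that option, which the readme does not spell out.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Simplified models of the structures AntiBeol walks. Constructed for this
 * example; the real ones are struct Task in exec/tasks.h (tc_Launch) and
 * struct Process in dos/dosextens.h (pr_PktWait, called pr_WaitPkt in this
 * readme). Both fields are NULL on a clean system. */
typedef const unsigned char *Vector;    /* hooked "code" modelled as bytes */

struct Task {
    const char *tc_Name;
    Vector tc_Launch;       /* called each time the task is scheduled in */
};

struct Process {
    struct Task pr_Task;
    Vector pr_PktWait;      /* called instead of WaitPkt() for DOS packets */
};

/* Code fragments the scanner recognises behind a hook. The byte patterns are
 * made-up sample data, not real virus or handler signatures. */
struct Known {
    const char *name;
    int benign;             /* 1: legitimate hooker (handler etc.), leave it */
    unsigned char sig[4];
};

static const struct Known known[] = {
    { "sample handler (benign)", 1, { 0x48, 0xE7, 0x00, 0x10 } },
    { "sample packet virus",     0, { 0x4E, 0xF9, 0xDE, 0xAD } },
};

enum Verdict { CLEAN = 0, BENIGN, KNOWN_VIRUS, UNKNOWN_HOOK };

struct Finding {
    enum Verdict verdict;
    const char *task;       /* task/process the vector belongs to */
    const char *field;      /* "pr_PktWait" (Dospacket) or "tc_Launch" (Volumelauncher) */
    Vector addr;            /* address of the suspicious code, as the requester shows it */
    const char *name;       /* known entry name, NULL for unknown hooks */
};

#define MAX_FINDINGS 16

static enum Verdict classify(Vector v, const char **name)
{
    *name = NULL;
    if (v == NULL) return CLEAN;
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (memcmp(v, known[i].sig, sizeof known[i].sig) == 0) {
            *name = known[i].name;
            return known[i].benign ? BENIGN : KNOWN_VIRUS;
        }
    return UNKNOWN_HOOK;    /* nothing normal sits here: the "future virus" case */
}

/* Inspect one vector slot, record a finding, clear the slot if it must be
 * disarmed. Returns 1 if the vector was cleared. */
static int check_slot(Vector *slot, const char *task, const char *field, int strict,
                      struct Finding *out, size_t *n)
{
    const char *name;
    enum Verdict v = classify(*slot, &name);
    if (v == CLEAN) return 0;
    if (*n < MAX_FINDINGS) {
        struct Finding f = { v, task, field, *slot, name };
        out[(*n)++] = f;
    }
    /* Strict (default) clears known viruses and unknown hooks alike; NOSTRICT
     * is modelled as clearing known viruses only (assumption, see lead-in). */
    if (v == KNOWN_VIRUS || (v == UNKNOWN_HOOK && strict)) {
        *slot = NULL;       /* restore the clean state: no hook */
        return 1;
    }
    return 0;
}

/* One scan pass, as AntiBeol does every five seconds. Returns vectors cleared. */
static int scan(struct Process *procs, size_t nprocs, int strict,
                struct Finding *out, size_t *nfound)
{
    int cleared = 0;
    *nfound = 0;
    for (size_t i = 0; i < nprocs; i++) {
        const char *t = procs[i].pr_Task.tc_Name;
        cleared += check_slot(&procs[i].pr_PktWait, t, "pr_PktWait", strict, out, nfound);
        cleared += check_slot(&procs[i].pr_Task.tc_Launch, t, "tc_Launch", strict, out, nfound);
    }
    return cleared;
}

/* Constructed sample "code" behind the hooks (placeholder bytes). */
static const unsigned char handler_code[] = { 0x48, 0xE7, 0x00, 0x10, 0x4E, 0x75 };
static const unsigned char virus_code[]   = { 0x4E, 0xF9, 0xDE, 0xAD, 0xBE, 0xEF };
static const unsigned char unknown_code[] = { 0x60, 0x00, 0x00, 0x02, 0x4E, 0x75 };

/* Build a constructed sample system (clean shell, legitimately hooking
 * handler, infected process, unknown tc_Launch hooker), run one pass and
 * print what a requester would show. Returns the number of vectors cleared. */
static int demo(int strict, size_t *nfound)
{
    struct Process procs[4] = {
        { { "Shell", NULL },           NULL },
        { { "ArcHandler-like", NULL }, handler_code },
        { { "Workbench", NULL },       virus_code },
        { { "Unknown", unknown_code }, NULL },
    };
    struct Finding f[MAX_FINDINGS];
    size_t n = 0;
    int cleared = scan(procs, 4, strict, f, &n);
    for (size_t i = 0; i < n; i++)
        printf("%-16s %-10s at %p: %s\n", f[i].task, f[i].field, (const void *)f[i].addr,
               f[i].name ? f[i].name : "unknown hook");
    if (nfound) *nfound = n;
    return cleared;
}

static size_t count_findings(int strict)
{
    size_t n = 0;
    (void)demo(strict, &n);
    return n;
}

int main(void)
{
    printf("strict:   cleared %d\n", demo(1, NULL));
    printf("nostrict: cleared %d\n", demo(0, NULL));
    return 0;
}
```

In strict mode the pass reports three hooks and clears two: the known virus behind pr_PktWait and the unknown tc_Launch hooker, while the handler's hook is recognised and left alone (the "Leave It" case). With NOSTRICT only the known virus is cleared. On a real machine the walk over ExecBase's task lists and the DOS device list has to run under Forbid(), since a task can be created or removed while its fields are being read; the model above skips that.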
LAST WORDS
I really do have to thank Markus Schmall for his help and for
providing viruses! Without him I wouldn't even have thought about
releasing this program!
HISTORY
v1.0 (24-Sep-96)
- initial release
v1.1 (17-Oct-96)
- Now works on 68000 machines (thx to Danny Lade)
- Recognizes DiskExpander (thx to Martin Imlau)
- Finally works with ArcHandler under every condition
- Improved the warning requester: it shows the memory and lets you
decide whether to kill the suspicious code or not.
v1.2 (27-Nov-96)
- Recognizes FSDirs (thx to Dave Jones)
- Removed Enforcer hits, which caused an A3000 to stall every 5 secs
(thx to Nils Goers)
DISCLAIMER
This software is subject to the "Standard Amiga FD-Software Copyright
Note". It is Freeware as defined in paragraph 4a. For more information
please read "AFD-COPYRIGHT" (Version 1 or higher).
AUTHOR
If you have any comments, please don't hesitate to contact me!
Gideon Zenz
Giersbergstr. 41
53229 Bonn
GERMANY
EMail: gzenz@ernie.mi.uni-koeln.de
-Gideon Zenz, 17-Oct-96
SECURITY
If you want to be sure you have the original program, check with
"md5sum -c AntiBeol.readme" (md5sum is part of the PGP package), and
of course check the integrity of this readme with PGP!
41f31af0209218c99b605606fbcbb1cf *AntiBeol
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

=qm/Q
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
iQCVAwUBMpx3rUBgnhXGkfElAQF6hQP7BqtR4uIuZ280THc6deCByHAlOeBCgm6d
jDR6H4q2muj4PsUlUwepnbyx//xrvWZUWQHZCdN3DlJX7OXyBhThmDUN6//fdW+d
jOiMGHgtnfhxvw1Zqq9VK2SCbIopYIY4FgemJQcIkqLQ0I9fYyG8yJNP2pmkqnjl
ZYZEFcU2kRc=
=ujCD
-----END PGP SIGNATURE-----
============================= Archive contents =============================
Original  Packed Ratio    Date     Time     Name
-------- ------- ----- --------- --------  -------------
    1640    1260 23.1% 27-Nov-96 11:15:38  AntiBeol
    6558    3497 46.6% 27-Nov-96 11:18:06  AntiBeol_12.readme
-------- ------- ----- --------- --------
    8198    4757 41.9% 28-Nov-96 13:26:34  2 files