-----BEGIN PGP SIGNED MESSAGE-----
For news please check out the HISTORY section!
As probably some of you know, a crazy guy postet the source of a
really dangerous stealth-virus (Beol3) to the usenet. I decided to
debug this piece in order to protect myself from it, as the danger of
clones with destructive routines seemed to be pretty high. When
testing it, I had to make sure not to infect myself, and to clean the
memory from the virus when I finished. So AntiBeol was born, in order
to clean the memory from all viruses working like this one.
I got in contact with Markus Schmall (Virus Workshop) so I could maybe
help him a bit, and he encouraged me to improve AntiBeol, as other
peoples might find such a tool handy. He sent me some more viri, so
it`s now able to detect and clear the most important one.
The difference to probably the most viruskillers is that this one
doesn`t only notify you when it encounters a known virus, but also if
it detects some abnormal changes, so it can (hopefully) detect new
All in all, it doesn`t replace a good background checker like VirusZ
is, but it gives you additionally help on this comming-up packetviri.
It`s pretty easy to use. Just put it somewhere in your User-Startup
with a run, e.g.:
Run <>NIL: C:AntiBeol
You won`t notice anything on normal work, but if it detects something,
a reqtools requester will pop up and inform you about it. The
following viri are detected untill now: Beol 3, Beol 2, Beol 96, and
But you can get another ones, which are: Dospacket virus and
Volumelauncher virus. NOTE: These ones mean that AntiBeol found a
program that used some techniques NORMALY only viri (like the above
mentioned) use. It DOESN`T need to be a virus, but it can be.
Programs like ArcHandler or DiskExpaner can cause such things, in this
case just press "Leave It" and it won`t be touched. So IF you start a
program you 100% KNOW about it`s virus-free (and it crashes), please
mail me, and try using the NOSTRICT option.
This paragraph is for advanced users only, so don`t get mad because
you don`t understand a word :)
So how does this thingie work? Basically quite easy: Every five
seconds, it checks some vectors of the system (pr_WaitPkt of all
Volumes, Processes, and TC_LAUNCH of every task), as they`re used by
the above mentioned viruses. If such a virus is detected, or some
other program is found there (these vectors are normaly not used by
any program I could find) they`ll get cleared, the suspicious piece of
code get`s disabled and you`ll get notified. For the curious ones:
AntiBeol also changes it`s name randomly every 5 seks, so don`t get a
heart attack if you see a process like "CLI(15):r7a9wOeci". This will
prevent the FindTask("SnoopDos")-trick.
So what do these "future-viri" requesters mean? Dospacket means that
someone hooked up in pr_WaitPkt, either in the Processes or in the
Volumes, and Volumelauncher means someone hooked up in the TC_LAUNCH
field of the Volumes` tasks. As additionaly help you get the address
of the suspicious vector. This is a pointer to the dos structure,
I really do have to thank Markus Schmall for his help and providing of
viri! Without him I wouldn`t even have thought about releasing this
I also have to thank Jan Andersen from the VIRUS HELP TEAM DENMARK for
his support. You can find the newest AntiBeol on
- initial release
- Now works on 68000 machines (thx to Danny Lade)
- Recognizes DiskExpander (thx to Martin Imlau)
- Finally works with ArcHandler under every condition
- Improved the warning requester, shows memory and you can decide
wether to kill or not to kill the suspicious code.
- Recognizes FSDirs (thx to Dave Jones)
- Removed enforcerhits, which caused an
A3000 to stall every 5 secs (thx to Nils Goers)
- Recognizes VincEd (thx to Nils Goers)
- Added new email address!
- Recognizes VMM (thx to Dave Jones)
- The warning requester will now pop up only one time
instead of every 5 secs.
- Recognizes VincEd 3.52 (thx to Nils Goers)
- Doesn`t disturb serial transfers anymore (thx to Gary Gagnon)
- BUGFIX: Recognizes again Beol3 and Beol96. Sorry for this!
v1.33a (13-Sep-97) Only released at the VIRUS HELP TEAM DENMARK!
- Recognizes HitchHicker 4.32
- Added "DisableHH423", a tiny tool which desinfects files
Sorry, virus only gets disabled, not removed.
- Included "RemoveHH423" which really cleanes an infected file
(also files disabled with "DisableHH423").
- Removed "DisableHH423" from distribution.
This software is subject to the "Standard Amiga FD-Software Copyright
Note" It is Freeware as defined in paragraph 4a. For more information
please read "AFD-COPYRIGHT" (Version 1 or higher).
If you have some comments, please don`t hesitate to contact me!
-Gideon Zenz, 21-Sep-97
If you want to be shure you have the original programs, check with
"md5sum -c AntiBeol.readme". (md5sum is part of the PGP package), and
of cause check the integrity of this readme with PGP!
- -----BEGIN PGP PUBLIC KEY BLOCK-----
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----