Entry...............: Bobek3
Alias(es)...........: -
Virus Strain........: Bobek/Harrier
Virus detected when.: -
              where.: -
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 2000 Bytes
                      2. Length in RAM: 8448 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
                      - compares the length declared in the hunk header with
                        the real length (this also avoids infection of some
                        crunched files)
                      Self-identification method in memory:
                      - none
                      System infection:
                      - the virus patches the internal ExNext call of
                        reqtools.library (it handles very many versions of
                        that library!)
                      - the virus disables xvs.library by overwriting its
                        vectors
                      Infection preconditions:
                      - file is between 1000 and 200000 bytes
                      - Hunk Code is found
                      - file is not already infected
                      - device is validated
                      - filename is without "VI" and "SA"
Infection Trigger...: Scanning directories with reqtools requesters
Storage media affected: all DOS-devices
Interrupts hooked...: -
Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none
Particularities.....: Very many differences from the BOBEK code. The virus
                      restores file dates, allocates memory to load files and
                      so on, just like any average virus from the past... ;-)
                      The virus tunnels DOS-call and packet watchers. The
                      packet monitoring of SnoopDos is tunnelled by temporarily
                      restoring the ROM PutMsg pointer. The restored ROM calls
                      to dos are arranged into a library-style jump table,
                      which makes analysing the virus code almost impossible
                      until all the dos functions used have been examined by
                      name (wasn't so difficult to guess anyway).
                      The virus uses retro techniques to disable the
                      xvs.library functions SelfTest, FileCheck and
                      SurveyMemory. This no longer works with the new security
                      stuff by Georg...
Similarities........: Very many similarities to the HARRIER and BOBEK! viruses.
                      File infection and decoder are almost equal to BOBEK2;
                      however, this virus isn't binary.
Stealth.............: The virus uses direct ROM calls for all dos functions, so
                      DOS-call watchers are cheated. This routine is still
                      incompatible with some configs. Packets are also invisible
                      to the packet monitor of SnoopDos. The virus writes the
                      new, infected length into the FIB returned by the patched
                      ExNext, so ExNext always returns the real size of the
                      file. The virus checks whether the file size is divisible
                      by 4, so most data files won't even be opened.
Armouring...........: The virus is armoured with a 128-byte-long metamorphic
                      decryptor. It seems nothing important has changed since
                      BOBEK2, and I think xvs recognition is already ready.
                      The virus code is heavily anti-Resource armoured with
                      some popular tricks and one new trick: the installing
                      part is mixed with some illegal opcodes. A temporarily
                      installed patch on tc_TrapCode lets the processor treat
                      them like NOPs. I wonder whether this is compatible with
                      better 68k processors...
Comments............: As I wrote in the Bastard analysis, brutal patching of
                      code placed in RAM is painful to repair. In the decrypted
                      virus we can see:
                      ý.,x..N¶@ê-[ BOB EK3 by xxxxxxxxx xxxx ]-.........
                      (xxxx = names have been removed by Virus Help Denmark)
                      The virus, like Harrier, isn't in the wild. Also I must
                      admit that the author(s) of the BOBEK family finally
                      noticed what CacheClearU(), AddPart() and even
                      SetFileDate() are used for... ;-)
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 12.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 12.2001
Information Source..: Virus disassembly (infected Enforcer file)
Copyright...........: This documentation is public domain
===================== End of [BOBEK3!] =================================

Note from Zeeball: I am using the word "metamorphic" to draw attention to
polymorphic decoders made of various jumps/calls backward and forward;
however, with my current knowledge it isn't as exact as I'd like it to be...
According to my naming, meta decoders are used (end of 2001) by:
- BOBEK2
- HitchHiker5.00
- Harrier
- BOBEK3
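As an added illustration (not part of the original entry), a Python triage script that walks the AmigaDOS hunk header, applies the infection preconditions listed in the entry as a filter for executables the virus could target, and flags files whose header size table disagrees with the hunk bodies actually present. The filename filter is assumed case-insensitive, the sample executables are constructed in the script, and the size comparison is a tampering heuristic for defenders, not the virus's own self-identification check.

```python
import struct
# Block ids of the AmigaDOS hunk executable format
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_END = 0x3EC, 0x3F2
u32 = lambda buf, off: struct.unpack_from(">I", buf, off)[0]
def parse_hunks(buf):
    """Return (header size table, CODE/DATA/BSS body sizes, has_code), sizes in
    longwords. Walking stops at the first block id this parser does not know."""
    if u32(buf, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    off = 4
    while u32(buf, off):                      # skip resident library name list
        off += 4 + 4 * u32(buf, off)
    first, last = struct.unpack_from(">II", buf, off + 8)
    off += 16                                 # terminator, table size, first, last
    header_sizes = []
    for _ in range(last - first + 1):
        size = u32(buf, off)
        off += 8 if size >> 30 == 3 else 4    # top bits 11: extra flag longword
        header_sizes.append(size & 0x3FFFFFFF)
    body_sizes, has_code = [], False
    while off + 4 <= len(buf):
        kind = u32(buf, off) & 0x3FFFFFFF
        off += 4
        if kind in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            n = u32(buf, off)
            off += 4 if kind == HUNK_BSS else 4 + 4 * n   # BSS carries no bytes
            body_sizes.append(n)
            has_code |= kind == HUNK_CODE
        elif kind == HUNK_RELOC32:            # (count, hunk no., offsets) lists, 0-ended
            count = u32(buf, off); off += 4
            while count:
                off += 4 + 4 * count
                count = u32(buf, off); off += 4
        elif kind != HUNK_END:
            break
    return header_sizes, body_sizes, has_code

def triage(name, buf):
    """Preconditions from the entry as a filter, plus a header/body size comparison
    (heuristic only: some linkers legitimately declare a larger header size)."""
    header_sizes, body_sizes, has_code = parse_hunks(buf)
    eligible = (1000 <= len(buf) <= 200000 and len(buf) % 4 == 0 and has_code
                and "VI" not in name.upper() and "SA" not in name.upper())
    return {"eligible": eligible, "size_mismatch": header_sizes != body_sizes}

def build_hunk_file(code_longwords, header_longwords):
    """Constructed sample: one CODE hunk of 68k NOPs; header size may be tampered."""
    code = b"\x4e\x71" * (2 * code_longwords)
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, header_longwords)
            + struct.pack(">II", HUNK_CODE, code_longwords) + code + struct.pack(">I", HUNK_END))
```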