Entry...............: Hitch Hiker 3.00
Alias(es)...........: none
Virus Strain........: -
Virus detected when.: 13.07.1996
              where.: Germany, USA, Israel
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: ca. 3020 bytes
                         (uses a polymorphic technique)
                      2. Length in RAM: 8000 bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:
                      - none
                      Self-identification method in memory:
                      - searches for $FAB4FAB4 at LastAlert (Exec)
                      System infection:
                      - infects the following functions: Dos LoadSeg(),
                        Dos Write() (the library checksum is recalculated
                        and an attempt is made to cheat some virus killers)
                      Infection preconditions:
                      - HUNK_HEADER and HUNK_CODE are found
                      - device is validated
                      - 10 free blocks on the device
                      - hunk_code must contain the same length as given in
                        the header
                      - file must be between $1f40 and $20000 bytes
                        (not working)

Infection Trigger...: Accessing files via LoadSeg() or Write(). It is a
                      typical infector; it cannot be rated as a fast
                      infector, as it only infects on the above-mentioned
                      operations.

Storage media affected: all DOS devices

Interrupts hooked...: none

Damage..............: Permanent damage:
                      - Due to an address access behind the virus code, it
                        is possible that an infection results in trashed
                        code.
                      Transient damage:
                      - none

Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none

Particularities.....: The crypt/decrypt routines are partly aware of
                      processor caches. The crypt routine is polymorphic
                      and consists of some logical operations. The virus
                      uses some special tricks in the file infection
                      (buggy) and in the library offset code.

Similarities........: The link method is comparable to the method invented
                      with the Infiltrator virus and the first HitchHiker
                      viruses.

Stealth.............: No stealth function found. The only thing to mention
                      is the library negative offset value.

Armouring...........: The virus is heavily armoured with a $100 byte long
                      polymorphic decryptor. Not only do the registers
                      change, even the operations are mixed. This
                      polymorphic routine can currently be seen as one of
                      the best routines available for the AMIGA. The routine
                      mixes a lot of code and uses a normal polymorphic
                      scheme. No slow-polymorphism code was found. The
                      decrypt header is static, $100 bytes long, and
                      initialises a circular decryption. The decryption code
                      uses anti-heuristic tricks, and only a fully
                      implemented code emulation would be able to crack this
                      one. The polymorphism works in the normal scheme (with
                      $dff006 and $dff007 usage) and does not use modern
                      techniques like slow polymorphism. (A "white paper"
                      analysis of this engine can be obtained from me or
                      from the Virus Test Center in Hamburg. We need special
                      information about you before we give such information
                      away.)

Comments............: Maybe interesting for the reader is that the
                      programmer of the virus wrote some more text in it
                      than in the last ones:
                      'The Hitch-Hiker Generation: 00000308 - Version 3.00'
                      'Last in series. "Dedicated to Heiner Markus ZIB and
                      Georg"'
                      It would be interesting to know who this ZIB is.

--------------------- Agents -------------------------------------------

Countermeasures.....: VT 2.86 and VW 6.2ß and above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany, 17.07.1996
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: July 17, 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used in
                      any SHI publication

===================== End of Hitch-Hiker 3.00 =========================
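The two structural infection preconditions listed above (HUNK_CODE length equal to the size declared in HUNK_HEADER, and a file size between $1f40 and $20000 bytes) can be checked offline on a candidate executable. The following parser is an added example, not code from the entry or from the Virus Test Center; it assumes a single-code-hunk file, and it applies the size window as documented even though the entry notes the virus's own size check is not working.

```python
# Added example (not from the virus description): a small parser for
# AmigaDOS "hunk" executables that evaluates the two structural preconditions
# the write-up names: the HUNK_HEADER size of the first hunk must match the
# HUNK_CODE length, and the file length must lie in [$1f40, $20000].
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
SIZE_MIN, SIZE_MAX = 0x1F40, 0x20000      # window quoted in the description

def _lw(data, off):
    """Read one big-endian longword at byte offset off."""
    return struct.unpack_from(">I", data, off)[0]

def parse_hunk(data):
    """Return (header_sizes, code_len_longwords) for a single-code-hunk file."""
    if _lw(data, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    off = 4
    while _lw(data, off) != 0:            # skip resident library name table
        off += 4 + 4 * _lw(data, off)
    off += 4
    table_size, first, last = struct.unpack_from(">III", data, off)
    off += 12
    sizes = []
    for _ in range(last - first + 1):
        word = _lw(data, off)
        off += 4
        sizes.append(word & 0x3FFFFFFF)    # strip memory-type flag bits
        if word >> 30 == 3:                # both flags set: extra attribute word
            off += 4
    if _lw(data, off) != HUNK_CODE:
        raise ValueError("first hunk is not HUNK_CODE")
    return sizes, _lw(data, off + 4)

def meets_preconditions(data):
    """True if the file has the layout the entry says the virus requires."""
    sizes, code_len = parse_hunk(data)
    return sizes[0] == code_len and SIZE_MIN <= len(data) <= SIZE_MAX

def build_sample(code_longwords, declared_len=None):
    """Constructed minimal executable: one code hunk filled with NOPs."""
    declared = code_longwords if declared_len is None else declared_len
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, code_longwords)
            + struct.pack(">II", HUNK_CODE, declared)
            + b"\x4e\x71\x4e\x71" * code_longwords
            + struct.pack(">I", HUNK_END))

if __name__ == "__main__":
    print(meets_preconditions(build_sample(0x800)))          # True
    print(meets_preconditions(build_sample(0x800, 0x7FF)))   # False: mismatch
    print(meets_preconditions(build_sample(16)))             # False: too small
```

A mismatch between the header size and the HUNK_CODE length is also a cheap integrity signal in its own right, since a correctly linked executable always has the two agree.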