Entry...............: Bobek3
Alias(es)...........: -
Virus Strain........: Bobek/Harrier
Virus detected when.: -
              where.: -
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:         2000 Bytes
                      2. Length in RAM:                    8448 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:
                      - compares length declared in hunkheader with the
                        real length (this also avoids infection of some
                        crunched files)

                      Self-identification method in memory:
                      - none

                      System infection:
                      - the virus patches internal ExNext call of
                        reqtools.library (it handles very many versions
                        of that library!)

                      - the virus disables xvs.library by overwriting
                        its vectors.

                      Infection preconditions:

                      - File is between 1000 and 200000 bytes
                      - Hunk Code is found
                      - File is not infected already
                      - device is validated
                      - filename is without "VI" and "SA"

Infection Trigger...: Scanning directories with reqtools requesters

Storage media affected:
                      all DOS-devices

Interrupts hooked...: -

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none

Particularities.....: Very many differences to the BOBEK code. The virus
                      restores filedates, allocates memory to load files
                      and so on. Just like any average virus from the
                      past... ;-)

                      The virus tunnels doscall and packet watchers.
                      Tunneling of the packet monitoring of SnoopDos is
                      done by temporarily restoring the PutMsg ROM
                      pointer. The restored ROM calls to dos are formed
                      into a library-style jumptable. That makes analysing
                      the virus code almost impossible until we examine
                      all the used dos functions by name (wasn't so
                      difficult to guess anyways).

                      The virus uses retro techniques to disable
                      xvs.library functions: SelfTest, FileCheck and
                      SurveyMemory. This behaviour no longer works with
                      new security stuff by Georg...

Similarities........: Very many similarities to HARRIER and BOBEK! viri.
                      File infection and decoder are almost equal to
                      BOBEK2, however this virus isn't binary.

Stealth.............: The virus uses direct ROM calls to all dos
                      functions, therefore doscall watchers are cheated.
                      This routine is still incompatible with some
                      configs. Also packets are invisible for packet
                      monitor of SnoopDos.

                      The virus puts the new infected length to FIB
                      returned by patched ExNext, so the ExNext always
                      returns the real size of file. The virus checks if
                      filesize is divisible by 4, so most of datafiles
                      won't be even opened.

Armouring...........: Virus is armoured with 128 bytes long metamorphic
                      decryptor. Seems nothing important has changed
                      since BOBEK2 and I think xvs recog is already
                      ready.

                      The virus code is heavily anti-Resource armoured
                      with some popular tricks and one new trick:
                      installing part is mixed with some illegal
                      opcodes. Temporarily installed patch on
                      tc_TrapCode lets the processor treat them like
                      NOPs. I wonder if this is compatible with better
                      68k processors...

Comments............: As I wrote in the Bastard analysis - brutal patching
                      of code placed in RAM is painful to repair.

In decrypted virus we can see:

 .,x..N@-[ BOB
 EK3 by xxxxxxxxx
 xxxx ]-.........

( xxxx = Names have been removed by Virus Help Denmark)

The virus, like Harrier, isn't on the spread. Also I must admit that
author(s) of the BOBEK family finally noticed what CacheClearU(),
AddPart() and even SetFileDate() are used for... ;-)

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  12.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 12.2001
Information Source..: Virus disassembly (infected Enforcer file)
Copyright...........: This documentation is public domain

===================== End of [BOBEK3!] =================================


Note from Zeeball:
I am using the word "metamorphic" to draw attention to polymorphic decoders
made of various jumps/calls backward and forward, however with my
current knowledge it isn't as exact as I'd like it to be...
According to my naming meta decoders are used (end of 2001) by:

- BOBEK2
- HitchHiker5.00
- Harrier
- BOBEK3
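
An added example, not part of the original entry and not xvs.library code: a Python check that compares the length declared in the hunk header with the length stored in the first HUNK_CODE block, the comparison listed under "Self-identification method in files". It assumes the code hunk is the first hunk and only reports that the two lengths differ, which some crunched files also show; the function names and the sample file builder are constructed for illustration.

```python
import struct

HUNK_HEADER = 0x3F3
HUNK_CODE = 0x3E9
HUNK_END = 0x3F2
SIZE_MASK = 0x3FFFFFFF  # top two bits of a size/type longword are memory flags


def first_hunk_lengths(data: bytes):
    """Return (declared, actual) longword counts for the first hunk, or None
    if the data is not an AmigaDOS load file whose first hunk is HUNK_CODE."""
    pos = 0

    def u32():
        nonlocal pos
        if pos + 4 > len(data):
            raise ValueError("truncated hunk file")
        (val,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return val

    try:
        if u32() != HUNK_HEADER:
            return None
        while (n := u32()) != 0:       # resident library names, normally empty
            pos += 4 * n
        u32()                           # hunk table size
        first, last = u32(), u32()
        sizes = []
        for _ in range(last - first + 1):
            raw = u32()
            if raw >> 30 == 3:          # both flags set: extra attribute longword
                u32()
            sizes.append(raw & SIZE_MASK)
        if not sizes or (u32() & SIZE_MASK) != HUNK_CODE:
            return None
        return sizes[0], u32() & SIZE_MASK
    except ValueError:
        return None


def length_mismatch(data: bytes) -> bool:
    """True when the header's declared length differs from the code block's."""
    lengths = first_hunk_lengths(data)
    return lengths is not None and lengths[0] != lengths[1]


def build_sample(declared: int, actual: int) -> bytes:
    """Constructed one-hunk sample file (NOP filler), not a real program."""
    words = [HUNK_HEADER, 0, 1, 0, 0, declared, HUNK_CODE, actual]
    words += [0x4E714E71] * actual + [HUNK_END]
    return struct.pack(f">{len(words)}I", *words)
```

A mismatch is a triage signal only: it marks files worth passing to a scanner with proper recognition for this family.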

