------------------------
Amiga Virus Encyclopedia
Bobek 3 Virus
------------------------
-----------------------------------------------------------------------
Entry...............: Bobek3
Alias(es)...........: -
Virus Strain........: Bobek/Harrier
Virus detected when.: -
               where.: -
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 2000 Bytes
                      2. Length in RAM: 8448 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
- compares the length declared in the hunk header with the
real length (this also prevents infection of some
crunched files)
Self-identification method in memory:
- none
System infection:
- the virus patches the internal ExNext call of
reqtools.library (it handles very many versions
of that library!)
- the virus disables xvs.library by overwriting
its vectors.
Infection preconditions:
- file is between 1000 and 200000 bytes long
- Hunk Code is found
- file is not already infected
- device is validated
- filename contains neither "VI" nor "SA"
Infection Trigger...: Scanning directories with reqtools requesters
Storage media affected:
all DOS-devices
Interrupts hooked...: -
Damage..............: Permanent damage:
- none
Transient damage:
- none
Damage Trigger......: Permanent damage:
- none
Transient damage:
- none
Particularities.....: Very many differences from the BOBEK code. The virus
restores file dates, allocates memory to load files
and so on, just like any average virus from the
past... ;-)
The virus tunnels DOS-call and packet watchers.
Tunneling of the SnoopDos packet monitor is done
by temporarily restoring the PutMsg ROM pointer. The
restored ROM entry points for dos are arranged into a
library-style jump table. That makes analysing the
virus code almost impossible until all the dos
functions used are identified by name (which wasn't
so difficult to guess anyway).
The virus uses retro techniques to disable the
xvs.library functions SelfTest, FileCheck and
SurveyMemory. This no longer works with the new
security code by Georg...
Similarities........: Very many similarities to the HARRIER and BOBEK! viruses.
File infection and decoder are almost equal to
BOBEK2's; however, this virus isn't binary.
Stealth.............: The virus uses direct ROM calls for all dos
functions, therefore DOS-call watchers are cheated.
This routine is still incompatible with some
configs. Packets are also invisible to the packet
monitor of SnoopDos.
The virus writes the new, infected length into the FIB
returned by the patched ExNext, so ExNext always
returns the real size of the file. The virus checks if
the file size is divisible by 4, so most data files
won't even be opened.
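As an added illustration, not part of the original analysis, the following Python checks the hunk-header/real-length consistency that the entry says the virus uses to recognise already-infected files, and applies the file-level preconditions listed under "Type of infection" and "Stealth". The entry does not say exactly how the two lengths are compared, so matching each hunk's header table entry against its own block length, the case-insensitive name test and the constructed sample files are assumptions of this example.

```python
import struct

# Amiga hunk-file block ids (big-endian longwords)
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_RELOC32, HUNK_END = 0x3F3, 0x3E9, 0x3EA, 0x3EB, 0x3EC, 0x3F2

def _lw(buf, pos):
    return struct.unpack_from(">I", buf, pos)[0]

def declared_hunk_sizes(buf):
    """Size table from HUNK_HEADER (bytes, memory flags stripped) and offset of the first block."""
    if len(buf) < 4 or _lw(buf, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    pos = 4
    while _lw(buf, pos) != 0:                      # skip resident library names
        pos += 4 + _lw(buf, pos) * 4
    first, last = _lw(buf, pos + 8), _lw(buf, pos + 12)
    pos += 16
    sizes = [(_lw(buf, pos + 4 * i) & 0x3FFFFFFF) * 4 for i in range(last - first + 1)]
    return sizes, pos + 4 * len(sizes)

def find_length_mismatch(buf):
    """First CODE/DATA/BSS block whose length disagrees with the header table: (hunk, declared, actual) or None."""
    sizes, pos = declared_hunk_sizes(buf)
    hunk = 0
    while hunk < len(sizes) and pos + 4 <= len(buf):
        kind = _lw(buf, pos)
        if kind in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            n = _lw(buf, pos + 4) * 4
            if n != sizes[hunk]:
                return hunk, sizes[hunk], n
            pos += 8 + (0 if kind == HUNK_BSS else n)   # BSS carries no data bytes
        elif kind == HUNK_RELOC32:                  # (count, hunk, offsets...)* ending with count 0
            pos += 4
            while _lw(buf, pos) != 0:
                pos += 8 + _lw(buf, pos) * 4
            pos += 4
        elif kind == HUNK_END:
            hunk, pos = hunk + 1, pos + 4
        else:
            raise ValueError("unhandled block 0x%X at offset %d" % (kind, pos))
    return None

def build_sample(code, header_longwords):
    # Constructed one-hunk executable: header declares header_longwords, block carries all of code
    hdr = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, header_longwords)
    return hdr + struct.pack(">II", HUNK_CODE, len(code) // 4) + code + struct.pack(">I", HUNK_END)

def in_target_window(size, filename):
    """File-level preconditions quoted from the entry (case-insensitive name test is an assumption)."""
    name = filename.upper()
    return 1000 <= size <= 200000 and size % 4 == 0 and "VI" not in name and "SA" not in name
```

A file whose code block has grown past the size the header table declares is reported as a mismatch; as the entry notes, some crunched files show the same inconsistency, so a hit is a reason to look closer, not proof of infection.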
Armouring...........: The virus is armoured with a 128-byte-long metamorphic
decryptor. It seems nothing important has changed
since BOBEK2 and I think the xvs recognition is already
ready.
The virus code is heavily anti-ReSource armoured
with some popular tricks and one new trick: the
installing part is mixed with some illegal
opcodes. A temporarily installed patch on
tc_TrapCode lets the processor treat them like
NOPs. I wonder if this is compatible with better
68k processors...
Comments............: As I wrote in the Bastard analysis, brutal patching of
code placed in RAM is painful to repair.
In the decrypted virus we can see:
ý.,x..N¶@ê-[ BOB
EK3 by xxxxxxxxx
xxxx ]-.........
( xxxx = names have been removed by Virus Help Denmark)
The virus, like Harrier, isn't spreading. Also I must admit that the
author(s) of the BOBEK family finally noticed what CacheClearU(),
AddPart() and even SetFileDate() are used for... ;-)
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 12.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 12.2001
Information Source..: Virus disassembly (infected Enforcer file)
Copyright...........: This documentation is public domain
===================== End of [BOBEK3!] =================================
Note from Zeeball:
I am using the word "metamorphic" to draw attention to polymorphic decoders
made of various jumps/calls backward and forward; however, with my
current knowledge it isn't as exact as I'd like it to be...
According to my naming, meta decoders are used (end of 2001) by:
- BOBEK2
- HitchHiker5.00
- Harrier
- BOBEK3
------------------------------------------------------------------------
Antivirus removal: Kickstart 1.2 & 1.3: VT-Schutz v3.17
                   all other Kickstarts: VirusZ III with xvs.library installed