------------------------
Amiga Virus Encyclopedia
Harrier A Link Virus
------------------------
----------------------------------------------------------------------
Entry...............: Harrier .A
Alias(es)...........: -
Virus Strain........: -
Virus detected when.: 27.10.2001
where.: -
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: ca. 4800 Bytes
(uses a highly polymorphic engine!)
2. Length in RAM: 15360 Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04+
Computer model(s)...: 020+ machines
--------------------- Attributes -------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
- via file comment
Self-identification method in memory:
- checks for 'VRU!' at exec/DebugData
System infection:
- adds new VBlank interrupt server
with one of the following names:
- 'input.device'
- 'timer.device'
- 'console.device'
- 'ciaa.resource'
- infects return code of all tasks
(at stack area)
Infection preconditions:
- File is between 20000 and 250000 bytes
- File size is divisible by 4
- Hunk header is found
- Hunk Code/Data is found
- File is not infected already
- device is validated and big enough
- device has 100+ free sectors
- filename does not contain 'VIR'
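The file-level preconditions above can be turned into a triage filter that tells a defender which executables on a disk are exposed to this virus. The following Python is an added example (not code from the entry or from any AV product); it parses the Amiga hunk header to apply the "hunk header found" and "Code/Data hunk found" checks, builds a constructed sample executable, and assumes the 'VIR' filename match is case-insensitive, which the entry does not state. The device-level checks (validated volume, 100+ free sectors) need a real DOS device and are left out.

```python
import struct
# Hunk block IDs from the Amiga hunk executable format
HUNK_HEADER, HUNK_CODE, HUNK_DATA = 0x3F3, 0x3E9, 0x3EA
MIN_SIZE, MAX_SIZE = 20000, 250000          # size window from the entry

def first_hunk_type(data: bytes):
    """Parse the HUNK_HEADER and return the type ID of the first hunk block
    after it, or None if the file does not start with a well-formed header."""
    def u32(off):
        return struct.unpack_from(">I", data, off)[0]
    try:
        if u32(0) != HUNK_HEADER:
            return None
        off = 4
        while True:                         # resident library names, 0-terminated
            n = u32(off)
            off += 4
            if n == 0:
                break
            off += 4 * n
        first, last = u32(off + 4), u32(off + 8)
        off += 12 + 4 * (last - first + 1)  # table size, first, last, size table
        return u32(off) & 0x3FFFFFFF        # mask memory-type flag bits
    except struct.error:                    # truncated header
        return None

def meets_preconditions(name: str, data: bytes) -> bool:
    """File-level preconditions from the entry; device checks are out of scope.
    Case-insensitive 'VIR' match is an assumption (the entry does not say)."""
    size = len(data)
    return (MIN_SIZE <= size <= MAX_SIZE
            and size % 4 == 0
            and "VIR" not in name.upper()
            and first_hunk_type(data) in (HUNK_CODE, HUNK_DATA))

def make_hunk_exe(code_words: int) -> bytes:
    """Constructed sample: minimal executable with one CODE hunk of
    code_words longwords, filled with RTS ($4E75) instructions."""
    header = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, code_words)
    code = struct.pack(">II", HUNK_CODE, code_words) + b"\x4e\x75" * 2 * code_words
    return header + code + struct.pack(">I", 0x3F2)      # HUNK_END

if __name__ == "__main__":
    samples = {"Prog": make_hunk_exe(5000),      # 20036 bytes, in window
               "Small": make_hunk_exe(1000),     # 4036 bytes, too small
               "VirusZ": make_hunk_exe(5000),    # name contains 'VIR'
               "Data": b"\x00" * 20000}          # no hunk header
    for name, blob in samples.items():
        print(f"{name:8s} candidate={meets_preconditions(name, blob)}")
```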
Infection Trigger...: Exiting of programs.
Storage media affected:
all DOS-devices
Interrupts hooked...: The virus uses its own VBlank server,
which installs patches on new processes
and applies its retro actions to xvs.library.
Damage..............: Permanent damage:
- none
Transient damage:
- none
Damage Trigger......: Permanent damage:
- none
Transient damage:
- none
Particularities.....: Virus uses a highly polymorphic engine called
PolyEngine 1.0. We have already seen PolyEngine 1.1
in the BOBEK2 link virus, but for unknown reasons
PolyEngine 1.0 is far more advanced than 1.1.
The generated decoders are somewhat comparable
to the ones generated by the HAVOC engine from
HitchHiker 5.00, but they are not as complicated.
Either way, detection is possible only
algorithmically.
Uses a brand new memory infection technique:
the virus patches the exit code of processes.
Do not confuse this with pr_ExitCode: the virus patches
the return pointer in the stack area.
The patch does not intercept any vital information,
but hunts for a file to infect using only
the directory locks available in the process structure.
Hunting is done with a plain ExNext() loop, but only
one executable is infected at a time, and the next
such action can take place at the earliest 20 seconds
later, even if several processes terminate at the same
time. In this particular respect Harrier is the
first Amiga virus with slow infection and partial
anti-bait behaviour.
The virus even tunnels past the packet debugger of SnoopDos.
The infector itself, however, is based only on recalculated
dos.library calls.
Similarities........: Some parts are identical to pieces of code
we have seen on the VRU! home site or in Neurotic viruses.
Note that even though the decoders may be comparable
to those of HitchHiker 5.00, the code as a whole
is different.
Stealth.............: The virus uses a quite complex tunneling engine.
The ROM recalculator is already known and has some
real problems with BlizKick, for instance.
I have made some attempts to use such ROM
recalculation in my AV software and I must admit
it led to crashes on some configurations without several
additional tests that the virus lacks.
Because it uses ROM calls, SnoopDos or any similar
DOS-call watcher gets confused. More
importantly, the virus temporarily restores PutMsg(),
so that even the packet monitor of SnoopDos is blind
to its actions.
It chooses files to infect by itself and disables
some AV software. The retro techniques would have given
a certain amount of stealth two months ago, when the
virus is said to have been created. Now they just cause
a lot of screaming from the most recent AV software.
List of retro actions:
- the well-known overwriting patch on the xvs.library
functions SurveyMem(), CheckFile() and SelfTest().
It is no longer valid, as the new xvs from Georg is
very resistant to this technique and the newest
AV software (WatchDog from me and VE from Jan Erik)
can detect whether xvs.library lies.
- disables VirusZ II and VirusZ III including the
support process
- disables the VirusCheckerII process
- disables the VirusExecutor process
Any disabled processes are marked with 'VRU!'
in the pr_ExitData field.
Armouring...........: Uses highly polymorphic decoders whose recognition
is possible only algorithmically.
The complex library-calling system (tunneling)
complicates analysis of the disassembly,
so it can be seen as additional armour.
Comments............: This virus was sent as source code directly
to Georg Hoermann just after he had released
xvs 33.36 with its new security.
Therefore the virus lost relevance just before
we got it.
In the decoded virus
we can read:
VirusZ_II.VirusZ_III.Virus_CheckerII(©).ramlib.exec.library.dos.library.xvs.library......".1timer.device.input.device.console.device.ciaa.resource. .[ Harrier .A 1.02 virus, (c) by xxxxxxxxxxxxxx ].Markus! Come back!Hç..,z.Ê
(xxxxxxx = Programmers name, removed by Virus Help Denmark)
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 28.10.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 28.10.2001
Information Source..: virus source code (thanks Georg)
Copyright...........: This documentation is public domain
================== End of Harrier .A ==================================
Virus Help Team Denmark & Canada, Copyright © All rights reserved, www.vht.dk