Entry...............: Harrier .A
Alias(es)...........: -
Virus Strain........: -
Virus detected when.: 27.10.2001
              where.: -
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     ca. 4800 Bytes
                         (uses a highly polymorphic engine)
                      2. Length in RAM:                    15360 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: 2.04+
Computer model(s)...: 020+ machines

--------------------- Attributes ---------------------------------------

Easy Identification.:  none

Type of infection...: Self-identification method in files:

                      - via file comment

                      Self-identification method in memory:
                      - checks for 'VRU!' at exec/DebugData

                      System infection:

                      -  adds new VBlank interrupt server
                         with one of the following names:
                          - 'input.device'
                          - 'timer.device'
                          - 'console.device'
                          - 'ciaa.resource'

                      -  infects return code of all tasks
                         (at stack area)

                      Infection preconditions:

                      - File is between 20000 and 250000 bytes
                      - File size is divisible by 4
                      - Hunk header is found
                      - Hunk Code/Data is found
                      - File is not infected already
                      - device is validated and big enough
                      - device has 100+ free sectors
                      - filename does not contain 'VIR'
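As an added example (not part of the original description), the static file preconditions listed above as a check a scanner could run to tell which executables on a disk are eligible targets. The hunk identifiers are the standard Amiga hunk-format values, the sample executable is constructed, and the device-related and file-comment conditions are not modelled because the page does not give the comment marker.

```python
import struct

# Amiga hunk-format block identifiers (standard values).
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_END = 0x3F3, 0x3E9, 0x3EA, 0x3F2
MIN_SIZE, MAX_SIZE = 20000, 250000   # size window from the preconditions above

def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0]

def first_hunk_type(buf):
    """Walk the hunk header and return the type of the first hunk (None if malformed)."""
    try:
        if _u32(buf, 0) != HUNK_HEADER:
            return None
        off = 4
        while True:                          # resident library names, 0-terminated
            n = _u32(buf, off); off += 4
            if n == 0:
                break
            off += n * 4
        first, last = _u32(buf, off + 4), _u32(buf, off + 8)
        off += 12 + (last - first + 1) * 4   # skip table_size/first/last + size table
        return _u32(buf, off) & 0x3FFFFFFF   # drop memory-flag bits
    except struct.error:
        return None                          # truncated or garbage header

def harrier_static_checks(filename, buf):
    """Return which of the virus's static file preconditions the file meets."""
    hunk = first_hunk_type(buf)
    return {
        "size_in_window": MIN_SIZE <= len(buf) <= MAX_SIZE,
        "size_multiple_of_4": len(buf) % 4 == 0,
        "hunk_header": hunk is not None,
        "code_or_data_hunk": hunk in (HUNK_CODE, HUNK_DATA),
        "name_without_VIR": "VIR" not in filename,   # exact-case, as the page states it
    }

def is_eligible(filename, buf):
    """True only if every static precondition holds, i.e. the file could be a target."""
    return all(harrier_static_checks(filename, buf).values())

def build_sample(n_longs=5000):
    """Constructed minimal executable: empty name list, one zero-filled code hunk."""
    hdr = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n_longs)
    code = (struct.pack(">II", HUNK_CODE, n_longs) + bytes(n_longs * 4)
            + struct.pack(">I", HUNK_END))
    return hdr + code

if __name__ == "__main__":
    sample = build_sample()
    print(len(sample), harrier_static_checks("demo", sample))
```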

Infection Trigger...: Exiting of programs.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: The virus uses its own VBlank interrupt server,
                      which installs the patches on new processes
                      and applies the retro (anti-AV) patches to
                      xvs.library.

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none

Particularities.....: The virus uses a highly polymorphic engine called
                      PolyEngine 1.0. We have already seen PolyEngine 1.1
                      in the BOBEK2 linkvirus, but for unknown reasons
                      PolyEngine 1.0 is far more advanced than 1.1.
                      The generated decoders are somewhat comparable
                      to the ones generated by the HAVOC engine from
                      HitchHiker 5.00, but are not as complicated.
                      Anyway, detection is possible only algorithmically.

                      Uses a brand new memory infection technique:
                      the virus patches the exit code of processes.
                      Do not confuse this with pr_ExitCode - the virus
                      patches the return address on the stack.
                      The patch doesn't intercept any vital information,
                      but hunts for a file to infect according to the
                      directory locks available in the process structure.
                      Hunting is done with a plain ExNext() loop, but only
                      one executable is infected at a time, and the next
                      such action is performed at the earliest 20 seconds
                      later, even if more processes terminate at the same
                      time. In that respect Harrier is the first Amiga
                      virus with slow infection and partial anti-bait
                      behaviour.

                      The virus tunnels even the packet debugger of
                      SnoopDos. However, the infector itself is based
                      just on recalculated dos.library calls.

Similarities........: Some parts are identical to pieces of code we have
                      seen on the VRU! home site or in Neurotic viruses.
                      Note that even though the decoders might be
                      comparable to the ones of HitchHiker 5.00, the
                      whole code is different.

Stealth.............: The virus uses a quite complex tunneling engine.
                      The ROM recalculator is already known and has some
                      real problems with BlizKick, for instance.
                      I have made some attempts to use such ROM
                      recalculation in my AV software and I must admit
                      it led to crashes on some configurations without
                      several additional tests which the virus lacks.
                      Because ROM calls are used, SnoopDos or any similar
                      doscall watcher gets confused. What is more
                      important, the virus temporarily restores PutMsg(),
                      so that even the packet monitor of SnoopDos is blind
                      to its actions.

                      Chooses the files to infect by itself and disables
                      some AV software. The retro techniques would have
                      given a certain amount of stealth two months ago,
                      when the virus is said to have been created. Now
                      they just cause a lot of screaming from the most
                      recent AV software.

                      List of retro actions:
                      - the well-known overwriting patch on the xvs.library
                        functions SurveyMem(), CheckFile() and SelfTest().
                        It is no longer effective, as the new xvs from Georg
                        is very resistant to this technique and the newest
                        AV software (WatchDog from me and VE from Jan Erik)
                        can detect whether xvs.library lies.
                      - disables VirusZ II and VirusZ III, including the
                        support process
                      - disables the VirusCheckerII process
                      - disables the VirusExecutor process

                      Any disabled processes are marked with 'VRU!'
                      in pr_ExitData field.

Armouring...........: Uses highly polymorphic decoders whose recognition
                      is possible only algorithmically.
                      The use of a complex library calling system
                      (tunneling) causes some complications during
                      analysis of the disassembly, so it can be seen as
                      additional armour.

Comments............: This virus was sent as source code directly
                      to Georg Hoermann just after he had released
                      xvs 33.36 with the new security features.
                      Therefore this virus lost its relevance just before
                      we got it.

In the decoded virus we can read:

 VirusZ_II.VirusZ
 _III.Virus_Check
 erII(©).ramlib.e
 xec.library.dos.
 library.xvs.libr
 ary......".1time
 r.device.input.d
 evice.console.de
 vice.ciaa.resour
 ce. .[ Harrier .
 A 1.02 virus, (c
 ) by xxxxxxxxxxx
 xxx ].Markus! Co
 me back!HÁ..,z. 


 (xxxxxxx = Programmers name, removed by Virus Help Denmark)

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  28.10.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 28.10.2001
Information Source..: virus source code (thanks Georg)
Copyright...........: This documentation is public domain

================== End of Harrier .A  ==================================