Entry...............: HitchHiker 5.00
Alias(es)...........: -
Virus Strain........: Smeg2
Virus detected when.: August 2001
              where.: Aminet
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:
                                                      ca. 3720 bytes
                      Has the most advanced metamorphic decoders seen
                      on the Amiga and uses slow polymorphism!
                      2. Length in RAM:                    8588 bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04+
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: -

Type of infection...: Self-identification method in files:

                      - via unused bits visible in dos flags

                      Self-identification method in memory:

                      - checks for 'HH5' process

                      System infection:

                      -  A new process named 'HH5' is created, and this
                         is the only visible change in the system.
                         That process infects files using the known
                         Smeg code, but the way of obtaining targets
                         is new.
                      -  The virus patches the return address of the
                         Wait() call in the device tasks.
                         This is a very clever idea which lets the
                         virus hook devices whose code is placed
                         even in ROM.
                         The LOCATE_OBJECT and EXAMINE_NEXT packets
                         are intercepted.

                      Infection preconditions:

                       - HUNK_CODE is found
                       - device is validated
                       - at least 6 free blocks
                       - filename does not start with "vir" or "saf"
                         (case-independent check)
                       - file is bigger than 4190 bytes
                       - file is smaller than 100377 bytes
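As an added example (not part of this description, and not the virus's or the author's code), the following Python script checks a file against the file-level infection preconditions listed above, so that a defender can prefilter which executables on a volume are even eligible targets for a scan. It carries its own minimal Amiga hunk-file walker; the sample executables it builds and the helper names are constructed for illustration. The "device is validated" and "at least 6 free blocks" conditions are properties of the volume, not of the file, and are not checked here.

```python
import struct

# Amiga hunk-file block identifiers (AmigaDOS hunk format).
HUNK_HEADER = 0x3F3
HUNK_CODE = 0x3E9
HUNK_DATA = 0x3EA
HUNK_BSS = 0x3EB
HUNK_RELOC32 = 0x3EC
HUNK_END = 0x3F2

# File-level preconditions quoted from the description above.
MIN_SIZE = 4190          # file must be bigger than this
MAX_SIZE = 100377        # file must be smaller than this
SKIP_PREFIXES = ("vir", "saf")


def _u32(data, pos):
    """Read one big-endian longword; raises struct.error on a short read."""
    return struct.unpack(">I", data[pos:pos + 4])[0]


def hunk_types(data):
    """Return the list of hunk block ids found in an Amiga executable.

    Only the common block types are understood; parsing stops at the first
    unknown block or at a truncated file, which is enough for a triage filter.
    """
    found = []
    try:
        if len(data) < 4 or _u32(data, 0) != HUNK_HEADER:
            return found
        pos = 4
        # Resident library name table: (length in longwords, name) pairs, 0-terminated.
        while True:
            n = _u32(data, pos)
            pos += 4
            if n == 0:
                break
            pos += n * 4
        _table_size, first, last = struct.unpack(">III", data[pos:pos + 12])
        pos += 12
        pos += (last - first + 1) * 4      # per-hunk size table (flags in top bits)
        while pos + 4 <= len(data):
            htype = _u32(data, pos) & 0x3FFFFFFF   # strip memory-type flag bits
            pos += 4
            found.append(htype)
            if htype in (HUNK_CODE, HUNK_DATA):
                n = _u32(data, pos)
                pos += 4 + n * 4
            elif htype == HUNK_BSS:
                pos += 4
            elif htype == HUNK_RELOC32:
                while True:
                    n = _u32(data, pos)
                    pos += 4
                    if n == 0:
                        break
                    pos += 4 + n * 4       # target hunk number + n offsets
            elif htype == HUNK_END:
                pass
            else:
                break                      # unknown block type: stop walking
    except struct.error:
        pass                               # truncated file: report what was seen
    return found


def matches_preconditions(filename, data):
    """Return (candidate, reasons): does this file satisfy the virus's
    file-level infection preconditions? An empty reasons list means yes."""
    reasons = []
    if filename.lower().startswith(SKIP_PREFIXES):
        reasons.append("name starts with vir/saf")
    if not len(data) > MIN_SIZE:
        reasons.append("file too small")
    if not len(data) < MAX_SIZE:
        reasons.append("file too large")
    if HUNK_CODE not in hunk_types(data):
        reasons.append("no HUNK_CODE block")
    return (not reasons, reasons)


def build_sample_executable(hunk_type, longwords):
    """Construct a minimal single-hunk executable for testing (not a real program):
    HUNK_HEADER, empty library table, one hunk of the given type, HUNK_END."""
    header = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, longwords)
    body = struct.pack(">II", hunk_type, longwords) + b"\x4e\x75\x4e\x71" * longwords
    return header + body + struct.pack(">I", HUNK_END)


if __name__ == "__main__":
    samples = {
        "Demo": build_sample_executable(HUNK_CODE, 1200),      # eligible
        "VirusChecker": build_sample_executable(HUNK_CODE, 1200),  # excluded by name
        "tiny": build_sample_executable(HUNK_CODE, 10),        # below size window
        "datafile": build_sample_executable(HUNK_DATA, 1200),  # no HUNK_CODE
    }
    for name, blob in samples.items():
        print(name, matches_preconditions(name, blob))
```

On a real volume the same function would be applied to each file's name and contents; a file reported as a candidate is simply one the virus could infect, not one that is infected, so the list only narrows which files need a full scan.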

Infection Trigger...: The infection is driven by the packet handling
                      of AMIGA OS. Every file that is started or
                      listed can be infected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none

Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none

Particularities.....: Uses slow polymorphism!
                      After a reboot the freshly executed virus
                      generates ONLY ONE NEW highly metamorphic decoder,
                      which is used for all infections until the next
                      reboot.

                      The stack patches are done very cleverly, and the
                      code is flexible enough to handle differences
                      between OS versions (including those newer than 3.1).
                      Most of the code is identical to the first SMEG virus.
                      If the name of the accessed file starts with "VIR"
                      or "SAF" (case-independent), the file is not
                      infected.

Similarities........: It could be seen as a third kind of SMEG2, but the
                      polyengine makes it one of the most advanced viruses
                      for the Amiga.

Stealth.............: None. Unlike the BOBEK viruses, the virus does not
                      fake the file length in ExNext's FIB, so it is
                      likely that, under control of the virus, a user
                      may cut (truncate) files. Salvage will never be
                      possible, as it was with some HH4.11 files that
                      appeared several times in truncated form due to...
                      the virus stealth engine, which returned the
                      non-infected size of an infected file.

Armouring...........: Uses the so-called HAVOC polyengine. This is the
                      best such engine in an Amiga virus at the moment.
                      The decoders are placed after the decoder block,
                      and the loop can contain a great deal of logical code.
                      The decoders are generated metamorphically and are
                      built of various backward and forward jumps.
                      Such decoders can be detected only algorithmically.
                      Detection of this virus is impossible with
                      techniques like breaking the encryption (too many
                      variants) and tracing (the entry point!).
                      The decoder is generated at virus startup,
                      so after a reboot files are always infected
                      with new decoders.
                      The polyengine is very compact and uses its
                      own "decoder language".

Comments............: The decrypted virus contains the text: HAVOC

AGAIN I WAS RIGHT:

There is only one HitchHiker 5.00 and my removal code
is ONE for all infections caused by any of the three known
installers.

The installers seem to be made with an unknown
variant of the $4eb9 linker (anyway, VT-Schutz knows it!),
then crunched with Imploder and mixed with an additional fake
$VER string which causes XFD to ignore these files as uncrunched.
The linked virus part is about 8600 bytes long and contains
only the unencrypted HitchHiker 5.00 virus.

Visible texts:

..#D..#h....Nu-=
HAVOC=-. <...a.

and:

library..Hitch-H
iker Millenium (
5.00).Featuring
the Hitcher's Ad
vanced Versatile
 Optimizing Code
mix Engine.A wel
come present for
 Jan Erik by xxx
xxxxxxxx.-= On T
our 1995-2001 =-

(xxxxxxx = Programmers name, removed by Virus Help Denmark)

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: August/September 2001
Information Source..: virus disassembly, SMEG1 source code
Copyright...........: This document is public domain.
