Entry...............: Hitch Hiker 3.00
Alias(es)...........: none
Virus Strain........: -
Virus detected when.: 13.07.1996
              where.: Germany, USA, Israel
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     ca. 3020 Bytes
                      (uses a polymorphic technique)
                      2. Length in RAM:                    8000 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - none

                      Self-identification method in memory:

                      - searches for $FAB4FAB4 at LastAlert(Exec)

                      System infection:
                      -  infects the following functions:
                         Dos LoadSeg(), Dos Write()

                      (the library checksum is recalculated, and the
                       virus tries to deceive some virus killers)

                      Infection preconditions:
                       - HUNK_HEADER and HUNK_CODE are found
                       - device is validated
                       - 10 free blocks on the device
                       - the HUNK_CODE length must match the length
                         given in the header.
                       - File must be between $1f40 and $20000
                         bytes (not working)
                        
Infection Trigger...: Accessing files via LoadSeg() or Write()
                      It's a typical infector. It cannot be rated as a
                      fast infector, as it only infects during the
                      above-mentioned operations.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - Due to an address access past the end of the
                        virus code, an infection may result in trashed
                        code.

                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - None

Particularities.....: The crypt/decrypt routines are partly aware of processor
                      caches. The crypt routine is polymorphic and
                      consists of some logical operations. The virus uses
                      some special techniques in the file infection (buggy)
                      and in the library offset code.
                      
Similarities........: The link method is comparable to the method introduced
                      with the Infiltrator virus and the first HitchHiker
                      viruses.

Stealth.............: No stealth function found. The only thing to mention
                      is the library negative offset value.

Armouring...........: The virus is heavily armoured with a $100 byte long
                      polymorphic decryptor. Not only do the registers
                      change, the operations are mixed as well. This
                      polymorphic routine can currently be regarded as one
                      of the best available routines for the AMIGA. The
                      routine mixes a lot of code and uses a normal
                      polymorphic scheme. No slow polymorphism code was
                      found. The decrypt header has a static length of $100
                      bytes and initialises a circular decryption. The
                      decryption code uses anti-heuristic techniques, and
                      only a fully implemented code emulation would be able
                      to crack it.

                      The polymorphism works in the normal scheme (using
                      $dff006 and $dff007) and does not use modern
                      techniques like slow polymorphism.

                      (A "white paper" analysis of this engine can be
                       obtained from me or from the Virus Test Center in
                       Hamburg. We need special information about you before
                       we give such information away.)

Comments............: It may be of interest to the reader that the programmer
                      of the virus included more text in it than in the
                      previous ones:

                      'The Hitch-Hiker Generation:  00000308 - Version 3.00'
                      'Last in series.
                      "Dedicated to Heiner Markus ZIB and Georg"

                      It would be interesting to know who this ZIB is.

--------------------- Agents -------------------------------------------

Countermeasures.....: VT 2.86 and VW 6.2
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 17.07.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: July, 17. 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication

===================== End of Hitch-Hiker 3.00 =========================
