Entry...............: HitchHiker 4.11
Alias(es)...........: CopyCat Decruncher 1.01
Virus Strain........: -
Virus detected when.: Febuary 1997
              where.: Germany and Italy
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     ca. 3052 Bytes
                      2. Length in RAM:                    3500 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04+ (V37-V40)
Computer model(s)...: all models/processors (MC68000-MC68060)
                      The virus heavy problems with the 060 cache

--------------------- Attributes ---------------------------------------

Easy Identification.: -

Type of infection...: Self-identification method in files:

                      - length of hunk 1

                      Self-identification method in memory:

                      - test for the changed jump command from
                        Exec PutMsg() and a longword in the trapcode.

                      System infection:

                      - The entryjump of Exec PutMsg() will be patched
                        to a trap code.
                      - A new trapcode will be installed.
                      - a process with a library name will be started,
                        which installs the patches again

                      Infection preconditions:

                       - HUNK_HEADER is found
                       - device is validated
                       - to be infected file is bigger than $be8
                       - 10 free diskblocks

Infection Trigger...: The infection is based on the packet handling
                      system of AMIGA OS. Every started file will be
                      infected. All synchron dos commands are affected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: A trapvector in the vectorbase will be changed

Damage..............: Permanent damage:
                      - none

                      Transient damage:
                      - The stealth/fileinfect engine performs a wrap
                        around copy of the originalfile as we saw it
                        already in the BEOL3 virus, which source was
                        made public by the programmer.

Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - infecting a file

Particularities.....: The crypt/decrypt routines are not 100% aware of processor
                      caches. The packet handling works in even on the new developer
                      OS versions, but some codes have problems with task functions.

                      The virus is incompatible to the new versions of EXEC,
                      as it uses some commands only legal in V37-V41 versions
                      of the task handling.

                      The virus tunnels doscall watcher like SnoopDos etc. by
                      using only lowlevel packet routines.
Similarities........: The link method has been seen in the BEOL3 linkvirus
                      already. A new hunkheader will be added and the origfile
                      will be seen as datahunk. In this way the virus doesnt
                      need to perform a errorfull hinkcorrection. The first
                      codehunk contains the virus itself.

Stealth.............: Second working directory and file stealth code in a virus.

Armouring...........: The virus is not armoured with a special tricky crypting
                      code. By adding the strings "CopyCat Decruncher 1.01"
                      and "FLK!" and "-TRSi-" the virusprogrammer wanted
                      probably hide his actions as the first 20 bytes of the
                      hunk could really look like an unpacker.

                      Some parts of the code will be manipulated online (data
                      reuse) and some functions refuses to work properly in
                      a testsuite.

Specialities........: As always the virus contains a crypted part:

                      'The Bastard is Back!',$0A
                      'The Hitch-Hiker',$0A
                      '- Version 4.11 ',$0A
                      'Greetings going like a scrolltext in the sky to:'
                      'Georg, Heiner, Markus, Johann, Pius, Zib, Ariel,'
                      'InFekt, UFO and all the guys on #amielit'
                      'Not yet deactivated by Flake!'

                      The last string depends probably on my removal code
                      for the hitchhiker 3 linkvirus, which overwrote parts
                      of the virus with a special other string.

--------------------- Agents -------------------------------------------

Countermeasures.....: VT 2.95, VW 6.5
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 01.03.1997.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Mar, 01. 1997
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of HitchHiker 4.11 Virus =========================

[Go back]