------------------------
Amiga Virus Encyclopedia
Hitch-Hiker v4.23 Virus
------------------------
-----------------------------------------------------------------------
Entry...............: HitchHiker 4.23
Alias(es)...........: HitchHiker 4
Virus Strain........: -
Virus detected when.: September 1997
              where.: Germany, Denmark and England
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: ca. 2912 Bytes
                      2. Length in RAM: 3200 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04+ (V37-V40)
Computer model(s)...: all models/processors (MC68000-MC68060)
                      The virus has problems with higher processors and
                      OS versions.
--------------------- Attributes ---------------------------------------
Easy Identification.: -
Type of infection...: - linkvirus. It changes the whole file into a two-hunk
                        file and copies 2908 bytes from the file start to
                        the end.
                      Self-identification method in files:
                      - checks for $DEAD at a special file position. In this
                        way the stealth mechanism locates the infected
                        files, too.
                      Self-identification method in memory:
                      - tests for the changed jump command of
                        Exec PutMsg()
                      System infection:
                      - The entry jump of Exec PutMsg() will be patched
                        to a trap code.
                      - A new trap code will be installed.
                      - tries to modify entry points of the bsdsocket.library,
                        which is used by connection tools like AmiTCP and Miami.
                      Infection preconditions:
                      - HUNK_HEADER is found
                      - device is validated
                      - the file to be infected is bigger than 2908 bytes
                        (exact virus length)
                      - 10 free disk blocks
Infection Trigger...: The infection is based on the packet handling
                      system of AmigaOS. Every started file will be
                      infected. All synchronous DOS commands are affected.
                      Storage media affected:
                      all DOS devices
Interrupts hooked...: A trap vector in the vector base will be changed
Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - The stealth/file-infect engine performs a wrap-around
                        copy of the original file, as already seen in the
                        BEOL3 virus, whose source was made public by its
                        programmer.
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - infecting a file
Particularities.....: The crypt/decrypt routines are not 100% aware of processor
                      caches. The packet handling works even on the new developer
                      OS versions, but some code has problems with task functions.
                      The virus tunnels DOS-call watchers like SnoopDos etc. by
                      using only low-level packet routines.
Similarities........: The link method has already been seen in the BEOL3
                      linkvirus. A new hunk header is added and the original
                      file is treated as a data hunk. In this way the virus does
                      not need to perform an error-prone hunk correction. The
                      first code hunk contains the virus itself.
Stealth.............: The second virus with working directory and file stealth
                      code.
Armouring...........: The virus is not armoured with special tricky crypting
                      code.
Specialities........: As always the virus contains a crypted part:
                      "LHALZXZOOZIP"
                      "bsdsocket.library"
                      "POST"
                      "DATA"
                      "QUIT"
                      "The Hitch-Hiker 4.23 - Generation #00001036"
                      The first string is for the special ability to keep the
                      files infected even if they get crunched. This trick, which
                      was used to remove common PC stealth linkviruses, is not
                      working here.
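To make the structural indicators from the "Type of infection" and "Similarities" entries concrete, the following Python scanner is an added example (not the encyclopedia's own tooling, and it contains no code from the virus): it parses the AmigaOS hunk header and reports whether a file shows the two-hunk code+data layout with a first code hunk of about 2908 bytes, and optionally whether a $DEAD word sits at a given offset. The entry does not state the marker's file position, so the scanner takes it as a parameter; the ±16 byte size tolerance and the constructed sample files are assumptions.

```python
import struct
# AmigaOS hunk block ids; VIRUS_LEN is from the entry, the $DEAD marker offset is not given there
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_RELOC32, HUNK_END = 0x3F3, 0x3E9, 0x3EA, 0x3EC, 0x3F2
VIRUS_LEN = 2908  # exact virus length (bytes copied from file start to file end)
def parse_hunks(data):  # -> [(hunk_type, payload bytes)] or None if not a hunk executable
    u32 = lambda off: struct.unpack_from(">I", data, off)[0]
    if len(data) < 4 or u32(0) != HUNK_HEADER:
        return None
    off = 4
    while u32(off):  # skip resident-library name table (length-prefixed names, 0 ends)
        off += 4 + u32(off) * 4
    off += 16 + (u32(off + 12) - u32(off + 8) + 1) * 4  # skip table size/first/last + sizes
    hunks = []
    while off + 4 <= len(data):
        kind = u32(off) & 0x3FFFFFFF  # memory-type flags live in the top bits
        if kind in (HUNK_CODE, HUNK_DATA):
            n = u32(off + 4) * 4
            hunks.append((kind, data[off + 8:off + 8 + n]))
            off += 8 + n
        elif kind == HUNK_RELOC32:  # (count, hunk number, offsets...) groups until a zero count
            off += 4
            while u32(off):
                off += 8 + u32(off) * 4
            off += 4
        elif kind == HUNK_END:
            off += 4
        else:
            break  # symbol/debug/bss hunks are not needed for this check
    return hunks
def infection_indicators(data, marker_offset=None):  # which of the entry's indicators appear
    hunks = parse_hunks(data)
    if not hunks:
        return []
    found = []
    if len(hunks) == 2 and hunks[0][0] == HUNK_CODE and hunks[1][0] == HUNK_DATA:
        found.append("two-hunk code+data layout")
    if abs(len(hunks[0][1]) - VIRUS_LEN) <= 16:  # +-16 byte tolerance is an assumption
        found.append("first code hunk is virus-sized")
    if marker_offset is not None and data[marker_offset:marker_offset + 2] == b"\xde\xad":
        found.append("$DEAD marker present")
    return found
def build_hunk_file(hunks):  # minimal hunk executable from (type, payload); constructed test data
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(hunks), 0, len(hunks) - 1)
    out += b"".join(struct.pack(">I", len(p) // 4) for _, p in hunks)
    for kind, p in hunks:
        out += struct.pack(">II", kind, len(p) // 4) + p + struct.pack(">I", HUNK_END)
    return out
# Constructed samples: "infected-like" has the layout the entry describes but holds only 68k NOPs
INFECTED_LIKE = build_hunk_file([(HUNK_CODE, b"\xde\xad" + b"\x4e\x71" * 1453), (HUNK_DATA, b"\0" * 64)])
CLEAN = build_hunk_file([(HUNK_CODE, b"\x4e\x75" * 2)])  # two RTS instructions
```

In the constructed sample the first code hunk's payload starts at file offset 36, which is where its $DEAD word was placed; on a real file the marker offset would have to come from analysis of the sample.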
--------------------- Agents ----------------------------------------------
Countermeasures.....: VT 3.00, AntiBeol 1.33, FastKill and VW 6.7 or above
Standard means......: -
--------------------- Acknowledgement -------------------------------------
Location............: Hannover, Germany 26.09.1997.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Sep, 29. 1997
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication
===================== End of HitchHiker 4.23 Virus =========================