------------------------
Amiga Virus Encyclopedia
Hitch-Hiker 2 Link Virus
------------------------
- Hitch-Hiker-2-Virus Link
Archives known to be infected:
DMS 2.40 update
DeluxeGalage, version number unknown
File size increase: 1848-1908 bytes, depending on $DFF007
Requires KS 2.04
Hidden vectors: LoadSeg, Write
Changed: LastAlert $BADCODED
Not reset-resistant
This thing doesn't show itself
Encoding depends on $DFF007
Once decoded, the following can be read in the link part:
54686520 48697463 682d4869 6b65720a The Hitch-Hiker.
47656e65 72617469 6f6e3a20 30303030 Generation: 0000
30313233 0a2d2056 65727369 6f6e2032 0123.- Version 2
2e30310a 0a0a5468 616e6b73 20666f72 .01...Thanks for
20746865 20526964 652c204d 69737465 the Ride, Miste
7221210a 00000000 r!!.....
Installation in memory:
LastAlert (202(a6)) is checked for $ABBAFAB4 and $BADCODED.
If yes -> end. LoadSeg and Write will be hidden, in LastAlert
BADCODED is written.
Link in file after first Hunk:
Disk validated and min. #10 blocks free
File executable (3F3)
Codehunk is found (3E9)
Filename is NOT tested for certain characters
The virus code contains a maximum size limit, but this limit was exceeded
MANY TIMES on a 68040 during a test reproduction.
move.l 4,a6 (6bytes), move.l 4.w,a6 (4 bytes) or RTS is found in the first hunk.
The difference from this point to the original end of the first hunk
is not bigger than $7FFF (for move) or $7F (for RTS).
If these conditions are fulfilled, a move.l 4 command is replaced by a
BSR command ($6100uvwx). If the original command was 6 bytes long
a NOP is added to fill up. The RTS command is replaced
by a BRA.s command ($60uv).
It is possible that MULTIPLE jumps are created.
On removal, VT tries to set move.l or move.w depending on whether a NOP is found.
The BRA.s command should be replaced with an RTS by VT (also multiple).
Multiple links to one file could NOT be created.
Hint 1: During testing, defective files were also created. VT should cancel
the removal procedure and offer only deletion.
Hint 2: If your hard disk is infected all over, please go to Sp->File->Sp,
choose a subdirectory (c for instance), then click DirFTest.
After this, continue with further subdirectories.
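The removal logic described above (BSR back to move.l, BRA.s back to RTS), as an added Python sketch that is not VT's own code. It assumes the caller already knows the original length of the first hunk and that the link part starts at that offset; the function name and the sample bytes are constructed for illustration, and the word-by-word scan is a heuristic that does not disassemble.

```python
import struct

MOVE_L_ABS_L = bytes.fromhex("2c7900000004")  # move.l 4,a6   (6 bytes)
MOVE_L_ABS_W = bytes.fromhex("2c780004")      # move.l 4.w,a6 (4 bytes)
NOP, RTS = bytes.fromhex("4e71"), bytes.fromhex("4e75")

def undo_patches(hunk: bytes, orig_len: int):
    """Return (restored original part of the hunk, [(offset, restored insn)]).

    orig_len (assumed known to the caller) is the first hunk's length before
    the link part was appended; only jumps landing beyond it are touched.
    """
    buf, fixes, off = bytearray(hunk[:orig_len]), [], 0
    in_link = lambda target: orig_len <= target < len(hunk)
    while off + 2 <= orig_len:
        word = struct.unpack_from(">H", buf, off)[0]
        if word == 0x6100 and off + 4 <= orig_len:              # BSR.w ($6100uvwx)
            disp = struct.unpack_from(">h", buf, off + 2)[0]
            if in_link(off + 2 + disp):
                # A NOP right behind the BSR marks the 6-byte original form.
                new = MOVE_L_ABS_L if buf[off + 4:off + 6] == NOP else MOVE_L_ABS_W
                buf[off:off + len(new)] = new
                fixes.append((off, "move.l 4,a6" if len(new) == 6 else "move.l 4.w,a6"))
                off += len(new)
                continue
        elif word >> 8 == 0x60 and 1 <= (word & 0xFF) <= 0x7F:  # BRA.s ($60uv), forward
            if in_link(off + 2 + (word & 0xFF)):
                buf[off:off + 2] = RTS
                fixes.append((off, "rts"))
        off += 2
    if not fixes:  # nothing recognisable (e.g. a defective file): refuse to repair
        raise ValueError("no link patches found; do not rewrite this file")
    return bytes(buf), fixes

# Constructed sample: a 22-byte clean hunk, then the same hunk patched as described,
# followed by a zero-filled placeholder standing in for the link part.
SAMPLE_CLEAN = bytes.fromhex("4e714e71" "2c7900000004" "7000" "2c780004" "7000" "4e75" "4e71")
SAMPLE_INFECTED = bytes.fromhex("4e714e71" "610000104e71" "7000" "61000008" "7000" "6002" "4e71") + bytes(1848)

if __name__ == "__main__":
    restored, fixes = undo_patches(SAMPLE_INFECTED, len(SAMPLE_CLEAN))
    print(fixes, restored == SAMPLE_CLEAN)
```

A 4-byte move.l 4.w,a6 that was originally followed by a genuine NOP would be restored as the 6-byte form, which is one way a repair can go wrong and why a failed check should end in deletion rather than a rewrite.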
--------------------------------------------------------------
Translated to English by Frank Cieslewicz © 2001 VHT-Denmark
Org. Test by Heiner Schneegold.
--------------------------------------------------------------
Virus Help Team Denmark & Canada Copyright © All rights reserved www.vht.dk