- Hitch-Hiker-2-Virus Link

  Archives known to be infected:
      DMS 2.40 update
      DeluxeGalage  Version no. unknown
  File size increase: 1848-1908 bytes, depending on $DFF007
  Requires KS 2.04
  Hidden vectors: LoadSeg, Write
  Changed: LastAlert $BADCODED
  Not reset-resistant
  It does not show itself.
  Encoding depends on $DFF007.

  Decoded, you can read in the link part:
      54686520 48697463 682d4869 6b65720a   The Hitch-Hiker.
      47656e65 72617469 6f6e3a20 30303030   Generation: 0000
      30313233 0a2d2056 65727369 6f6e2032   0123.- Version 2
      2e30310a 0a0a5468 616e6b73 20666f72   .01...Thanks for
      20746865 20526964 652c204d 69737465    the Ride, Miste
      7221210a 00000000                     r!!.....

  Installation in memory:
      LastAlert (202(a6)) is checked for $ABBAFAB4 and $BADCODED.
      If yes -> end.
      LoadSeg and Write will be hidden, in LastAlert BADCODED is written.

  Link in file after first hunk:
      Disk validated and min. #10 blocks free
      File executable (3F3)
      Code hunk is found (3E9)
      Filename is NOT tested for certain characters
      In the virus code a maximum size limit is found, but this limit
      was exceeded MANY TIMES on a 68040 during a test reproduction.
      move.l 4,a6 (6 bytes), move.l 4.w,a6 (4 bytes) or RTS is found in
      the first hunk. The difference from this point to the original
      end of the first hunk is not bigger than $7FFF (for move) or $7F
      (for RTS).
      If these conditions are fulfilled, a move.l 4 command is replaced
      by a BSR command ($6100uvwx). If the original command was 6 bytes
      long, a NOP is added to fill up. The RTS command is replaced by a
      BRA.s command ($60uv). It is possible that MULTIPLE jumps are
      created.
      On removal, VT tries to set move.l or move.w depending on whether
      a NOP is found. The BRA.s command should be replaced with an RTS
      by VT (also multiple).
      Multiple links to one file could NOT be created.

  Hint 1: During testing, defective files were also created. VT should
  cancel the removal procedure and offer only deletion.
  Hint 2: If your hard disk is infected all over, please go to
  Sp->File->Sp, choose a subdirectory (c for instance), then click
  DirFTest. After this, continue with further subdirectories.

--------------------------------------------------------------
Translated to English by Frank Cieslewicz © 2001 VHT-Denmark Org.
Test by Heiner Schneegold.
--------------------------------------------------------------
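The check-and-restore step described under "Link in file after first hunk", as an added Python sketch that is not VT's code: it reads the first $3E9 hunk of a $3F3 file, flags BSR.w/BRA.s instructions whose target lies 1848-1908 bytes before the hunk end, and writes back move.l 4 or RTS. It assumes the branch lands exactly at the original end of the hunk; the function names and the sample file are constructed for illustration, and a word-by-word scan can also match data, so hits are candidates only.

```python
import struct

GROWTH = range(1848, 1909, 2)          # size increase stated on the page; 68k targets are even
NOP, RTS = b"\x4e\x71", b"\x4e\x75"
MOVE_W = b"\x2c\x78\x00\x04"           # move.l 4.w,a6 (4 bytes)
MOVE_L = b"\x2c\x79\x00\x00\x00\x04"   # move.l 4,a6   (6 bytes)

def first_code_hunk(data):
    """Return the body of the first hunk of a $3F3 file if it is a $3E9 code hunk."""
    if struct.unpack_from(">I", data, 0)[0] != 0x3F3:
        raise ValueError("not an executable ($3F3 missing)")
    pos = 4
    while (n := struct.unpack_from(">I", data, pos)[0]):   # resident library names
        pos += 4 + 4 * n
    _, first, last = struct.unpack_from(">III", data, pos + 4)
    pos += 16 + 4 * (last - first + 1)                     # skip the hunk size table
    kind, longs = struct.unpack_from(">II", data, pos)
    if kind & 0x3FFFFFFF != 0x3E9:
        raise ValueError("first hunk is not a code hunk ($3E9)")
    return data[pos + 8 : pos + 8 + 4 * (longs & 0x3FFFFFFF)]

def find_redirects(code):
    """List (offset, kind) of forward branches landing 1848-1908 bytes before the hunk end."""
    hits = []
    for off in range(0, len(code) - 3, 2):
        if code[off] == 0x61 and code[off + 1] == 0:            # BSR.w $6100uvwx
            kind, disp = "bsr", struct.unpack_from(">h", code, off + 2)[0]
        elif code[off] == 0x60 and 0 < code[off + 1] < 0x80:    # BRA.s $60uv
            kind, disp = "bra.s", code[off + 1]
        else:
            continue
        if disp > 0 and len(code) - (off + 2 + disp) in GROWTH:
            hits.append((off, kind))
    return hits

def undo_redirects(code, hits):
    """Write back RTS, or move.l 4 in its 6-byte form when a NOP pad follows the BSR."""
    out = bytearray(code)
    for off, kind in hits:
        padded = out[off + 4:off + 6] == NOP       # a 6-byte original leaves a NOP pad
        new = RTS if kind == "bra.s" else (MOVE_L if padded else MOVE_W)
        out[off:off + len(new)] = new
    return bytes(out)

def constructed_sample():
    """Constructed file: 20-byte hunk with both patches, 1848 zero bytes as stand-in tail."""
    body = bytes.fromhex("610000124e717000600a" + "7000" * 5) + bytes(1848)
    n = len(body) // 4
    return struct.pack(">8I", 0x3F3, 0, 1, 0, 0, n, 0x3E9, n) + body + struct.pack(">I", 0x3F2)
```

This only reverts the entry patches; shortening the hunk and correcting the size fields is not shown, and a file with unexpected hits is better deleted than repaired, as Hint 1 says.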