Hi All !!
A new link virus appeared on 17.05. in Austria, Finland and Sweden. It's called
Hitch Hiker 1.10. Here is the analysis of it:
Entry...............: Hitch Hiker 1.10
Alias(es)...........: none
Virus Strain........: -
Virus detected when.: 18.05.1996
               where.: Austria, Finland
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: ca. 1700 Bytes
                         (uses a primitive polymorphic technique)
                      2. Length in RAM: 3000 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
                      - none
                      Self-identification method in memory:
                      - searches for $ABBAFAb4 at LastAlert(Exec)
                      System infection:
                      - infects the following functions:
                        Dos LoadSeg(), Dos Write()
                        (library checksum will be recalculated)
                      Infection preconditions:
                      - Device must have more than 8000 sectors and
                        be smaller than $20000 bytes, or the file is
                        bigger than $8000 bytes
                      - HUNK_HEADER and HUNK_CODE are found
                      - device is validated
                      - 10 free blocks on the device
                      - hunk_code must contain the same
                        length as in the header.
Infection Trigger...: Accessing files via LoadSeg() or Write()
                      Files containing a "." or a "-" will not be
                      infected.
Storage media affected:
                      all DOS-devices
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none
Particularities.....: The encryption/decryption routines are partly aware of
                      processor caches. The encryption routine is not
                      polymorphic and consists only of a few logical
                      operations. The virus uses some special tricks in the
                      file infection (buggy) and in the library open code.
Similarities........: The link method is comparable to the method introduced
                      with the Infiltrator virus.
Stealth.............: no stealth functions found
Armouring...........: The virus uses only a single armouring technique to
                      confuse people. It only encrypts its code and uses
                      very simple length-polymorphism code. The heuristic
                      scanner of VirusWorkshop already detects this one
                      as a virus.
Comments............: The first infected file is probably lzx121crk.lha.
                      This is the old SHOOT version of LZX1.21r with the
                      infected file. As I got reports from Austria and
                      Finland, I suppose it has gone through internet
                      channels, as this file didn't appear on scene boards.
--------------------- Agents -------------------------------------------
Countermeasures.....: VW6.1 and above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Hannover, Germany 19.05.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: May 19, 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication
===================== End of Hitch-Hiker 1.10 =========================
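As an added example (not part of the original description or of VirusWorkshop), the following Python script applies the file-level infection preconditions listed above to an AmigaDOS hunk file: HUNK_HEADER present, first hunk is HUNK_CODE, its length equals the header's size entry, file bigger than $8000 bytes, and no "." or "-" in the name. The device-level conditions (sector count, validation, free blocks) cannot be judged from file contents and are left out; the hunk-type ids are the standard AmigaDOS ones, and build_sample() produces a constructed minimal executable, not a real file.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2  # AmigaDOS hunk-type ids

def _u32(data, off):
    return struct.unpack_from(">I", data, off)[0]  # big-endian longword

def parse_hunk_header(data):
    """Return (hunk size table in longwords, offset of the first hunk), or None."""
    if len(data) < 4 or _u32(data, 0) != HUNK_HEADER:
        return None
    off = 4
    while _u32(data, off) != 0:          # resident library names, zero-terminated
        off += 4 + _u32(data, off) * 4
    off += 4
    first, last = _u32(data, off + 4), _u32(data, off + 8)
    off += 12                            # skip table size, first and last hunk number
    sizes = []
    for _ in range(last - first + 1):
        v = _u32(data, off); off += 4
        if v >> 30 == 3:                 # both flag bits set: extra flags longword follows
            off += 4
        sizes.append(v & 0x3FFFFFFF)     # strip the memory-type flag bits
    return sizes, off

def hitch_hiker_file_preconditions(name, data):
    """Evaluate the file-level preconditions listed above; True means the file qualifies."""
    result = {"name_ok": "." not in name and "-" not in name,
              "size_ok": len(data) > 0x8000,
              "hunk_header": False, "hunk_code": False, "length_match": False}
    hdr = parse_hunk_header(data)
    if hdr is None:
        return result
    sizes, off = hdr
    result["hunk_header"] = True
    if _u32(data, off) == HUNK_CODE:     # first hunk must be a code hunk
        result["hunk_code"] = True
        result["length_match"] = _u32(data, off + 4) == sizes[0]
    return result

def build_sample(code_longwords, header_size=None):
    """Constructed minimal executable with one HUNK_CODE of RTS instructions (not a real file)."""
    hs = code_longwords if header_size is None else header_size
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, hs)
            + struct.pack(">II", HUNK_CODE, code_longwords)
            + b"\x4e\x75" * (2 * code_longwords) + struct.pack(">I", HUNK_END))
```

A file for which every value comes back True meets all the file-level conditions the virus checks; a mismatch between the header size entry and the HUNK_CODE length makes the virus skip the file.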
VW 6.1 (released on 19.5. in the evening hours) is able to remove this
little bastard. Special note: the heuristic scanner of VW 6.0 already
detected this one (see v-nl19.txt on the boards).
Greets
Markus Schmall