Virus Warning - Virus Help Team

VIRUS HELP TEAM
Denmark & Canada



Hitch Hiker 1.10 Linkvirus
  
Hi All !!

A new linkvirus appeared on 17.05. in Austria, Finland and Sweden. It's called
Hitch Hiker 1.10 linkvirus. Here is the analysis of it:


Entry...............: Hitch Hiker 1.10
Alias(es)...........: none
Virus Strain........: -
Virus detected when.: 18.05.1996
              where.: Austria, Finland
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     ca. 1700 Bytes
                      (uses a primitive polymorphic technique)
                      2. Length in RAM:                    3000 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - none

                      Self-identification method in memory:

                      - searches for $ABBAFAb4 at LastAlert(Exec)

                      System infection:
                      -  infects the following functions:
                         Dos LoadSeg(), Dos Write()

                      (library checksum will be recalculated)

                      Infection preconditions:
                       - Device must have more than 8000 sectors and
                         be smaller than $20000 bytes, or the file must
                         be bigger than $8000 bytes
                       - HUNK_HEADER and HUNK_CODE are found
                       - device is validated
                       - 10 free blocks on the device
                       - hunk_code must contain the same
                         length as in the header.

Infection Trigger...: Accessing files via LoadSeg() or Write()
                      Files containing a "." or a "-" will not be
                      infected.
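To make the infection preconditions and the name filter above concrete, here is an added example (not part of the original warning and not VirusWorkshop code) that parses the header of an Amiga hunk-format executable and reports which of the listed structural conditions a file satisfies. It examines only the first hunk, uses the standard hunk block identifiers, and builds its sample files inline; the layout and field names are assumptions for illustration.

```python
import struct

# Amiga hunk-format block identifiers (standard AmigaDOS executable format).
HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2

def _u32(data, off):
    """Read one big-endian longword; raise ValueError on a truncated file."""
    if off + 4 > len(data):
        raise ValueError("truncated hunk file")
    return struct.unpack(">I", data[off:off + 4])[0]

def parse_hunk_header(data):
    """Return (hunk sizes in longwords, offset of first hunk), or None if no HUNK_HEADER."""
    if len(data) < 4 or _u32(data, 0) != HUNK_HEADER:
        return None
    off = 4
    while True:  # resident-library name table, terminated by a zero count
        n = _u32(data, off); off += 4
        if n == 0:
            break
        off += n * 4
    first, last = _u32(data, off + 4), _u32(data, off + 8)  # skip table size
    off += 12
    sizes = []
    for _ in range(last - first + 1):
        sizes.append(_u32(data, off) & 0x3FFFFFFF)  # top two bits are memory flags
        off += 4
    return sizes, off

def check_preconditions(name, data):
    """Report which of the structural preconditions listed above hold for a file."""
    r = {"name_excluded": "." in name or "-" in name,
         "bigger_than_8000h": len(data) > 0x8000,
         "hunk_header": False, "hunk_code": False, "code_len_matches_header": False}
    try:
        hdr = parse_hunk_header(data)
        if hdr is None:
            return r
        sizes, off = hdr
        r["hunk_header"] = True
        r["hunk_code"] = _u32(data, off) == HUNK_CODE      # only the first hunk is examined
        if r["hunk_code"] and sizes:
            r["code_len_matches_header"] = _u32(data, off + 4) == sizes[0]
    except ValueError:
        pass                                               # truncated file: checks stay False
    return r

def build_sample(header_len, code_len):
    """Constructed minimal executable with one code hunk; lengths are in longwords."""
    code = b"\x4e\x75\x00\x00" * code_len  # 'rts' plus padding as the hunk body
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, header_len)
            + struct.pack(">II", HUNK_CODE, code_len) + code + struct.pack(">I", HUNK_END))
```

A file on which every structural check is True and name_excluded is False meets the listed conditions (apart from the device checks, which need the volume); a code hunk whose length disagrees with the header table is worth a closer look on its own.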

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None


Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - None

Particularities.....: The crypt/decrypt routines are partly aware of processor
                      caches. The crypt routine is non-polymorphic and
                      consists only of some logical operations. The virus
                      uses some special tricks in the file infection
                      (which is buggy) and in the library open code.
                      
Similarities........: Link-method is comparable to the method invented with
                      the infiltrator-virus. 

Stealth.............: no stealth functions found

Armouring...........: The virus uses only a single armouring technique to
                      confuse people. It only encrypts its code and uses
                      a very simple length-polymorphism code. The heuristic
                      scanner of VirusWorkshop already detects this one
                      as a virus.


Comments............: The first infected file is probably lzx121crk.lha.
                      This is the old SHOOT version of LZX1.21r with the
                      infected file. As I got reports from Austria and
                      Finland, I suppose it has gone through internet
                      channels as this file didn't appear on scene boards.


--------------------- Agents -------------------------------------------

Countermeasures.....: VW6.1 above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 19.05.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: May 19, 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication

===================== End of Hitch-Hiker 1.10 =========================


VW 6.1 (release on 19.5. in the evening hours) is able to remove this
little bastard. Special note: The heuristic scanner of VW 6.0 already
detected this one (see v-nl19.txt on the boards).

Greets
           Markus Schmall




Copyright © All rights reserved
www.vht-dk.dk