------------------------
Amiga Virus Encyclopedia
Hitch-Hiker v3.00 Virus
------------------------
--------------------------------------------------------------------------
Entry...............: Hitch Hiker 3.00
Alias(es)...........: none
Virus Strain........: -
Virus detected when.: 13.07.1996
where.: Germany, USA, ISRAEL
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: ca. 3020 Bytes
(uses a polymorphic technic)
2. Length in RAM: 8000 Bytes
--------------------- Preconditions ---------------------------------------
Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ------------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
- none
Self-identification method in memory:
- searches for $FAB4FAB4 at LastAlert(Exec)
System infection:
- infects the following functions:
Dos LoadSeg(), Dos Write()
(librarychecksum will be recalculated and it
will be tried to cheat some viruskillers)
Infection preconditions:
- HUNK_HEADER and HUNK_CODE are found
- device is validated
- 10 free blocks on the device
- hunk_code must contain the same
length as in the header.
- File must be between $1f40 and $20000
bytes (not working)
Infection Trigger...: Accessing files via LoadSeg() or Write()
It`s a typical infector. It cannot be rated as
fast infector as it only infects at the above
mentioned operations.
Storage media affected:
all DOS-devices
Interrupts hooked...: None
Damage..............: Permanent damage:
- Due to a adressacess behind the viruscode it`s
possible that trashed code results out of an
infection.
Transient damage:
- none
Damage Trigger......: Permanent damage:
- none
Transient damage:
- None
Particularities.....: The crypt/decrypt routines are partly aware of processor
caches. The cryptroutine are polymorphic and
consists of some logical stuff. The virus uses some
special things at the fileinfection (buggy) and at the
library offsetcode.
Similarities........: Link-method is comparable to the method invented with
the infiltrator-virus and the first HitchHiker viruses.
Stealth.............: no stealth function found. the only things to mention
is the library negoffset value.
Armouring...........: The virus is heavily armoured with a $100 byte long
polymorphic decryptor. Not only the registers are
changing, even the operations will be mixed. This
polymorphic routine can be seen right now as one of
the best available routine for the AMIGA. The routine
mixes a lot of codes and uses a normal polymorphic
scheme. No slow polymorphism code was found. The decrypt
header is static $100 bytes long and initialises a
circular decryption. The decryption code uses anti
heuristik stuff and only a full implented code emulation
would be able to crack this one.
The polymorphism is working in the normal scheme (with
$dff006 and $dff007 usage) and uses not the modern
technics like slow polymorphism.
("White paper" analyse of this engine can be obtained
from me or from the Virus Test Center in Hamburg. We
need special information about you before we give such
information away.)
Comments............: Maybe interesting for the reader is that the programmer
of the virus wrote some more text in it than in the last
ones:
'The Hitch-Hiker Generation: 00000308 - Version 3.00'
'Last in series.
"Dedicated to Heiner Markus ZIB and Georg"
It would be interesting to know, who this ZIB is.
--------------------- Agents ------------------------------------------------
Countermeasures.....: VT 2.86 and VW 6.2ß
above Standard means......: -
--------------------- Acknowledgement ---------------------------------------
Location............: Hannover, Germany 17.07.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: July, 17. 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
in any SHI publication
======================== End of Hitch-Hiker 3.00 ===========================
