amiga-news ENGLISH VERSION
.
Links| Forum| Kommentare| News melden
.
Chat| Umfragen| Newsticker| Archiv
.

[Login] [Registrieren] [Passwort vergessen?]

< Nächste MeldungVorige Meldung >
30.Aug.2001
Jan Andersen (E-Mail)


Virus Help Denmark: Safe Version 16.5
Von dem Virendetektor 'Safe' ist Version 16.5 erschienen. Hier die Details:

A new update of "Safe" has been released today. Also the programmer of Safe has very big problem with the new 'Hitch-Hiker 5.00' virus. But we are working to make recog. for the virus in xvs.library. I have included the test of 'Hitch-Hiker 5.00' at the button.

Info about the new update of Safe:

Name: Safe v16.5
Archive name: Safe.lha
Archive size: 35.456 bytes
Release date: 30 August 2001
Programmer: Zbigniew Trzcionkowski

News is v16.5:
  • added possibility to change name of safe on installation. It was necessary - new viruses like HH50 and SMEG2b refuse to infect Safe file. This trend will surely remain, so now Safe gives the user the easy way avoid that. Big thanks for Antonio Noguera, who did this improvement! This is piece of good work - even better I expected!
  • removed some outdated info from html documentation Note that the most useful information is here and in NewShit.guide. Thanks to Michael Hendren for paying attention.
  • removed SMEG2/PENETRATOR removals as xvs.library recognizes them now
  • added analyze of HitchHiker5.00 the most advanced polymorphic bastard in the Amiga universe
Download shortcut: http://home4.inet.tele.dk/vht-dk/amiga/safe/safe.htm

=== Start of HitchHiker 5.00 Virus ===

Entry: HitchHiker 5.00
Alias(es): -
Virus Strain: Smeg2
Virus detected when: August 2001
where: Aminet
Classification: Linkvirus,memory-resident, not reset-resident
Length of Virus: 1. Length on storage medium: c.a. 3720 Bytes
Has most advanced metamorphic decoders seen for Amiga and uses slow polymorphism!
2. Length in RAM: 8588 Bytes

--- Preconditions ---

Operating System(s): AMIGA-DOS Version/Release.....: 2.04+ Computer model(s): all models/processors (MC68000-MC68060)

--- Attributes ---

Easy Identification: -

Type of infection:
  • Self-identification method in files:
    - via unused bits visible in dos flags
  • Self-identification method in memory:
    - checks for 'HH5' process
  • System infection:
    - A new process entitled 'HH5' will be created and this is the only visible change in the system. That process infects files using the known Smeg code, but the way of getting targets is new.
    - The virus patches return address from Wait() call of device's tasks. This is very clever idea which lets the virus patch devices which's code is placed even in ROM. The LOCATE_OBJECT and EXAMINE_NEXT packets will be stolen.
  • Infection preconditions:
    - HUNK_CODE is found
    - device is validated
    - at least 6 free blocks
    - filename does not start with "vir" and "saf"
    (case independant check)
    - file is bigger than 4190 bytes
    - file is smaller than 100377 bytes
Infection Trigger:
  • The infection is based on the packet handling of AMIGA OS. Every started or listed file can be infected.
Storage media affected:
  • all DOS-devices
Interrupts hooked:
  • None
Damage:
  • Permanent damage: - none
  • Transient damage: - none
Damage Trigger:
  • Permanent damage: - none
  • Transient damage: - none
Particularities:
  • Uses slow polymorphism! Only this little fact mislooked by Jan Erik Olausen (and Jan Andersen) made filedetection in xvs.library the biggest AV joke seen for Amiga computers ever! At the moment xvs.library detects 3 variants of virus from several millions possible!
  • The stack patches are done very clever and the code is flexible enough to handle differences between OS versions (including newer than 3.1). Most of code is equal to first SMEG virus. If the accessed file starts with the string "VIR" or "SAF" (case independant), the file will be not infected.
Similarities:
  • It could be seen as third kind of SMEG2, but the polyengine made it one of the most advanced viruses for Amiga.
Stealth:
  • None. The virus does not put infected file length like BOBEK viruses to ExNext's FIB, so it is likely that under controll of virus user will cut files. Salvage will be never possible as it was for HH4.11 which's files several times appeared in truncated form due to it's stealth... :-)
Armouring:
  • Uses so called HAVOC polyengine. This is the best such engine in Amiga virus at the moment. The decoders are placed after the decoder block, and the loop could contain very much logical stuff. The decoders are made metamorphically and are built of various jumps backward and forward.
    Such decoders can be detected only in alghorythmic way. Detection of this virus is impossible with technics like breaking the cryptings (lot of stuff) and tracing (entry point!).
    The decoder is generated on virus startup, so after reboot files are infected always with new decoders.
Comments:
  • The virus contains text: HAVOC
I have been working with one copy of HH5.0. Even there really exist clones of HH5.0 I think that if the polyengine detection will be working for one, will be good for others.

--- Acknowledgement ---

Location: Pawlowice, Poland
Classification by: Zbigniew Trzcionkowski
Documentation by: Zbigniew Trzcionkowski
Date: August 2001

Information Source: virus disassembly, SMEG1 source code
Copyright: This document is public domain.

=== End of HitchHiker 5.00 Virus ===
(ps)

[Meldung: 30. Aug. 2001, 17:09] [Kommentare: 1 - 30. Aug. 2001, 18:23]
[Per E-Mail versenden]  [Druck-Version]  [ASCII-Version]
< Nächste MeldungVorige Meldung >

.
Impressum | Datenschutzerklärung | Netiquette | Werbung | Kontakt
Copyright © 1997-2019 by amiga-news.de - alle Rechte vorbehalten.
.