[comp.sys.mac] Hpat virus - it is a slightly modified nVIR 'B'.

alexis@ccnysci.UUCP (Alexis Rosen) (01/07/89)

Bob Murrow sent me a copy of the Hpat virus two days ago. I have taken
it apart and these are my findings.


Hpat is, in essence, a slightly modified version of nVIR type 'B' (as
described by myself and John Norstad). The differences are trivial:

1) The CODE resource #256, which contains most of nVIR's code, is
   renumbered to CODE #255.
2) Various references to CODE 256 are changed to CODE 255.
3) Various references to resource type 'nVIR' are changed to 'Hpat'.

There is one minor difference that I'm not 100% sure about. It doesn't
seem serious, however. In nVIR 'B', resource 'nVIR' 2 is used to hold
the original jump table entry for code segment 1 (which is replaced by
the virus with an entry for its own code resource). In Hpat, however, it
is replaced with the following:
        $0200             ( possibly a segment number? )
        4EED 003A         ( JMP $003A(A5) )
        4E71              ( NOP )

This looks to me like a "loaded" jump table entry for CODE 1, but I
could be wrong. I believe that the JMP instruction might change,
depending on the particular application infected. If I'm right, then
this difference is not meaningful.


Be WARNED: RWatcher, in its default configuration, will not stop an
already-infected system from infecting new applications. It will,
however, prevent an infected app from infecting a clean system. This is
because it won't catch 'Hpat' resources or the CODE 255, but it will
catch the INIT 32. To be perfectly safe you might want to edit the RLIS
resource in RWatcher (a very nice INIT, by the way).

One thing I wonder about: Why didn't the jerk who built Hpat modify the
INIT number? If (s)he went to the trouble of changing the ID of the CODE
resource and the type of the viral resources (presumably to escape the
notice of protection programs), why not alter the INIT ID as well?

Vaccine should catch Hpat infections (but it may crash on detection
instead of putting up its dialog).


In short, Hpat will be much the same pain in the ass that nVIR is, but
it's not the really nasty virus of 1989. (That honor may be reserved for
INIT 29 or some other undiscovered bug.)

Alexis Rosen
alexis@ccnysci.uucp
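Added example, not part of Alexis Rosen's post and not RWatcher's own code: a small Python scanner that walks a classic Mac OS resource fork (the standard Resource Manager on-disk layout: 256-byte header, length-prefixed data blocks, a map with a type list and reference lists) and flags the markers the post lists, namely 'nVIR'/'Hpat' resources, CODE 256/255 and INIT 32. The rule sets are modelled as plain (type, id) pairs, which is an assumption for illustration and not RWatcher's real RLIS format. The sample forks are constructed here with dummy payloads; only the eight bytes of 'Hpat' 2 are the ones quoted in the post. Running it shows the warning about the default configuration concretely: a rule set that only watches INIT 32 reports nothing for an infected application and fires only on the infected System file, while the extended set catches both.

```python
"""Scan a classic Mac OS resource fork for the nVIR-B / Hpat markers.

Added example; the resource-fork layout is the standard Resource Manager
format, the rule sets are a simple (type, id) model (not RWatcher's RLIS),
and every sample fork below is constructed with dummy payloads.
"""
import struct

# None as the id means "any resource of this type".
DEFAULT_RULES = {(b"INIT", 32)}           # what the post says RWatcher catches by default
EXTENDED_RULES = DEFAULT_RULES | {
    (b"CODE", 256), (b"nVIR", None),      # nVIR B
    (b"CODE", 255), (b"Hpat", None),      # Hpat: CODE renumbered, type renamed
}


def build_resource_fork(resources):
    """Pack [(type, id, payload)] into the resource-fork on-disk layout.

    Header (256 bytes): data offset, map offset, data length, map length,
    then 240 reserved bytes. Each data block is a 4-byte length plus payload.
    Map: 24 reserved bytes, 2-byte type-list offset, 2-byte name-list offset,
    type list (count-1, then 8-byte entries), reference lists (12 bytes each).
    """
    data, data_offsets = bytearray(), []
    for _rtype, _rid, payload in resources:
        data_offsets.append(len(data))
        data += struct.pack(">I", len(payload)) + payload

    types = list(dict.fromkeys(rtype for rtype, _, _ in resources))  # unique, ordered
    type_list_len = 2 + 8 * len(types)
    type_entries, ref_lists = bytearray(), bytearray()
    for rtype in types:
        refs = [(k, rid) for k, (t, rid, _) in enumerate(resources) if t == rtype]
        # the reference-list offset is relative to the start of the type list
        type_entries += struct.pack(">4sHH", rtype, len(refs) - 1, type_list_len + len(ref_lists))
        for k, rid in refs:
            ref_lists += (struct.pack(">hhB", rid, -1, 0)        # id, no name, attributes
                          + data_offsets[k].to_bytes(3, "big")   # 3-byte offset into data
                          + bytes(4))                            # reserved for handle
    type_list = struct.pack(">H", len(types) - 1) + type_entries + ref_lists
    rmap = bytearray(24) + struct.pack(">HH", 28, 28 + len(type_list)) + type_list

    data_off = 256
    header = struct.pack(">IIII", data_off, data_off + len(data), len(data), len(rmap)) + bytes(240)
    return bytes(header + data + rmap)


def list_resources(fork):
    """Walk the resource map and return (type, id, payload) for every resource."""
    data_off, map_off, _dlen, _mlen = struct.unpack_from(">IIII", fork, 0)
    (type_list_off,) = struct.unpack_from(">H", fork, map_off + 24)
    tl = map_off + type_list_off
    (ntypes_minus_1,) = struct.unpack_from(">H", fork, tl)
    out = []
    for n in range(ntypes_minus_1 + 1):
        rtype, nres_minus_1, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * n)
        for r in range(nres_minus_1 + 1):
            ref = tl + ref_off + 12 * r
            rid, _name_off, _attrs = struct.unpack_from(">hhB", fork, ref)
            doff = data_off + int.from_bytes(fork[ref + 5:ref + 8], "big")
            (length,) = struct.unpack_from(">I", fork, doff)
            out.append((rtype, rid, fork[doff + 4:doff + 4 + length]))
    return out


def scan_fork(fork, rules):
    """Return 'TYPE id' strings for every resource that matches a rule."""
    hits = []
    for rtype, rid, _payload in list_resources(fork):
        if (rtype, rid) in rules or (rtype, None) in rules:
            hits.append(f"{rtype.decode('mac_roman')} {rid}")
    return hits


# Constructed samples with dummy payloads (0x4E75 is a bare RTS); the real
# viral CODE/INIT bodies are not reproduced. 'Hpat' 2 carries the bytes
# quoted in the post.
INFECTED_APP = build_resource_fork([
    (b"CODE", 0, bytes(16)),                    # jump table (dummy)
    (b"CODE", 1, b"\x4e\x75"),                  # main segment (dummy)
    (b"CODE", 255, b"\x4e\x75"),                # viral segment, renumbered from 256
    (b"Hpat", 0, b"\x00\x00"),
    (b"Hpat", 2, bytes.fromhex("02004EED003A4E71")),
])
INFECTED_SYSTEM = build_resource_fork([(b"INIT", 32, b"\x4e\x75")])   # what lands in the System file
CLEAN_APP = build_resource_fork([(b"CODE", 0, bytes(16)), (b"CODE", 1, b"\x4e\x75")])

if __name__ == "__main__":
    for name, fork in [("infected app", INFECTED_APP), ("infected System", INFECTED_SYSTEM), ("clean app", CLEAN_APP)]:
        print(f"{name:16} default={scan_fork(fork, DEFAULT_RULES)} extended={scan_fork(fork, EXTENDED_RULES)}")
```

The scanner keys on type and ID only, deliberately not on the contents of 'Hpat' 2, since the post notes that its JMP may differ per infected application; for the same reason a practitioner extending RLIS would add the resource type and the CODE ID rather than a byte pattern.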