This variant of the Hitchcock virus was first found in Joensuu, Finland. The virus was in fact discovered in the middle of 1992, but it took until March 1993 for a sample of it to reach the laboratory for examination.
Hitchcock.1238 is a virus which spreads quite efficiently. The code of the original Hitchcock virus has been modified a little; the main purpose seems to have been to change the code enough that scanner-type anti-virus programs could no longer recognize it. In any case, F-Secure's F-PROT 2.02, which had already been released in February 1992, was able to find the virus with all of its search methods. The only significant changes in the new variant have been made to the activation routines.
The most important alterations separating the new variant from the original Hitchcock are the decrease in size and a change in the "Are you there?" call the virus uses. The original virus checks whether it is already installed in memory by issuing a call through an interrupt it hijacks, INT 21h with AX=4BFEh. If the virus is already resident, it recognizes the call and answers by returning the value 1234h in the AX register. The new variant functions identically, but the call it uses has been changed to INT 21h with AX=4BFFh. Neither of these function numbers is normally used.
Examination of the virus code leads one to the conclusion that the
author of this new variant has probably had the source code of the
original virus available to him or her.
The virus stays resident in memory, where it reserves about 3.5 kilobytes for itself. The reduction in available memory can be observed with the MEM command, although MEM does not show the name of the program that causes it. Besides interrupt 21h, the virus also hijacks interrupt 1Ch for its own use.
Hitchcock.1238 checks that the version number of the computer's DOS is
at least 2.0. Otherwise it will not spread.
The virus infects every COM file that is executed, provided its size falls between 1288 and 64000 bytes. It does not trust the file-name extension, but checks the program type by examining the first two characters of the file. The virus is able to bypass a read-only attribute set with the ATTRIB command, but, since it does not install a critical-error handler, executing a COM file from a write-protected diskette produces the error message "Write protect error".
The virus does not alter the time stamp of an infected program, apart from the 'seconds' field, into which it writes the value 20 after completing the infection. The virus uses this marker to identify files which have already been infected, and consequently it does not infect files whose 'seconds' field already contains the value 20. DOS's DIR command does not display the seconds field at all in a directory listing.
The virus increases the size of infected files by 1238 bytes. This change is visible in the directory listing, as the virus contains no stealth routines. The viral code is placed at the beginning of an infected file, and the file's original first 1238 bytes are moved to the end of the file.
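The three infection indicators given above (a fixed growth of 1238 bytes, the 'seconds' marker of 20 in the time stamp, and the prepend-and-relocate file layout) can be turned into a simple triage and repair script. The following is an added example, not F-Secure's or F-PROT's code; it assumes the layout is exactly "viral code, then the host from byte 1238 onwards, then the host's original first 1238 bytes", and the sample files it scans are constructed from filler bytes, not virus code.

```python
"""
Heuristic triage for Hitchcock.1238-style COM infections.

Added example (not F-Secure's or F-PROT's code). It checks the indicators
described in the text:
  * an infected file has grown by exactly 1238 bytes, so a host that was
    1288..64000 bytes long is now 2526..65238 bytes long;
  * the 'seconds' field of the modification time is set to 20 as the
    already-infected marker;
  * the viral code sits at the start of the file and the host's original
    first 1238 bytes have been moved to the end.
The "infected" sample built below uses zero bytes as a placeholder for the
viral code; no virus code is involved.
"""
import os
import tempfile
from datetime import datetime
from pathlib import Path

VIRUS_LEN = 1238                   # growth of an infected file (from the text)
HOST_MIN, HOST_MAX = 1288, 64000   # host sizes the virus is willing to infect
MARKER_SECONDS = 20                # 'seconds' value used as the infection marker


def looks_infected(path: Path) -> bool:
    """Flag a COM file whose size range and time stamp both match the indicators."""
    st = path.stat()
    size_ok = HOST_MIN + VIRUS_LEN <= st.st_size <= HOST_MAX + VIRUS_LEN
    seconds = datetime.fromtimestamp(st.st_mtime).second
    return size_ok and seconds == MARKER_SECONDS


def recover_original(infected: bytes) -> bytes:
    """Undo the prepend-and-relocate layout.

    Assumption (from the description): the file is
        viral code (1238 bytes) + host[1238:] + host[:1238]
    so the host is rebuilt from the last 1238 bytes plus the middle section.
    """
    if len(infected) < 2 * VIRUS_LEN:
        raise ValueError("too short to hold viral code plus relocated host bytes")
    head = infected[-VIRUS_LEN:]            # host's original first 1238 bytes
    tail = infected[VIRUS_LEN:-VIRUS_LEN]   # remainder of the host, unchanged
    return head + tail


def build_infected_image(host: bytes) -> bytes:
    """Constructed sample: 1238 zero bytes stand in for the viral code."""
    filler = b"\x00" * VIRUS_LEN
    return filler + host[VIRUS_LEN:] + host[:VIRUS_LEN]


def set_mtime_seconds(path: Path, seconds: int) -> None:
    """Rewrite only the 'seconds' field of a file's modification time."""
    st = path.stat()
    t = datetime.fromtimestamp(st.st_mtime).replace(second=seconds, microsecond=0)
    os.utime(path, (t.timestamp(), t.timestamp()))


def demo() -> dict:
    """Create a clean and a constructed 'infected' COM file, scan, and repair."""
    host = bytes(range(256)) * 10          # 2560-byte constructed host program
    work = Path(tempfile.mkdtemp())
    clean = work / "clean.com"
    clean.write_bytes(host)
    set_mtime_seconds(clean, 42)           # any value other than the marker
    suspect = work / "suspect.com"
    suspect.write_bytes(build_infected_image(host))
    set_mtime_seconds(suspect, MARKER_SECONDS)
    flagged = sorted(p.name for p in work.glob("*.com") if looks_infected(p))
    repaired = recover_original(suspect.read_bytes())
    return {"flagged": flagged,
            "repair_ok": repaired == host,
            "growth": suspect.stat().st_size - len(host)}


if __name__ == "__main__":
    print(demo())
```

The size-plus-seconds check is only a heuristic: an uninfected file can legitimately carry a time stamp with 20 seconds, so a hit should be confirmed by a scanner with a proper signature before any file is rewritten. Note also that on a FAT volume the seconds field is stored with two-second resolution, so a marker of 20 survives the round trip, which is why this kind of marker worked for the virus.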
The Hitchcock virus activates after having been resident in memory for 4 minutes and 7 seconds. It then begins to play the theme from the Hitchcock television series. The tune is quite easily recognizable and lasts about thirty seconds. The music goes on endlessly, with a pause of a couple of seconds between the end and the restart of the theme.
In the original version of the virus, the music routine was activated
only if the virus was executed during August. This check has been
removed from the new version. As a result, Hitchcock.1238 is quite
obvious and very easy to spot. Because of this it is never likely to
become very common.
The music routine runs as part of the System Timer Tick interrupt (1Ch) handler, which receives a slice of processor time 18.2 times a second. Because of this, the music is played entirely in the background, without disturbing the execution of other applications in any way. The music routine keeps working even when the virus is running in the background under Windows.
The virus code contains no text strings and is not encrypted in any way. From a technical point of view, the code has been written quite well, if somewhat wastefully.