Classification

Category :

Malware

Type :

Virus

Aliases :

Hitchcock

Summary

The activation effect of this virus is obvious - it may play a tune from the Hitchcock TV-series some time after becoming resident in memory.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant:Hitchcock.1238

Origin: Finland?

An initial finding of this variant of the Hitchcock virus was made in Joensuu, Finland. The virus was, in fact, discovered in the middle of 1992, but it took until March 1993 for a sample of it to reach examination.

Hitchcock.1238 is a virus which spreads quite efficiently. The code of the original Hitchcock virus has been modified a little - the main purpose seems to have been to change the code to a degree where scanner-type anti-virus programs could no longer recognize it. In any case, F-Secure' F-PROT 2.02, which was released already in February 1992, was able to find the virus with all of its search methods. The only significant changes in the new variant have been made to the activation routines.

The most important alterations separating the new variant from the original Hitchcock are the decrease in size and a change in the "Are you There" -call the virus uses. The original virus checks whether it has already been installed in memory by calling an interrupt it hijacks, the INT 21h / AX=4BFEh. If the virus is already resident in memory, it recognizes the call and answers by returning the value 1234h in the AX register. The new variant functions identically, but the interrupt it uses has been changed to INT 21h / AX=4BFFh. Neither of these interrupts is normally used.

Examination of the virus code leads one to the conclusion that the author of this new variant has probably had the source code of the original virus available to him or her.

The virus stays resident in memory, of which it reserves about 3.5 kilobytes for itself. The reduction of memory can be observed by using the MEM command, although this does not show the name of the program that causes it. Besides the interrupt 21h, the virus hijacks also the interrupt 1Ch for its own use.

Hitchcock.1238 checks that the version number of the computer's DOS is at least 2.0. Otherwise it will not spread.

The virus infects every COM file that is executed, provided its size falls between 1288 and 64000 bytes. It does not trust the file-name appendix, but checks the program type by examining the first two characters in the file. The virus is able to bypass a Read-only- protection set by using the ATTRIB command, but, since it does not install a critical-error handler, the execution of a COM file from a write-protected diskette produces the error message "Write protect error".

The virus does not alter the time stamp of an infected program, aside from the 'seconds' field, into which it sets the value 20 after having completed the infection. The virus uses this marker to indicate a file which has already been infected, and, consequently, it does not infect files whose 'seconds' field in the original creation date contains the value 20. A directory listing does not show seconds at all when DOS's DIR command is used.

The virus increases the size of infected files by 1238 bytes. This change is visible in the directory listing - the virus does not contain stealth routines. The viral code is placed in the beginning of an infected file, whose first 1238 bytes are moved to the end of the file.

The Hitchcock virus activates after having been resident in memory 4 minutes and 7 seconds. After this it begins to play the theme from the Hitchcock television series. The song is quite easily recognizable and lasts about thirty seconds. The music goes on endlessly, with a pause of a couple of seconds between the finish and restart of the theme.

In the original version of the virus, the music routine was activated only if the virus was executed during August. This check has been removed from the new version. As a result, Hitchcock.1238 is quite obvious and very easy to spot. Because of this it is never likely to become very common.

The music routine functions as a part of the System Timer Tick interrupt [1Ch], which gets a slice of processor time 18.2 times a second. Because of this, the music is played completely on the background, without disturbing the execution of other applications in any way. The music routine functions even on Windows background.

The virus code contains no texts, and neither has it been encrypted in any way. From a technical point of view, the code has been written quite well if somewhat wastefully.