|Creator||Dr. Strobe and Papa Hacker|
|Date Discovered||circa 1986|
|Place of Origin||Germany|
|Source Language||Basic, Assembly|
|Infection Length||2,030 bytes|
When BHP is executed, it loads itself into a block of memory usually reserved for I/O devices. The virus runs itself in banked memory, which makes it invisible. After it has copied itself to memory, it restores its host program to the original size and memory location, allowing the host to run normally. BHP has a checksum, and if this checksum does not match that of the host program, it will overwrite that program in memory. The checksum misses the first three bytes of the code, which is the line number and the SYS command.
BHP checks if the virus is already running by checking the value of a byte in a specific location of the memory. If it finds this value, it will stop running, but if not, it will place its code in a non-banked memory at a low address.
Hooking the SystemEdit
It hooks the MAIN, NMI, CBINV, RESET, ILOAD and ISAVE vectors to point to the virus. Hooking the first four ensures the virus will not lose control of the system if it is restarted. The last two ensure the virus is run whenever a file was loaded or saved. When the vectors have been hooked, the code of the host program is run.
The virus calls its infection routine whenever ILOAD or ISAVE are used. ILOAD is used whenever a file is accessed for the first time, a directory listing is made or wildcards are used in a search. Whether or not any file is really loaded, the virus will call its infection routine. ISAVE is used whenever a file is saved.
To begin infection, the virus first checks if the requested device is a disk drive. If the ISAVE vector has been used, it will open a file that has just been saved, otherwise it will be the first file in a directory listing. The virus checks if the file is a Basic program by checking the first byte of the program and compares it against its own SYS command. If it finds its SYS command, it will look into the file further by comparing another 27 bytes. If these 27 bytes match, it considers the file infected.
When BHP finds an uninfected file, it switches to reading data from the hardware cache. It checks the disk to make sure the directory exists on track 18 and that the file does not exist on this track. The virus then checks the track list for free sectors, starting with the file to be infected. When it finds eight sectors on one track, it reserves the eight tracks for itself and the host. The virus copies the host program to the last sector, while the first and remaining sectors get the virus code.
The virus has many different methods of hiding its presence on the computer. It makes use of the Commodore 64's way of banking memory to hide itself in the memory. The way BHP searches through the disk for free space to place itself and its new host also saves a great deal of time and very audible disk reads, as many DOS viruses used the end of the disk to place some additional code. Furthermore, the virus does not update the block count in the directory sector.
BHP is a first in more than one category. In addition to being the first stealth virus, it is also the first cluster virus. It is also the first Commodore 64 virus.
The virus checking for another copy of itself while running by reading the value in an area of memory ended up for some people to be a good way to prevent it from running on the computer. If the value was placed there manually before an infected program was run, the virus would not work. Such techniques were used to prevent viruses on the later Commodore Amigas.
The virus was probably coded by more than one author. One researcher noticed some differences in the coding style of a few of the virus's functions.
Peter Ferrie, Symantec Security Response. Virus Bulletin, Virus Analysis Time Machine: BHP. 2005.01
Peter Szor. The Art of Computer Virus Research and Defense, Chapter 3, Section 5.1, pp. 57-58. Addison-Wesley, Pearson Education, Symantec Press; Upper Saddle River, New Jersey: 2005. ISBN: 0321304543.