|
Virus: HareName: Hare VirusAliases: HDEuthanasia, Krsna, Krishna, RD Euthanasia Type: Description: Are you infected by the Hare virus? Hare is one of an increasing number of viruses distributed via the Internet, in the form of posts to Usenet News. It is an extremely complex virus, and triggers in August and September, overwriting the contents of hard disks. Infections have been reported worldwide. This is a resident stealth multipartite virus with antiheuristics and antiemulation tricks, encrypted with a slow polymorphic encryption layer. Hare infects COM and EXE files, MBRs of hard drives and floppy boot sectors. Infected files and boot sectors are encrypted with a slowly changing polymorphic encryption layer. Infected files are marked by setting the seconds field of the time stamp to 34. Hare will not infect files starting with 'TB' or 'F-' or files which have the letter V in their name. This is done to avoid infecting antivirus program with a self-check routine. When an infected file is run, the virus first infects the MBR of the hard drive and stays resident and is able to infect files (but not boot sectors). Hare attempts to bypass BIOS boot sector virus protection systems while infecting the MBR. When the machine is rebooted, the virus will install itself to memory from the MBR and it starts to infect also floppy boot sectors during floppy access as well as COM and EXE files. When resident, the virus occupies over 9kB of memory. Infected files will grow around 7-8kB in size, depending on the polymorphic decryptor. The polymorphic decryptor contains several conditional and unconditional jumps and several calls to do-nothing interrupts to confuse heuristics and emulation. Polymorphic encryption changes slowly, trying to make it difficult to create a large sample set with variable decryptors. Hare will attempt to hide itself in files, but it will sometimes report the infected files to be little bigger or smaller than they originally were. Hare is Windows 95 -aware: it will delete the floppy disk driver file to make itself capable of spreading to floppy disks used from Win95. After disinfecting Hare, you will need to reinstall the \WIN95\SYSTEM\IOSUBSYS\HSFLOP.PDR file from backups. Hare activates when the machine is booted on the 22nd of August and 22nd of September. At this time it displays this text:
"HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...
After this the virus attempts to overwrite the hard drive and A: and B: drives. This produces a 'Non-system disk' error, but the virus stays resident after the destruction is done - so it can still replicate if a boot floppy is inserted to start up the machine.
Hare was found in the wild in USA in May 1996 and it was apparently distributed over the internet, as infections were soon found from Canada, UK, Switzerland, Russia...in general, everywhere. VARIANT:Hare.7750 This is a newer variant which has some bugs corrected. The text message in the virus has been changed to:
"HDEuthanasia-v2" by Demon Emperor: Hare, Krsna, hare, hare...
Otherwise the virus is like the original variant.
This variant was spread in faked posts in usenet news on 26th of June, 1996. Infected files included:
VARIANT:Hare.7786 The text message in this variant has been changed to:
"HDEuthanasia-v3" by Demon Emperor: Hare, Krsna, hare, hare...
This variant was spread in faked posts in usenet news on 29th of June, 1996. Infected files included:
F-PROT Professional reliably detects all instances of the virus. The F-Hare utility will detect and disinfect infected .COM and .EXE files as well as Master Boot Records and floppy boot sectors. It will also detect if Hare is memory resident. (F-PROT Professional includes detection and disinfection for Hare with version 2.25.) It can detect and disinfect the following variants of Hare (as of August, 1996):
|
||||||