ZeroHunt Virus


 Virus Name:  ZeroHunt 
 Aliases:     Minnow, Stealth, Zero-Hunt, Hunt 
 V Status:    Research 
 Discovered:  December, 1990 
 Symptoms:    Internal changes to .COM files 
 Origin:      United States 
 Eff Length:  416 Bytes 
 Type Code:   PRCK - Parasitic Overwriting .COM Infector 
 Detection Method:  Viruscan, AVTK, F-Prot, NAV, Sweep, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The ZeroHunt, or Minnow, virus was submitted in December, 1990 by 
       Paul Ferguson of Washington, DC.  ZeroHunt is a memory resident 
       overwriting infector of COM files, including COMMAND.COM.  This 
       virus is classified as a Stealth virus. 
 
       When the first program infected with the ZeroHunt virus is 
       executed, the virus will install itself memory resident in the 
       command environment area.  It occupies approximately 200 bytes 
       of memory and hooks a number of interrupts, including interrupt 
       21 by remapping. 
 
       Once ZeroHunt is memory resident, it waits for a .COM file to be 
       opened or executed which contains 416 or more bytes of 00h 
       characters.  These characters usually are stack space in the file, 
       and most commonly occur in EXE files which have been converted to 
       .COM files.  If the candidate .COM file contains enough 00h 
       characters, ZeroHunt will infect the file by writing its viral code 
       over the first 416 bytes of the 00h characters. ZeroHunt then 
       alters the first four bytes of the newly infected file so that upon 
       execution its viral code will execute first. 
 
       Like other Stealth class viruses, ZeroHunt will disinfect the file 
       on the fly, so that the virus cannot be detected in files if it is 
       memory resident.  Since infected files have been infected 
       internally by overwriting stack space, there will be no change in 
       infected file length. 
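
       Because file length does not change, a size check misses this kind of
       infection; comparing content against a known-clean copy does not. The
       sketch below is an added example, not code from the original entry. The
       function names and the sample bytes are assumptions made for illustration,
       and the files must be read after booting from clean media, since the
       resident virus disinfects files on the fly.

```python
import hashlib

CAVITY_LEN = 416  # effective length given in this entry (ZeroHunt B: 411)
HEADER_LEN = 4    # the entry says the first four bytes are altered

def zero_runs(data, min_len):
    """Return (offset, length) of every run of 00h bytes at least min_len long."""
    runs, start = [], None
    for i, b in enumerate(bytes(data) + b"\x01"):  # sentinel closes a trailing run
        if b == 0:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs

def check_com(baseline, current, cavity_len=CAVITY_LEN):
    """Compare a known-clean copy with the on-disk copy, read after a clean boot."""
    filled = []
    for off, length in zero_runs(baseline, cavity_len):
        nonzero = sum(1 for b in current[off:off + length] if b != 0)
        if nonzero:
            filled.append((off, nonzero))
    report = {
        "same_length": len(baseline) == len(current),
        "content_changed": hashlib.sha256(baseline).digest()
                           != hashlib.sha256(current).digest(),
        "header_changed": baseline[:HEADER_LEN] != current[:HEADER_LEN],
        "filled_cavities": filled,
    }
    report["suspicious"] = (report["same_length"] and report["header_changed"]
                            and bool(filled))
    return report

def constructed_sample():
    """Constructed test data: filler bytes only, no real program or viral code."""
    baseline = b"\xe9\x10\x00\x90" + b"\x90" * 60 + b"\x00" * 600 + b"\xc3" * 20
    modified = bytearray(baseline)
    modified[0:HEADER_LEN] = b"\xff" * HEADER_LEN        # stands in for the altered header
    modified[64:64 + CAVITY_LEN] = b"\xaa" * CAVITY_LEN  # stands in for overwritten zeros
    return baseline, bytes(modified)

if __name__ == "__main__":
    clean, changed = constructed_sample()
    print(check_com(clean, changed))
```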
 
       ZeroHunt carries no activation criteria at the present time; it 
       just replicates. 
 
       Known variant(s) of ZeroHunt are: 
       ZeroHunt B: Based on the ZeroHunt virus, this variant becomes 
                   memory resident in 1,408 bytes of reserved low system 
                   memory.  It hooks interrupts 21, 25, 26, and several 
                   others.  It infects .COM programs when they are 
                   executed provided that a block of at least 411 bytes of 
                   binary zeros can be found within the candidate 
                   program.  If the block is found, then the virus will 
                   overwrite the last 411 bytes of binary zeros in the 
                   block, and alter the first four characters of the 
                   program so that the viral code will be executed first. 
