Die Hard 2 Virus


 Virus Name:  Die Hard 2 
 Aliases:     DH2 
 V Status:    New 
 Discovered:  July, 1994 
 Symptoms:    .COM & .EXE growth; 
              decrease in total system & available free memory 
 Origin:      Republic Of South Africa 
 Eff Length:  4,000 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  AVTK, IBMAV, ViruScan, Sweep, NAV, F-Prot, 
                    NAVDX, PCScan, ChAV, 
                    AVTK/N, NShld, NAV/N, Sweep/N, IBMAV/N, Innoc, NProt, 
                    LProt 
 Removal Instructions:  See Below 
 
 General Comments: 
       The Die Hard 2, or DH2, virus was received in July, 1994.  It is 
       from Jakarta in the Republic Of South Africa.  Die Hard 2 is a 
       memory resident full stealth virus which infects .COM and .EXE 
       programs, including COMMAND.COM. 
 
       When the first Die Hard 2 infected program is executed, the virus
       installs itself memory resident at the top of system memory but
       below the 640K DOS boundary, hooking interrupts 10 and 21.  Total
       system and available free memory, as indicated by the DOS CHKDSK
       program, will have decreased by 4,000 bytes.
 
       Once memory resident, the Die Hard 2 virus will infect programs when
       they are executed or opened.  Infected programs will have a file
       length increase of 4,000 bytes with the virus being located at the
       end of the file.  While the virus is memory resident, neither the
       file length increase nor the viral code is visible, whether in the
       DOS disk directory listing or within the infected file, because
       Die Hard 2 is a full stealth virus that disinfects programs
       "on the fly".  The program's date and time in the DOS disk directory
       listing will not be altered.  The following text string is encrypted
       within the viral code:
 
               "SW DIE HARD 2" 
 
       The DOS CHKDSK program, when executed with Die Hard 2 in memory, will 
       not indicate file allocation errors on infected files. 
 
       Programs infected with Die Hard 2 can be disinfected manually
       fairly easily.  The system user should execute a program known to be
       infected in order to ensure that the virus is memory resident.  All
       of the executable programs on the system should then be archived
       using a program such as PKWare's PKZIP program.  The system must then
       be cold booted from a known clean boot disk.  Without executing any
       programs from the system hard drive, the archive files created
       earlier should be used to replace the executable programs on the
       system hard drive.
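
The stealth behaviour described above suggests a simple check: compare a directory listing captured while the virus may be resident against one captured after a cold boot from a clean disk. The following is an added example, not part of the original entry; it assumes the 4,000-byte growth is visible from a clean boot, assumes a typical MS-DOS DIR line layout, and uses constructed sample listings.

```python
import re

VIRUS_LENGTH = 4000            # "Eff Length" given in the entry above
TARGET_EXTS = {"COM", "EXE"}   # file types the entry says are infected

# Assumed MS-DOS DIR line layout: NAME EXT SIZE DATE TIME
DIR_LINE = re.compile(
    r"^(?P<name>\S{1,8})\s+(?P<ext>\S{1,3})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{1,2}:\d{2}[ap])\s*$"
)

def parse_dir(listing):
    """Map 'NAME.EXT' -> (size, 'date time') for program files in a DIR listing."""
    files = {}
    for line in listing.splitlines():
        m = DIR_LINE.match(line.strip())
        if m and m["ext"].upper() in TARGET_EXTS:
            key = f"{m['name']}.{m['ext']}".upper()
            size = int(m["size"].replace(",", ""))
            files[key] = (size, f"{m['date']} {m['time']}")
    return files

def suspect_files(resident_listing, clean_boot_listing):
    """Files exactly VIRUS_LENGTH bytes larger from a clean boot, same timestamp."""
    resident = parse_dir(resident_listing)
    clean = parse_dir(clean_boot_listing)
    hits = []
    for name, (clean_size, clean_stamp) in sorted(clean.items()):
        if name not in resident:
            continue  # present only after clean boot: needs a separate look
        res_size, res_stamp = resident[name]
        # The entry says date and time are not altered, so require a match.
        if clean_size - res_size == VIRUS_LENGTH and clean_stamp == res_stamp:
            hits.append(name)
    return hits

# Constructed sample listings (not taken from a real system).
RESIDENT = """\
COMMAND  COM     54,619 09-30-93   6:20a
CHKDSK   EXE     12,241 09-30-93   6:20a
EDIT     COM        413 09-30-93   6:20a
README   TXT      4,000 01-02-94   9:00a
"""
CLEAN_BOOT = RESIDENT.replace("54,619", "58,619").replace("12,241", "16,241") \
                     .replace(" 4,000", " 8,000")

if __name__ == "__main__":
    for name in suspect_files(RESIDENT, CLEAN_BOOT):
        print(f"{name}: +{VIRUS_LENGTH} bytes when read from a clean boot")
```

A 4,000-byte difference with an unchanged timestamp is an indicator for follow-up scanning, not proof of infection.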
