Hafenstrass Virus


 Virus Name:  Hafenstrass 
 Aliases:     Hafen 
 V Status:    Rare 
 Discovered:  February, 1992 
 Symptoms:    .EXE file growth; system hangs 
 Origin:      Germany 
 Eff Length:  809 Bytes 
 Type Code:   PNE - Non-Resident Parasitic .EXE Infector 
 Detection Method:  AVTK, Sweep, ViruScan, F-Prot, NAV, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Hafenstrass, or Hafen, virus was submitted in February, 1992. 
       Hafenstrass is a non-resident, direct action infector of .EXE 
       programs.  It is originally from Germany. 
 
       When a program infected with the Hafenstrass virus is executed, this 
       virus may infect one .EXE program located in the current directory 
       on the current drive.  It does not always infect an .EXE program 
       when an infected program is executed, so the infection process is 
       somewhat sporatic. 
 
       Programs infected with the Hafenstrass virus will have a file length 
       increase of 809 bytes.  The virus will be located at the end of the 
       infected file.  There will be no change to the file's date and time 
       in the DOS disk directory listing.  No text strings are visible in 
       the viral code in infected programs. 
 
       Systems infected with the Hafenstrass virus may experience system 
       hangs when infected programs are executed, though at other times the 
       infected program will execute properly. 
 
       The Hafenstrass virus will create 22 byte hidden files on infected 
       systems.  These hidden files will have file names which are four 
       characters in length, with the characters being lower case.  The 
       files will contain the following text: 
 
               "Hafenstaáe bleibt!" 
 
       Known variant(s) of Hafenstrass are: 
       Hafenstrass-1191: Based on the original Hafenstrass virus, and 
               Hafenstrass 2 , this variant adds 1,191 bytes to the .EXE 
               programs it infects.  Occassionally when an infected program 
               is executed, it will display a graphic ambulance car moving 
               across the bottom of the system display from left to right. 
               When it reaches the right side of the screen, it will 
               display the word "BOOM!" in graphic block letters with 
               "No more RedX !!!" below it in normal display font, bright 
               type. 
               Origin:  Germany  July 1992. 
       Hafenstrass-1191B: Functionally equivalent to Hafenstrass-1191, 
               this variant has one byte which differs. 
               Origin:  Germany  July 1992. 
       Hafenstrass-D: Based on the original Hafenstrass virus, this 
              variant intermittently infect one .EXE program located 
              in the current directory or a higher directory on the 
              current drive each time an infected program is executed. 
              Infected programs will have a file length increase of 
              781 bytes with the virus being located at the end of 
              the infected file.  The program's date and time in the 
              DOS disk directory listing will not have been altered. 
              Hafenstrass-D does not create hidden files. 
              Origin:  Unknown  April 1992. 
 
       See:   Hafenstrass 2 

Show viruses from discovered during that infect .

Main Page