Hafenstrass Virus
Virus Name: Hafenstrass
Aliases: Hafen
V Status: Rare
Discovered: February, 1992
Symptoms: .EXE file growth; system hangs
Origin: Germany
Eff Length: 809 Bytes
Type Code: PNE - Non-Resident Parasitic .EXE Infector
Detection Method: AVTK, Sweep, ViruScan, F-Prot, NAV, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N,
IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Hafenstrass, or Hafen, virus was submitted in February, 1992.
Hafenstrass is a non-resident, direct action infector of .EXE
programs. It is originally from Germany.
When a program infected with the Hafenstrass virus is executed, this
virus may infect one .EXE program located in the current directory
on the current drive. It does not always infect an .EXE program
when an infected program is executed, so the infection process is
somewhat sporatic.
Programs infected with the Hafenstrass virus will have a file length
increase of 809 bytes. The virus will be located at the end of the
infected file. There will be no change to the file's date and time
in the DOS disk directory listing. No text strings are visible in
the viral code in infected programs.
Systems infected with the Hafenstrass virus may experience system
hangs when infected programs are executed, though at other times the
infected program will execute properly.
The Hafenstrass virus will create 22 byte hidden files on infected
systems. These hidden files will have file names which are four
characters in length, with the characters being lower case. The
files will contain the following text:
"Hafenstaáe bleibt!"
Known variant(s) of Hafenstrass are:
Hafenstrass-1191: Based on the original Hafenstrass virus, and
Hafenstrass 2 , this variant adds 1,191 bytes to the .EXE
programs it infects. Occassionally when an infected program
is executed, it will display a graphic ambulance car moving
across the bottom of the system display from left to right.
When it reaches the right side of the screen, it will
display the word "BOOM!" in graphic block letters with
"No more RedX !!!" below it in normal display font, bright
type.
Origin: Germany July 1992.
Hafenstrass-1191B: Functionally equivalent to Hafenstrass-1191,
this variant has one byte which differs.
Origin: Germany July 1992.
Hafenstrass-D: Based on the original Hafenstrass virus, this
variant intermittently infect one .EXE program located
in the current directory or a higher directory on the
current drive each time an infected program is executed.
Infected programs will have a file length increase of
781 bytes with the virus being located at the end of
the infected file. The program's date and time in the
DOS disk directory listing will not have been altered.
Hafenstrass-D does not create hidden files.
Origin: Unknown April 1992.
See: Hafenstrass 2