Haifa Virus


 Virus Name:  Haifa 
 Aliases: 
 V Status:    Common 
 Discovered:  September, 1991 
 Symptoms:    .COM file growth; TSR; system hangs 
 Origin:      Israel 
 Eff Length:  2,351 - 2,372 Bytes 
 Type Code:   PRsAK - Resident Parasitic .COM &.EXE Infector 
 Detection Method:  ViruScan, NAV, AVTK, Sweep, F-Prot, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Haifa virus was discovered in Israel in September, 1991.  Haifa 
       is a memory resident infector of .COM and .EXE files, including 
       COMMAND.COM. 
 
       The first time a program infected with Haifa is executed on a system, 
       Haifa will install itself memory resident as a low system memory TSR 
       of 2,512 bytes.  Interrupts 09 and 21 will be hooked by the Haifa 
       virus' TSR.  At this time, the program pointed to by the COMSPEC 
       environment variable will be infected, as well as the copy of 
       COMMAND.COM located in the C: drive root directory.  On 386 systems, 
       a system hang will then occur.  This system hang usually does not 
       occur on 8088 processor based systems. 
 
       After Haifa is memory resident it will infect the first two uninfected 
       programs in the current directory each time a program is executed. 
       Infected programs increase in size by 2,351 to 2,372 bytes, with the 
       virus located at the end of the infected file.  There will be no 
       change to the file's date and time in the DOS disk directory. 
 
       Haifa employs a complex encryption mechanism to complicate 
       disassembly of the virus and the selection of scan identification 
       strings.  Because the encrypted body varies from one infection to 
       the next, copies of the same program have different lengths after 
       infection; for example, duplicate copies of COMMAND.COM located on 
       C: and A: will have different lengths once both are infected. 
 
       The Haifa virus adds the following two lines of ASCII text to the 
       end of any .DOC file that is opened while the virus is memory 
       resident.  These two lines are stored encrypted within the virus 
       body and are not visible in infected programs: 
 
               "OOPS!  Hope I didn't ruin anything!!! 
                Well, nobody reads these stupied DOCS anyway!" 
 
       Known variant(s) of Haifa are: 
       Mozkin: Discovered in Israel in May, 1992, Mozkin is based on 
               the Haifa virus, though the encryption has been altered so 
               that programs that can recognize Haifa may not be able to 
               detect Mozkin.  On 80286 based systems, execution of a 
               Mozkin infected program will result in the infection of 
               COMMAND.COM and the following message being displayed: 
               "KIRYAT MOZKIN!!! 
                LOCAL PROCESS INDUSTRY. 
                VIRUS DONE BY: 
                SIBEL ,TEACHES 
                HOW TO MANAGE SHEEP? 
                 Thanks for using Turbo Anti Virus. 
                PLEASE JMP FE00:0" 
                Once this message is displayed the system will be hung. 
                On 8088 based systems, Mozkin will become memory resident 
                in low available system memory when the first infected 
                program is executed, hooking interrupt 21.  After becoming 
                memory resident, it will infect .COM and .EXE programs 
                when they are executed or opened.  Infected programs will 
                increase in length by 2,358 to 2,373 bytes with the virus 
                being located at the end of the infected file. 
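       The entry above gives three things a responder can check for without a 
       scanner: executables that have grown by 2,351 to 2,372 bytes (Haifa) or 
       2,358 to 2,373 bytes (Mozkin) relative to a known-good copy, and .DOC 
       files that end with the two appended lines.  The script below is an 
       added example written for this page, not code from the original entry 
       or from any antivirus product.  It assumes you have a trusted baseline 
       of executable sizes (a manifest from clean install media, here 
       represented by a plain dictionary), and it builds its own constructed 
       sample files rather than touching real infected ones.  It also shows 
       the caveat a practitioner should keep in mind: the two documented 
       growth ranges overlap, so a size delta of 2,358 to 2,372 bytes cannot 
       by itself tell Haifa from Mozkin. 

```python
import os
import tempfile

# Text the entry says Haifa appends to .DOC files opened while it is resident.
# Kept as bytes so binary files can be scanned; the misspelling is the virus's own.
HAIFA_DOC_LINE1 = b"OOPS!  Hope I didn't ruin anything!!!"
HAIFA_DOC_LINE2 = b"Well, nobody reads these stupied DOCS anyway!"

# Documented growth of infected .COM/.EXE files, in bytes, per strain.
GROWTH_RANGES = {
    "Haifa": (2351, 2372),
    "Mozkin": (2358, 2373),
}


def classify_growth(baseline_size, current_size):
    """Return the list of strains whose documented growth range matches the
    size delta. More than one name means the ranges overlap and size alone
    is inconclusive; an empty list means no documented range matches."""
    delta = current_size - baseline_size
    return [name for name, (lo, hi) in GROWTH_RANGES.items() if lo <= delta <= hi]


def doc_has_haifa_tail(data, window=256):
    """True if both appended lines appear in the last `window` bytes of a .DOC file.
    Only the tail is examined because the entry says the text is appended."""
    tail = data[-window:]
    return HAIFA_DOC_LINE1 in tail and HAIFA_DOC_LINE2 in tail


def scan_directory(root, baseline):
    """Walk `root` and report executables whose size growth versus `baseline`
    (a hypothetical trusted manifest: relative path -> clean size) matches a
    documented range, plus .DOC files carrying the appended text."""
    findings = {"executables": {}, "docs": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            upper = name.upper()
            if upper.endswith((".COM", ".EXE")) and rel in baseline:
                strains = classify_growth(baseline[rel], os.path.getsize(path))
                if strains:
                    findings["executables"][rel] = strains
            elif upper.endswith(".DOC"):
                with open(path, "rb") as f:
                    if doc_has_haifa_tail(f.read()):
                        findings["docs"].append(rel)
    return findings


def build_sample_tree(root):
    """Write constructed sample files (placeholder bytes, not real code or real
    infections) into `root` and return the baseline sizes for the executables."""
    filler = b"\x90" * 100
    exes = {
        "CLEAN.COM": filler,                     # unchanged since baseline
        "GROWN.COM": filler + b"\x00" * 2355,    # +2355: Haifa range only
        "BIG.EXE":   filler + b"\x00" * 2360,    # +2360: inside both ranges
        "OTHER.EXE": filler + b"\x00" * 4096,    # +4096: matches neither (e.g. a legitimate update)
    }
    baseline = {name: len(filler) for name in exes}
    docs = {
        "README.DOC": b"Installation notes.\r\n" + HAIFA_DOC_LINE1 + b"\r\n" + HAIFA_DOC_LINE2 + b"\r\n",
        "NOTES.DOC": b"Nothing to see here.\r\n",
    }
    for name, data in {**exes, **docs}.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return baseline


def run_demo():
    """Build the constructed tree in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        baseline = build_sample_tree(root)
        return scan_directory(root, baseline)


if __name__ == "__main__":
    for rel, strains in run_demo()["executables"].items():
        print(f"{rel}: growth matches {', '.join(strains)}")
    for rel in run_demo()["docs"]:
        print(f"{rel}: appended Haifa text found")
```

       A file that has not grown, or a .DOC file without the tail, proves 
       nothing: the entry says only the first two uninfected programs in the 
       current directory are hit per execution, and only .DOC files opened 
       while the virus is resident are marked.  Treat a hit as a reason to 
       check memory for the TSR and run a proper scanner, not as a full 
       inventory of infected files. 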
 
       See:   Jerusalem-Haifa 
