Hellween Virus
Virus Name: Hellween
Aliases: 1376
V Status: Rare
Discovery: February, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available free
memory
Origin: Unknown
Eff Length: 1,376 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, AVTK, Sweep, NAV, PCScan,
IBMAV, NAVDX, VAlert, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N,
IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Hellween virus was submitted in February, 1992. Its origin or
point of isolation are unknown. Hellween is a memory resident
infector of .COM and .EXE programs, but does not infect COMMAND.COM.
The first time a program infected with Hellween is executed, the
Hellween virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Interrupt 12's
return will not have been moved. Total system and available free
memory, as indicated by the DOS CHKDSK program, will have decreased
by 1,904 bytes. Interrupt 21 will be hooked by the virus.
Once the Hellween virus is memory resident, it will infect .COM and
.EXE programs when they are executed. Infected programs will have
a file length increase of 1,376 bytes. The virus will be located
at the end of the infected file. The program's date and time in
the DOS disk directory listing will not be altered.
The following text string is encrypted within the Hellween virus
viral code, and are not visible in infected programs:
"HELLWEEN???!!"
It is unknown what Hellween does besides replicate.
Known variant(s) of Hellween are:
Hellween-1182: Based on the Hellween virus described above,
this variant's size in memory is 1,696 bytes. It
hooks interrupts 08, 13, and 21. Like Hellween,
it infects .COM and .EXE programs when they are
executed. Infected programs will have a file
length increase of 1,182 bytes with the virus being
located at the end of the file. The program's date
and time in the DOS disk directory listing will not
be altered. It does not contain the "HELLWEEN"
encrypted text string.
Origin: Unknown July, 1992.
Hellween.1684: Based on the Hellween virus described above,
this variant's size in memory is 2,208 bytes. It
hooks interrupts 08 and 21. It infects .EXE programs
when they are executed. Infected programs will have a
file length increase of 1,684 bytes with the virus
being located at the end of the file. The program's
date and time in the DOS disk directory listing will
not be altered. The following text strings are visible
within the viral code in all infected programs:
"Do you work with DOS"
"Do you like free memory"
"Do you like space on disk"
"YOUR SOLUTION IS"
"The Volkov Commander"
"You can drive it like Norton Commander 4.0"
"The SIZE of Volkov Commander is ONLY 62KB!"
"The VC brings many new functions!"
"All actions of VC are very quick!"
"The VC is ShareWare but"
"please"
"don''t make black copies, it's not fair."
Origin: Unknown April, 1994.
Zak2: Based on the Hellween virus described above, this variant's
size in memory is 2,608 bytes, hooking interrupt 21. Zak2
infects .COM and .EXE programs when they are executed, adding
1,839 bytes to the file's length. The program's date and time
in the DOS disk directory listing will not be altered, and the
virus will be located at the end of the file. The following
text string is encrypted within the Zak2 viral code:
"zak2"
Origin: Unknown May, 1993.