Hero Virus

Virus Name: Hero Aliases: Hero-506 V Status: Rare Discovered: May, 1991 Symptoms: .COM & .EXE growth; system hangs; program corruption Origin: Italy Eff Length: 506 Bytes Type Code: PRA - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, ViruScan, Sweep, AVTK, NAV, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The Hero virus was received in May, 1991. Its origin is believed to be Italy. Hero is a memory resident generic infector of .COM and .EXE programs, including COMMAND.COM. When the first Hero infected program is executed, Hero will become memory resident. After it is memory resident, it will infect programs when they are executed. The system will usually be hung once the program the user was attempting to execute is infected. Programs infected with Hero will increase in length. .COM programs will have a file size increase of 506 bytes. .EXE programs will increase in size by 506 to 509 bytes. The marker of infection in all infected programs is 24 hex FF (h'FF') characters at the beginning of the infected program. These characters overwrite the original first 24 bytes of the program, permanently damaging the host program. Hero is not a viable virus due to the bugs within its code, and is a very poor replicator since each infection results in a system hang. Known variant(s) of Hero are: Hero-506B: Based on the Hero virus described above, this variant has had some of the programming errors in the virus corrected. It no longer hangs the system when programs are executed. Infected programs will have increased in size by 509 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will have been updated to the current system date and time. Origin: Unknown November, 1992. See: Hero-394