Naughty Hacker Virus
Virus Name: Naughty Hacker
Aliases: Naughty Hacker Family, Horse
V Status: Rare
Discovered: April, 1991
Symptoms: .COM & .EXE growth; decrease in total system & available
memory; file allocation errors; buzzing from system speaker
& clicking
Origin: Sofia, Bulgaria
Eff Length: 1,154 or 1,160 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Naughty Hacker is a group of four viruses which were
submitted in April 1991. Several additional variants were received
in May, 1991. The viruses in this family are all stealth-type
viruses, and functionally are very similar.
When a program infected with one of the Naughty Hacker viruses is
executed, the virus will install itself memory resident at the top
of system memory but below the 640K DOS boundary. Interrupts 01
and 21 will be hooked by the virus. Total system and available
free memory, as measured with the DOS CHKDSK program, will decrease
by 1,280 bytes. At this time, the virus will also infect
COMMAND.COM if it hasn't previously been infected.
After a Naughty Hacker virus is memory resident, it will infect
.COM and .EXE files over 1K in length when they are executed
or opened. Infected programs will increase by either 1,154 or 1,160
bytes, depending on which variant is present, with the virus being
located at the end of the infected program. The file length
increase cannot be seen while the virus is memory
resident. The program's date and time in the disk directory will
not be altered.
Systems infected with one of the Naughty Hacker viruses may
find file allocation errors when they execute the DOS CHKDSK
program. These errors occur when the virus is memory resident as
the adjusted directory information will not match the file
allocation table. Executing the CHKDSK program with a /F option may
result in corrupted programs.
Another symptom which may be noticed on infected systems is an
annoying "buzz" being emitted from the system speaker after the
virus has been resident for a while. When this occurs, scrolling of
the display or pressing keys on the keyboard will also result in a
clicking noise. These sound effects occur with some members of this
family, but not the later variants.
It is unknown what the Naughty Hacker viruses do besides replicate.
Known Naughty Hacker viruses are:
Horse: Very similar to Naughty Hacker-B, Horse is a minor variation.
Like Naughty Hacker-B, it is 1,154 bytes in length and
produces the sound effects indicated above. The text string
in this variant is: "Sofia,1991 (c) Naughty Hacker."
Horse 2: Horse 2 is very similar to Naughty Hacker-A. It is 1,160
bytes in length, and produces no sound effects. The text
string in this variant is: "Sofia,Feb '91 Naughty Hacker."
Horse 5: Horse 5 is very similar to Naughty Hacker-D below; it
is a 1,776 byte variant which has three bytes changed from
Naughty Hacker-D.
Horse-8: Received in April, 1992, Horse-8 is a 2,248 byte
member of the Naughty Hacker family. It installs itself
memory resident in the DOS Data area of memory, hooking
interrupt 21. Total system and available free memory as
indicated by the DOS CHKDSK program will not be altered.
Once memory resident, Horse-8 infects .COM and .EXE
programs larger than approximately 10K when they are
opened for a reason other than execution. The virus
hides the 2,248 byte file length increase, and the DOS
CHKDSK program will return file allocation errors on
infected files other than COMMAND.COM when Horse-8 is
memory resident.
Origin: Unknown April, 1992.
Horse-8B: Received in December, 1992, Horse-8B is a minor
variant of the Horse-8 virus. Its memory resident TSR
is 4,864 bytes and hooks interrupt 21. Infected files
will have the seconds field in the file date/time set to
"60".
Origin: Unknown December, 1992.
Naughty Hacker-A: With an effective length of 1,160 bytes, this
variant does not produce the sound effects of
Naughty Hacker-B. The text string "Sofia, Feb
'91 Naughty Hacker" can be found at the end of
infected files.
Naughty Hacker-B: With an effective length of 1,154 bytes, this
variant produces the sound effects described
above. It contains the text strings "Sofia,Jan
1991" and "(c) Naughty Hacker." It appears to be
an earlier version of Naughty Hacker-A.
Naughty Hacker-C: With an effective length of 1,610 bytes, this
variant of Naughty Hacker decreases total system
and available free memory by 2,048 bytes. It is
unknown when it activates, or what it does.
Infected files will contain the text string:
"Naughty Hacker".
Naughty Hacker-D: With an effective length of 1,776 bytes, this
variant is similar to Naughty Hacker-C. It does
not contain any text strings. Interrupts 01, 1C,
and 21 will be hooked when this variant is
memory resident.
Naughty Hacker-E: With an effective length of 1,576 bytes, the
Naughty Hacker-E variant is similar to the Naughty
Hacker-D variant, though it does not hook
interrupt 1C. Like Naughty Hacker-D, it does not
contain any text strings.
Naughty Hacker-F: Naughty Hacker-F is a 1,594 byte variant which
is similar to Naughty Hacker-C. The text in this
variant is "N.Hacker".
Naughty Hacker-G: Naughty Hacker-G is another 1,154 byte variant
of this family. It is functionally similar to
Naughty Hacker-B, with some code modifications.
The text strings found in this variant are:
"Sofia,Jan/Feb 1991 (c) Naughty Hacker".
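
The Horse-8B entry above notes that infected files carry a seconds value of "60" in their directory time stamp. The following check is an added example, not part of the original listing or of any scanner named in it: it decodes raw 32-byte FAT directory entries and reports .COM/.EXE files with that value. The function names and the sample directory are constructed for illustration, and the directory bytes are assumed to have been read from a system booted from clean media.

```python
import struct

ENTRY = struct.Struct("<8s3sB10sHHHI")   # 32-byte FAT directory entry
ATTR_SKIP = 0x08 | 0x10                  # volume label, subdirectory
MARKER_SECONDS = 60                      # value the Horse-8B entry reports

def decode_dos_time(word):
    """Split a 16-bit FAT time word into (hours, minutes, seconds)."""
    # Seconds are stored in 2-second units in the low 5 bits, so raw
    # values 30 and 31 decode to 60 and 62, which no clock produces.
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def make_entry(name, ext, hms, size, attr=0x20):
    """Build one constructed directory entry for the sample below."""
    h, m, s = hms
    time_word = (h << 11) | (m << 5) | (s // 2)
    date_word = ((1992 - 1980) << 9) | (12 << 5) | 1   # 1992-12-01
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                      attr, b"\0" * 10, time_word, date_word, 2, size)

def find_marked_files(directory):
    """Return (filename, seconds, size) for .COM/.EXE entries with the marker."""
    hits = []
    for off in range(0, len(directory) - ENTRY.size + 1, ENTRY.size):
        raw = directory[off:off + ENTRY.size]
        if raw[0] == 0x00:          # end of directory
            break
        if raw[0] == 0xE5:          # deleted entry
            continue
        name, ext, attr, _, time_word, _, _, size = ENTRY.unpack(raw)
        ext = ext.decode("ascii", "replace").strip()
        if attr & ATTR_SKIP or ext not in ("COM", "EXE"):
            continue
        seconds = decode_dos_time(time_word)[2]
        if seconds == MARKER_SECONDS:
            stem = name.decode("ascii", "replace").strip()
            hits.append((f"{stem}.{ext}", seconds, size))
    return hits

# Constructed sample directory: not taken from a real infected disk.
SAMPLE_DIR = b"".join([
    make_entry("CLEAN", "COM", (10, 15, 30), 9216),
    make_entry("MARKED", "EXE", (10, 15, 60), 14336),
    make_entry("NOTES", "TXT", (10, 15, 60), 512),
    bytes(32),
])

if __name__ == "__main__":
    for hit in find_marked_files(SAMPLE_DIR):
        print(hit)
```

A hit is an indicator to follow up with one of the scanners listed under Detection Method, not proof of infection by itself.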