Virus Name: Haifa
V Status: Common
Discovered: September, 1991
Symptoms: .COM file growth; TSR; system hangs
Eff Length: 2,351 - 2,372 Bytes
Type Code: PRsAK - Resident Parasitic .COM &.EXE Infector
Detection Method: ViruScan, NAV, AVTK, Sweep, F-Prot,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
The Haifa virus was discovered in Israel in September, 1991. Haifa
is a memory resident infector of .COM and .EXE files, including
The first time a program infected with Haifa is executed on a system,
Haifa will install itself memory resident as a low system memory TSR
of 2,512 bytes. Interrupts 09 and 21 will be hooked by the Haifa
virus' TSR. At this time, the program pointed to by the COMSPEC
environmental variable will be infected, as well as the copy of
COMMAND.COM located in the C: drive root directory. On 386 systems,
a system hang will then occur. This system hang usually does not
occur on 8088 processor based systems.
After Haifa is memory resident it will infect the first two uninfected
programs in the current directory each time a program is executed.
Infected programs increase in size by 2,351 to 2,372 bytes with the
virus being located at the end of the infected file. There will be
change to the file's date and time in the DOS disk directory.
Haifa employs a complex encryption mechanism to complicate
disassembly of the virus and determination of scan identification
strings. This encryption mechanism also results in copies of the
same program having different lengths after infection, such as
duplicate copies of COMMAND.COM located on C: and A: will have
different lengths after infection.
The Haifa virus adds the following two lines of ASCII text to the
end of .DOC files which are opened when the virus is memory
resident. These two lines are encrypted within the virus and not
visible in infected programs:
"OOPS! Hope I didn't ruin anything!!!
Well, nobody reads these stupied DOCS anyway!"
Known variant(s) of Haifa are:
Mozkin: Discovered in Israel in May, 1992, Mozkin is based on
the Haifa virus, though the encryption has been altered so
that programs that can recognize Haifa may not be able to
detect Mozkin. On 80286 based systems, execution of a
Mozkin infected program will result in the infection of
COMMAND.COM and the following message being displayed:
LOCAL PROCESS INDUSTRY.
VIRUS DONE BY:
HOW TO MANAGE SHEEP?
Thanks for using Turbo Anti Virus.
PLEASE JMP FE00:0"
Once this message is displayed the system will be hung.
On 8088 based systems, Mozkin will become memory resident
in low available system memory when the first infected
program is executed, hooking interrupt 21. After becoming
memory resident, it will infect .COM and .EXE programs
when they are executed or opened. Infected programs will
increase in length by 2,358 to 2,373 bytes with the virus
being located at the end of the infected file.