Hare Virus


 Virus Name:  Hare 
 Aliases:     Hare.7638 
 V Status:    In The Wild 
 Discovered:  July, 1996 
 Symptoms:    .COM & .EXE growth; Master Boot Record Altered; 
              decrease in available free memory; 
              file date/time seconds = "34"; 
              system hard disk corruption 
 Origin:      New Zealand 
 Eff Length:  7,638 Bytes 
 Type Code:   PRhXA - Parasitic Resident .COM, .EXE, MBR Infector 
 Detection Method: ChAV, ViruScan, NAVDX, NAV 3.10 9612+, AVTK 7.68+, 
                   NShld 2.33+, AVTK/N 7.68+ 
 Removal Instructions:  Delete infected files & Replace MBR 
 
 General Comments: 
       The Hare or Hare.7638 virus was received in August, 1996, after 
       its isolation in New Zealand in July, 1996.  Hare is a multi- 
       partite, encrypted fast infector of .COM and .EXE files, as well 
       as the system hard disk master boot record. 
 
       When the first Hare infected program is executed, this virus will 
       become memory resident at the top of system memory but below the 
       640K DOS boundary, not moving interrupt 12's return.  Available 
       free memory, as indicated by the DOS CHKDSK program from DOS 5.0, 
       will have decreased by 8,736 bytes.  Interrupt 21 will be hooked 
       by the virus in memory.  Also at this time, the virus will infect 
       the system hard disk master boot record if it was not previously 
       infected by the virus. 
 
       Once the Hare virus is memory resident, it will infect .COM and 
       .EXE files, but not COMMAND.COM, when they are executed or copied. 
       Infected files will have a file length increase of 7,638 bytes 
       with the virus being located at the end of the file.  The file's 
       date and time in the DOS disk directory listing will not appear 
       to be altered, though the seconds field will have been set to 
       "34".  The following text strings are encrypted within the viral 
       code: 
 
           "INFECTUM.COM COMMAND.COMM COMMAND\SYSTEM\IOSUBSYS\HSFLOP.PDR" 
           ""HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare..." 
 
       The Hare virus activates when it becomes memory resident on 
       August 22nd or September 22nd, at which time it will overwrite 
       all system hard disks and display the following message: 
 
           ""HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare..." 
 
       Known variant(s) of Hare are: 
       Hare.7772: Received in August, 1996, this is a 7,772 byte 
           variant of the Hare virus described above.  Its size in 
           memory is 8,880 bytes, hooking interrupt 21.  It infects 
           the system hard disk master boot record, as well as .COM 
           and .EXE files, similar to the original virus.  Infected 
           files will have a file length increase of 7,772 bytes with 
           the virus being located at the end of the file.  The file's 
           date and time in the DOS disk directory listing will not 
           appear to be altered, though the seconds field will have been 
           set to '34'.  This variant contains the following encrypted 
           text strings: 
           "INFECTUM.COM COMMAND.COMM COMMAND\SYSTEM\IOSUBSYS\HSFLOP.PDR" 
           ""HDEuthanasia-v2" by Demon Emperor: Hare Krsna, hare, hare..." 
           Origin:  New Zealand  July, 1996. 
       Hare.7808: Received in August, 1996, this is a 7,808 byte 
           variant of the Hare virus described above.  Its size in 
           memory is 8,912 bytes, hooking interrupt 21.  It infects 
           the system hard disk master boot record, as well as .COM 
           and .EXE files, similar to the original virus.  Infected 
           files will have a file length increase of 7,808 bytes with 
           the virus being located at the end of the file.  The file's 
           date and time in the DOS disk directory listing will not 
           appear to be altered, though the seconds field will have been 
           set to '34'.  This variant contains the following encrypted 
           text strings: 
           "HOSTA.COMEXE COMMAND.COME COMMAND\SYSTEM\IOSUBSYS\HSFLOP.PDR" 
           ""HDEuthanasia-v3" by Demon Emperor: Hare Krsna, hare, hare..." 
           Origin:  New Zealand  July, 1996. 

Show viruses from discovered during that infect .

Main Page