Virus
Virus Name: Hare
Aliases: Hare.7638
V Status: In The Wild
Discovered: July, 1996
Symptoms: .COM & .EXE growth; Master Boot Record Altered;
decrease in available free memory;
file date/time seconds = "34";
system hard disk corruption
Origin: New Zealand
Eff Length: 7,638 Bytes
Type Code: PRhXA - Parasitic Resident .COM, .EXE, MBR Infector
Detection Method: ChAV, ViruScan, NAVDX, NAV 3.10 9612+, AVTK 7.68+,
NShld 2.33+, AVTK/N 7.68+
Removal Instructions: Delete infected files & Replace MBR
General Comments:
The Hare or Hare.7638 virus was received in August, 1996, after
its isolation in New Zealand in July, 1996. Hare is a multi-
partite, encrypted fast infector of .COM and .EXE files, as well
as the system hard disk master boot record.
When the first Hare infected program is executed, this virus will
become memory resident at the top of system memory but below the
640K DOS boundary, not moving interrupt 12's return. Available
free memory, as indicated by the DOS CHKDSK program from DOS 5.0,
will have decreased by 8,736 bytes. Interrupt 21 will be hooked
by the virus in memory. Also at this time, the virus will infect
the system hard disk master boot record if it was not previously
infected by the virus.
Once the Hare virus is memory resident, it will infect .COM and
.EXE files, but not COMMAND.COM, when they are executed or copied.
Infected files will have a file length increase of 7,638 bytes
with the virus being located at the end of the file. The file's
date and time in the DOS disk directory listing will not appear
to be altered, though the seconds field will have been set to
"34". The following text strings are encrypted within the viral
code:
"INFECTUM.COM COMMAND.COMM COMMAND\SYSTEM\IOSUBSYS\HSFLOP.PDR"
""HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare..."
The Hare virus activates when it becomes memory resident on
August 22nd or September 22nd, at which time it will overwrite
all system hard disks and display the following message:
""HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare..."
Known variant(s) of Hare are:
Hare.7772: Received in August, 1996, this is a 7,772 byte
variant of the Hare virus described above. Its size in
memory is 8,880 bytes, hooking interrupt 21. It infects
the system hard disk master boot record, as well as .COM
and .EXE files, similar to the original virus. Infected
files will have a file length increase of 7,772 bytes with
the virus being located at the end of the file. The file's
date and time in the DOS disk directory listing will not
appear to be altered, though the seconds field will have been
set to '34'. This variant contains the following encrypted
text strings:
"INFECTUM.COM COMMAND.COMM COMMAND\SYSTEM\IOSUBSYS\HSFLOP.PDR"
""HDEuthanasia-v2" by Demon Emperor: Hare Krsna, hare, hare..."
Origin: New Zealand July, 1996.
Hare.7808: Received in August, 1996, this is a 7,808 byte
variant of the Hare virus described above. Its size in
memory is 8,912 bytes, hooking interrupt 21. It infects
the system hard disk master boot record, as well as .COM
and .EXE files, similar to the original virus. Infected
files will have a file length increase of 7,808 bytes with
the virus being located at the end of the file. The file's
date and time in the DOS disk directory listing will not
appear to be altered, though the seconds field will have been
set to '34'. This variant contains the following encrypted
text strings:
"HOSTA.COMEXE COMMAND.COME COMMAND\SYSTEM\IOSUBSYS\HSFLOP.PDR"
""HDEuthanasia-v3" by Demon Emperor: Hare Krsna, hare, hare..."
Origin: New Zealand July, 1996.