Hellween Virus


 Virus Name:  Hellween 
 Aliases:     1376 
 V Status:    Rare 
 Discovery:   February, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory 
 Origin:      Unknown 
 Eff Length:  1,376 Bytes 
 Type Code:   PRhA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, Sweep, NAV, PCScan, 
                    IBMAV, NAVDX, VAlert, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Hellween virus was submitted in February, 1992.  Its origin or 
       point of isolation are unknown.  Hellween is a memory resident 
       infector of .COM and .EXE programs, but does not infect COMMAND.COM. 
 
       The first time a program infected with Hellween is executed, the 
       Hellween virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary.  Interrupt 12's 
       return will not have been moved.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will have decreased 
       by 1,904 bytes.  Interrupt 21 will be hooked by the virus. 
 
       Once the Hellween virus is memory resident, it will infect .COM and 
       .EXE programs when they are executed.  Infected programs will have 
       a file length increase of 1,376 bytes.  The virus will be located 
       at the end of the infected file.  The program's date and time in 
       the DOS disk directory listing will not be altered. 
 
       The following text string is encrypted within the Hellween virus 
       viral code, and are not visible in infected programs: 
 
               "HELLWEEN???!!" 
 
       It is unknown what Hellween does besides replicate. 
 
       Known variant(s) of Hellween are: 
       Hellween-1182: Based on the Hellween virus described above, 
                      this variant's size in memory is 1,696 bytes.  It 
                      hooks interrupts 08, 13, and 21.  Like Hellween, 
                      it infects .COM and .EXE programs when they are 
                      executed.  Infected programs will have a file 
                      length increase of 1,182 bytes with the virus being 
                      located at the end of the file.  The program's date 
                      and time in the DOS disk directory listing will not 
                      be altered.  It does not contain the "HELLWEEN" 
                      encrypted text string. 
                      Origin:  Unknown  July, 1992. 
       Hellween.1684: Based on the Hellween virus described above, 
                      this variant's size in memory is 2,208 bytes.  It 
                      hooks interrupts 08 and 21.  It infects .EXE programs 
                      when they are executed.  Infected programs will have a 
                      file length increase of 1,684 bytes with the virus 
                      being located at the end of the file.  The program's 
                      date and time in the DOS disk directory listing will 
                      not be altered.  The following text strings are visible 
                      within the viral code in all infected programs: 
                      "Do you work with DOS" 
                      "Do you like free memory" 
                      "Do you like space on disk" 
                      "YOUR    SOLUTION    IS" 
                      "The Volkov Commander" 
                      "You can drive it like Norton Commander 4.0" 
                      "The SIZE of Volkov Commander is ONLY 62KB!" 
                      "The VC brings many new functions!" 
                      "All actions of VC are very quick!" 
                      "The VC is ShareWare but" 
                      "please" 
                      "don''t make black copies, it's not fair." 
                      Origin:  Unknown  April, 1994. 
       Zak2: Based on the Hellween virus described above, this variant's 
             size in memory is 2,608 bytes, hooking interrupt 21.  Zak2 
             infects .COM and .EXE programs when they are executed, adding 
             1,839 bytes to the file's length.  The program's date and time 
             in the DOS disk directory listing will not be altered, and the 
             virus will be located at the end of the file.  The following 
             text string is encrypted within the Zak2 viral code: 
             "zak2" 
             Origin:  Unknown  May, 1993. 

Show viruses from discovered during that infect .

Main Page