Hare.778 Viruses Information

Name: Hare.778
Category: Viruses
Description: Details
Hare.7786

This is a very dangerous memory-resident, multipartite, stealth, polymorphic virus. It infects COM and EXE files as well as the MBR of the hard drive and the boot sectors of floppy disks. In files, the virus is encrypted three times. The virus is polymorphic both in infected sectors and in infected files.
Installing and Infecting
When an infected file is executed, the virus decrypts itself, infects the hard drive MBR, traces and hooks INT 21h, and returns control to the host program. The virus then writes itself to the end of COM and EXE files when they are executed or closed, and on the DOS Terminate calls (AH=0, 31h, 4Ch). Under Win95, the virus also hooks INT 13h.
When an infected EXE file is opened, the virus disinfects it. When the virus infects a file, it checks the file name and does not infect the following files:
TB*.*
F-*.*
IV*.*
CH*.*
COMMAND*.*

The virus also does not infect a file if its name contains the letter 'V'.
When booting from an infected floppy boot sector, the virus only infects the MBR, returns control to the original boot sector, and does not stay memory resident.
When infecting the hard drive, the virus traces INT 13h or accesses the hard-disk controller ports directly, writes itself to the MBR sector, and writes the rest of its code to the last available track of the hard drive (a track beyond the declared tracks, perhaps the landing zone).
The virus stores the original Disk Partition Table and then overwrites it; as a result, running FDISK /MBR may crash the hard drive. When booting from an infected MBR, the virus restores the Disk Partition Table so that DOS can load the active boot sector and compute the disk parameters (at this point the virus's INT 13h stealth routine is not yet active). It then reduces the system memory size to make room for its TSR copy (the word at address 0000:0413), hooks INT 1Ch, and returns control to the original MBR.
Through the INT 1Ch hook, the virus waits for the DOS loading procedure to complete, then restores the system memory size and hooks INT 13h, 21h, and 28h. On the first INT 28h call, the virus corrupts the Disk Partition Table again. The only apparent reason for such a complex installation procedure is to fool anti-virus hardware and software, if any is installed.
Through the INT 13h hook, the virus intercepts access to floppy disks and infects them. When infecting a floppy, the virus formats an extra track on the disk and writes its code there. It also applies a stealth routine when infected disks are accessed.
Features
When an infected file is executed, the virus also searches the environment area for the "WIN=" string and deletes the SYSTEM\IOSUBSYS\HSFLOP.PDR file (the Windows 95 protected-mode floppy driver) in the Windows directory.
When installing itself memory-resident, the virus checks the system date; on 22 August and 22 September it erases hard drive sectors and, depending on its version, displays the following message:
"HDEuthanasia-v3" by Demon Emperor: Hare Krsna, hare, hareall
When infecting the MBR, the virus performs a strange manipulation of the keyboard: it hooks INT 16h, checks the keys that are pressed, and sometimes substitutes them with 'Y' or 'N'. It appears that the virus is trying to fool BIOS anti-virus features by answering "Yes, infect it!" to the standard prompt shown when the MBR of the hard drive is written.
The virus seeds its polymorphic routines in an unusual way. When infecting a computer, the virus generates a block of random data and saves it to the last sectors of the hard drive. It never changes this random data afterwards (but see the note below); it reads the data back from the sector when booting from the infected MBR or when an infected file is executed. When re-infecting the disk (if it has been disinfected), the virus detects the existing data in the last sector and does not regenerate it.
When infecting a file or a sector, the virus uses this data as the random source for choosing the opcodes and keys of its polymorphic routines, so the polymorphic routine always receives the same input and produces the same code whatever object it infects.
As a result, the polymorphic decryption loops are identical in all files infected on the same computer, and all such files are encrypted with the same code and the same keys. The file length increase on infection is nominally random (the virus length plus the length of the polymorphic decryption loop), but it is constant for all files on the same computer. The same holds for infected floppy disks: they all carry the same polymorphic code in their boot sectors.
Consequently, all files and sectors infected on one computer share a constant byte pattern that anti-virus utilities can use to detect them. Is this directed against anti-virus researchers, or simply meant to fool users and hide the infected file or guest floppy that caused the infection?
Note: the major versions of this virus, when booting from an infected disk, change the random data in the last disk sectors with probability 1/16, and thereafter infect files and boot sectors with different polymorphic code.
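The per-computer constant mask described above, as an added example (not the page's or the virus's own code): a toy generator seeded from a constructed "random block" stands in for the polymorphic routine, and common_tail derives the shared byte pattern from a few infected samples, which then detects other files infected on the same machine but not files from a machine with a different block (or, per the note above, after the 1/16 reseed). All names, seeds and sample bytes are constructed.

```python
import random
from typing import List, Optional

# Constructed stand-ins: a virus body and the per-machine random block that the page
# says Hare keeps in the last hard-drive sectors. Two blocks model two machines.
VIRUS_BODY = b"HARE-BODY-CONSTRUCTED-SAMPLE-" * 2
SEED_MACHINE_1 = bytes(range(0, 32))
SEED_MACHINE_2 = bytes(range(32, 64))


def build_appendix(seed_block: bytes, body: bytes = VIRUS_BODY) -> bytes:
    """Toy model of the page's observation (not the virus's own engine): the
    decryption loop and the key are drawn from a generator seeded with the
    stored block, so every object infected on one machine gets identical bytes."""
    rng = random.Random(int.from_bytes(seed_block, "little"))
    decryptor = bytes(rng.randrange(256) for _ in range(8))  # stand-in for the loop
    key = rng.randrange(1, 256)
    return decryptor + bytes(b ^ key for b in body)


def infect(host: bytes, seed_block: bytes) -> bytes:
    """The virus appends itself to COM/EXE files; the host bytes stay in front."""
    return host + build_appendix(seed_block)


def common_tail(samples: List[bytes], min_len: int = 16) -> Optional[bytes]:
    """Longest byte string that ends every sample, or None if shorter than
    min_len. This is the 'constant mask' an analyst can derive from a few files
    infected on the same computer."""
    if not samples:
        return None
    limit = min(len(s) for s in samples)
    n = 0
    while n < limit and all(s[-1 - n] == samples[0][-1 - n] for s in samples):
        n += 1
    return samples[0][len(samples[0]) - n:] if n >= min_len else None


def matches_mask(data: bytes, mask: bytes) -> bool:
    """End-of-file signature check using the derived mask."""
    return data.endswith(mask)


if __name__ == "__main__":
    hosts = [b"HOST-A", b"HOST-BB", b"HOST-CCC"]
    mask = common_tail([infect(h, SEED_MACHINE_1) for h in hosts])
    print("mask length  :", len(mask))
    print("same machine :", matches_mask(infect(b"NEW-HOST", SEED_MACHINE_1), mask))
    print("other machine:", matches_mask(infect(b"NEW-HOST", SEED_MACHINE_2), mask))
```

Because the resident virus hides the appended bytes through its INT 13h and INT 21h stealth routines, such a mask check is only meaningful after booting from a clean, write-protected disk.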
© 2006-2008 spyware32.com