MadSci Network: Computer Science
Summary:
Stealth virus. Hard disks of infected machines are not recognized if you boot from a clean floppy ("Invalid drive specification"), but appear to work normally if the virus is resident, whether it was loaded from an infected floppy boot or from booting the infected hard disk. On August 22 and September 22 the virus displays the message:

"HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...

While the message is displayed on either of these dates, all hard disks in the machine are being overwritten.

Characteristics:
Krsna infects COM and EXE files, the master boot records (MBRs) of hard disks and the boot sectors of floppies. Infected files and boot sectors are encrypted with a slowly changing polymorphic layer. Infected files are marked by setting the seconds field of the file's time stamp to 34 (DOS stores seconds in two-second units, so the value is representable and shows up in a directory listing). Krsna will not infect files whose names start with 'TB' or 'F-'. When an infected file is run, the virus first infects the MBR of the hard disk. On the next reboot it installs itself in memory from the MBR and from then on also infects floppy boot sectors during floppy access, as well as COM and EXE files. When resident, the virus occupies over 9 kB of memory. Infected files grow by around 7600-7800 bytes, depending on the polymorphic decryptor. The decryptor contains several conditional and unconditional jumps and several calls to do-nothing interrupts to confuse heuristic scanners and emulators. The polymorphic encryption changes slowly, to make it hard to collect a large sample set with varying decryptors. Krsna attempts to hide the infection in files, but it sometimes reports infected files as slightly larger or smaller than they originally were, which can itself betray the infection. Krsna is Windows 95-aware: it deletes the Windows 95 floppy disk driver file so that floppy access falls back to the real-mode BIOS services the virus hooks, which makes it able to spread to floppies used from Windows 95. Krsna activates when the machine is booted on the 22nd of August or the 22nd of September. It then displays this text:

"HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...
After this the virus attempts to overwrite the hard disk and the A: and B: drives. This leaves the machine with a 'Non-system disk' error, but the virus stays resident after the destruction is done, so it can still replicate if a boot floppy is inserted to start up the machine. Krsna was found in the wild in the USA in May 1996 and was apparently distributed over the Internet, as infections were soon found in Canada, the UK, Switzerland, Russia and the Netherlands.

Hare.7750, a variant of Hare.7610, displays the following message:

"HDEuthanasia-v2" by Demon Emperor: Hare Krsna, hare, hare

This is a newer variant with some bugs corrected; otherwise it behaves like the original. It was spread in faked posts to Usenet news on the 26th and 29th of June, 1996. Infected files included:

vpro46c.exe in alt.cracks
agent99e.exe in alt.cracks
agent99e.exe in alt.crackers
lviewc.exe in alt.crackers
red_4.exe in alt.sex
pkzip300.exe in alt.comp.shareware

Hare.7786, another variant of Hare.7610, displays the following message:

"HDEuthanasia-v3" by Demon Emperor: Hare Krsna, hare, hare

In addition to displaying the message, the payload of Hare.7610 overwrites the system hard disks; the data they contain is destroyed in the process.

Infection Method:
Multipartite viruses have two main routes of infection: as a master boot record/boot sector virus, or as a file-infecting virus. Most infections occur when a computer attempts to boot from an infected floppy diskette. The boot sector of the diskette holds the code that determines whether the diskette is bootable and displays the "Non-system disk or disk error" message; it is this code that harbors the infection. By the time the non-system disk message appears, the infection has already occurred. Once the virus is executed, it infects the hard disk's MBR and may become memory resident.
With every subsequent boot the virus is loaded into memory and attempts to infect floppy diskettes accessed by the machine. The second route of infection is receiving an infected file from any of a multitude of sources: floppy diskettes, downloads from an online service, a network, modem connections, etc. Once the infected file is executed, the virus may activate.

Removal:
Run McAfee's VirusScan or Dr. Solomon's FindVirus from a clean, virus-free environment (i.e. after booting from a write-protected, known-clean startup diskette). Scanning while the virus is resident is unreliable because of its stealth; and because a clean boot leaves the hard disk unrecognized, expect the disk to stay inaccessible from the clean boot until the MBR has been repaired.

Prevention:
Scan all files and diskettes before using them to minimize the risk of infection.

Virus Information:
Found: July 1996
Origin: Europe
Length: 7610 bytes
Type: Resident stealth multipartite virus with anti-heuristic and anti-emulation tricks, encrypted with a slow polymorphic encryption layer
Prevalence: Common, increasingly widespread. Reported in the United States, Canada, the United Kingdom, Switzerland and Russia.
Author: Demon Emperor
Variants: Hare.7750, Hare.7786
Aliases: Krsna, HDEuthanasia
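The two on-disk indicators this description gives, the seconds == 34 marker on infected COM/EXE files and an MBR that a clean boot no longer recognizes, can both be checked by decoding the raw structures rather than trusting a possibly stealthed DOS. The following is an added example for this page, not code from the original description or from any scanner vendor. The FAT directory-entry and MBR layouts are the standard ones; every sample sector is constructed by hand, and the file names, sizes and partition geometry are made-up illustration values. The page does not say how the virus mangles the on-disk partition table, so the "mangled" sample simply blanks it, which is an assumption.

```python
"""Decode FAT directory entries and an MBR for Hare/Krsna infection indicators.

Added example for this page, not the original's or any vendor's code. Sample
sectors below are constructed; names, sizes and geometry are assumptions.
"""
import struct

# 32-byte FAT directory entry: name(11) attr ntres ctime_tenth ctime cdate
# adate clus_hi wtime wdate clus_lo size
DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")
ATTR_DIRECTORY = 0x10
MARKER_SECONDS = 34                  # the page: infected files carry seconds == 34
GROWTH_RANGE = (7600, 7800)          # the page: bytes added to an infected file
INFECTABLE_EXT = ("COM", "EXE")

MBR_SIG = b"\x55\xaa"
PART_TABLE = 446                     # four 16-byte entries, then 55AA at 510


def decode_dos_time(packed):
    """FAT packed time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2."""
    return (packed >> 11) & 0x1F, (packed >> 5) & 0x3F, (packed & 0x1F) * 2


def make_entry(name, ext, size, hour, minute, second, attr=0x20):
    """Constructed directory entry; write date fixed at 1996-08-22 (0x2116)."""
    wtime = (hour << 11) | (minute << 5) | (second // 2)
    return DIR_ENTRY.pack((name.ljust(8) + ext.ljust(3)).encode("ascii"),
                          attr, 0, 0, 0, 0, 0, 0, wtime, 0x2116, 2, size)


def flag_entries(directory):
    """Return [(name, reason)] for COM/EXE entries carrying the 34-second marker."""
    hits = []
    for off in range(0, len(directory) - DIR_ENTRY.size + 1, DIR_ENTRY.size):
        f = DIR_ENTRY.unpack_from(directory, off)
        raw_name = f[0]
        if raw_name[0] == 0x00:          # end-of-directory marker
            break
        if raw_name[0] == 0xE5 or f[1] & ATTR_DIRECTORY:
            continue                     # deleted entry or subdirectory
        base = raw_name[:8].decode("ascii").rstrip()
        ext = raw_name[8:].decode("ascii").rstrip()
        if ext not in INFECTABLE_EXT:
            continue
        _, _, seconds = decode_dos_time(f[8])   # f[8] is the write time
        if seconds == MARKER_SECONDS:
            hits.append((f"{base}.{ext}", "write-time seconds == 34"))
    return hits


def growth_is_suspicious(clean_size, current_size):
    """Second file indicator: a known-good size grown by 7600-7800 bytes."""
    lo, hi = GROWTH_RANGE
    return lo <= current_size - clean_size <= hi


def parse_mbr(sector):
    """Partition entries of a 512-byte MBR, or None if the 55AA signature is gone."""
    if len(sector) != 512 or sector[510:512] != MBR_SIG:
        return None
    parts = []
    for i in range(4):
        e = sector[PART_TABLE + 16 * i:PART_TABLE + 16 * (i + 1)]
        lba, count = struct.unpack("<II", e[8:16])
        parts.append({"boot": e[0], "type": e[4], "lba": lba, "sectors": count})
    return parts


def mbr_recognizable(sector):
    """Would DOS see a drive here? Signature, sane boot flags and one real entry."""
    parts = parse_mbr(sector)
    if parts is None or any(p["boot"] not in (0x00, 0x80) for p in parts):
        return False
    return any(p["type"] != 0 and p["sectors"] > 0 for p in parts)


def make_mbr(partition_entry):
    """Constructed MBR: zero boot code, one primary partition, 55AA signature."""
    sector = bytearray(512)
    sector[PART_TABLE:PART_TABLE + 16] = partition_entry
    sector[510:512] = MBR_SIG
    return bytes(sector)


# Constructed samples: one FAT16 primary partition at LBA 63, 1,000,000 sectors.
CLEAN_ENTRY = bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0x3F, 0x7F]) + struct.pack("<II", 63, 1000000)
CLEAN_MBR = make_mbr(CLEAN_ENTRY)
# Clean boot of an infected disk sees no drive (the page); blanking the table
# is an assumption about how that looks on disk.
MANGLED_MBR = make_mbr(bytes(16))

SAMPLE_DIRECTORY = (
    make_entry("PKZIP300", "EXE", 49920, 17, 16, 34)   # marker set: flagged
    + make_entry("README", "TXT", 1200, 17, 16, 34)    # not COM/EXE: ignored
    + make_entry("EDIT", "COM", 69886, 9, 30, 10)      # normal timestamp
    + make_entry("WINDOWS", "", 0, 9, 30, 10, attr=ATTR_DIRECTORY)
    + bytes(32)                                         # end of directory
)

if __name__ == "__main__":
    print(flag_entries(SAMPLE_DIRECTORY))
    print(growth_is_suspicious(42176, 49920))
    print(mbr_recognizable(CLEAN_MBR), mbr_recognizable(MANGLED_MBR))
```

Run it against a raw dump of a directory cluster or of sector 0 taken from the clean floppy boot; the point of reading the bytes directly is that the resident virus's stealth cannot interpose on a dump you made while it was not loaded. The timestamp marker is only an indicator: the virus itself skips names starting with 'TB' or 'F-', so a clean-looking scanner binary proves nothing, and an innocent file can legitimately carry 34 seconds.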