MadSci Network: Computer Science
Query:

Re: Virus

Area: Computer Science
Posted By: Tom Kakanowski, Computer Science
Date: Fri Aug 23 12:45:28 1996
Message ID: 840817769.Cs


Summary:  

Stealth Virus. Hard disks of infected machines will be 
unrecognized if you boot from a clean floppy ("invalid drive 
specification."), but will seem to work fine if the virus is 
resident from a floppy boot, or if you boot from the infected 
hard disk. On August 22 and September 22, the virus displays 
the message: 

     "HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...

While the message is displayed on either of these dates, all 
hard disks in the machine are being overwritten.


Characteristics:

Krsna infects COM and EXE files, MBRs of hard drives and floppy 
boot sectors. Infected files and boot sectors are encrypted 
with a slowly changing polymorphic encryption layer. Infected 
files are marked by setting the seconds field of the time stamp 
to 34. Krsna will not infect files starting with 'TB' or 'F-'. 

When an infected file is run, the virus first infects the MBR 
of the hard drive. When the machine is rebooted, the virus 
installs itself into memory from the MBR and begins infecting 
floppy boot sectors during floppy access, as well as COM and 
EXE files. 

When resident, the virus occupies over 9kB of memory. Infected 
files will grow around 7600-7800 bytes in size, depending on 
the polymorphic decryptor. The polymorphic decryptor contains 
several conditional and unconditional jumps and several calls 
to do-nothing interrupts to confuse heuristics and emulation. 
Polymorphic encryption changes slowly, trying to make it 
difficult to create a large sample set with variable 
decryptors. 
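The two infection markers given above, a seconds field of 34 in the file time stamp and a size growth of roughly 7600-7800 bytes, are concrete enough to turn into a triage check. The following is an added example written for this page, not code from the original answer or from any named scanner; it decodes the 16-bit DOS time field used in FAT directory entries and flags entries carrying the marker. The directory listing it scans is constructed sample data, and the function and constant names are this example's own.

```python
"""Triage scan for the Hare/Krsna infection marker (added example).

The write-up states that infected files have the seconds field of
their time stamp set to 34 and grow by about 7600-7800 bytes.  This
module decodes the 16-bit DOS/FAT time field and flags entries whose
seconds field is 34.  The sample directory listing is constructed.
"""
import os
from datetime import datetime

MARKER_SECONDS = 34            # value stated in the write-up
GROWTH_RANGE = (7600, 7800)    # size increase range stated in the write-up


def dos_time_seconds(dos_time: int) -> int:
    """Decode the seconds from a 16-bit FAT/DOS time field.

    Layout: bits 15-11 hours, bits 10-5 minutes, bits 4-0 seconds/2.
    Seconds therefore have 2-second granularity, so 34 (17 * 2) is a
    value a FAT directory entry can actually hold.
    """
    return (dos_time & 0x1F) * 2


def encode_dos_time(hour: int, minute: int, second: int) -> int:
    """Inverse of dos_time_seconds; used here to build sample entries."""
    return (hour << 11) | (minute << 5) | (second // 2)


def has_marker(dos_time: int) -> bool:
    """True if the time field carries the 34-second marker."""
    return dos_time_seconds(dos_time) == MARKER_SECONDS


def flag_entries(entries):
    """Return the names of entries whose time stamp carries the marker.

    `entries` is an iterable of (name, dos_time, size) tuples, the
    fields a FAT directory scan would yield.
    """
    return [name for name, dos_time, _size in entries if has_marker(dos_time)]


def size_growth_consistent(clean_size: int, suspect_size: int) -> bool:
    """True if a file grew by an amount within the reported 7600-7800 bytes.

    Use this when a known-clean copy of the file is available for comparison.
    """
    lo, hi = GROWTH_RANGE
    return lo <= suspect_size - clean_size <= hi


def scan_directory(path: str):
    """Flag files under `path` whose modification time has seconds == 34.

    Caveat: on file systems with 1-second mtime resolution about 1 in 60
    clean files will match by chance (1 in 30 on FAT), so treat a hit as
    a prompt for a real scan, not as a verdict.  Run it from a clean boot:
    the write-up says the resident virus hides file changes.
    """
    hits = []
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            mtime = datetime.fromtimestamp(entry.stat().st_mtime)
            if mtime.second == MARKER_SECONDS:
                hits.append(entry.path)
    return hits


# Constructed sample directory listing: (name, dos_time, size in bytes)
SAMPLE_ENTRIES = [
    ("EDIT.COM",   encode_dos_time(9, 15, 12), 69886),
    ("GAME.EXE",   encode_dos_time(14, 2, 34), 210214),   # marker set
    ("README.TXT", encode_dos_time(14, 2, 32), 1380),
    ("TOOL.EXE",   encode_dos_time(23, 59, 34), 54000),   # marker set
]

if __name__ == "__main__":
    print("marked entries:", flag_entries(SAMPLE_ENTRIES))
```

The time-stamp check alone is a weak signal, which is why `size_growth_consistent` is there: when a pristine copy of the same file exists (an installation diskette, for instance), a matching seconds field plus a size difference inside the stated range is a much stronger indication than either on its own.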

Krsna will attempt to hide itself in files, but it will 
sometimes report the infected files as slightly bigger or 
smaller than they originally were. 

Krsna is Windows 95-aware: it will delete the floppy disk 
driver file to make itself capable of spreading to floppy 
disks used from Win95. 

Krsna activates when the machine is booted on the 22nd of 
August and 22nd of September. At this time it displays this 
text: 

        "HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare... 

After this the virus attempts to overwrite the hard drive and 
the A: and B: drives. This produces a 'Non-system disk' error, but 
the virus stays resident after the destruction is done, so it 
can still replicate if a boot floppy is inserted to start up 
the machine. 

Krsna was found in the wild in the USA in May 1996 and it was 
apparently distributed over the internet, as infections were 
soon found in Canada, the UK, Switzerland, Russia and the 
Netherlands. 

Hare.7750, a variant of Hare.7610, displays the following message:

"HDEuthanasia-v2' by Demon Emperor: Hare Krsna, hare, hare"

This is a newer variant which has some bugs corrected. 
Otherwise the virus is like the original variant. 

This variant was spread in faked Usenet news posts on the 26th 
and 29th of June, 1996. Infected files included: 

    vpro46c.exe   in alt.cracks
    agent99e.exe  in alt.cracks
    agent99e.exe  in alt.crackers
    lviewc.exe    in alt.crackers
    red_4.exe     in alt.sex
    pkzip300.exe  in alt.comp.shareware

Hare.7786, another variant of Hare.7610, displays the following message:

"HDEuthanasia-v3' by Demon Emperor: Hare Krsna, hare, hare"

In addition to the above message, the payload of Hare.7610 
results in an overwrite of the system hard disks. The data 
contained on the hard disks is destroyed during this process. 


Infection Method:

Multi-partite viruses have two main routes of infection; either 
as a Master Boot Record/Boot Sector Virus or as a File 
Infecting Virus. 

Most infections occur when a computer attempts to boot from an 
infected floppy diskette. The boot sector of the diskette has 
the code to determine if the diskette is bootable, and to 
display the "Non-system disk or disk error" message. It is this 
code that harbors the infection. By the time the non-system 
disk error message comes up, the infection has occurred.

Once the virus is executed, it will infect the hard drive's MBR 
and may become memory resident. With every subsequent boot, the 
virus will be loaded into memory and will attempt to infect 
floppy diskettes accessed by the machine.

The second route of infection is by receiving an infected file 
through a multitude of sources including: floppy diskettes, 
downloads through an online service, network, modem 
connections, etc. Once the infected file is executed, the virus 
may activate. 
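Because the MBR route described above is the one that survives reboots, the standard defensive counterpart is to fingerprint the Master Boot Record while the machine is known clean and compare it again later, from a clean boot. The block below is an added example written for this page, not code from the original answer or from any of the scanners it names. The MBR layout it relies on (446 bytes of bootstrap code, a 64-byte partition table, the 0x55AA signature) is the standard PC one; the sector images it compares are constructed sample data and the function names are this example's own.

```python
"""Baseline-and-compare check for a 512-byte Master Boot Record (added example).

Boot-sector infectors replace the bootstrap code at the start of the
MBR, while the partition table is normally left alone (and is changed
by legitimate repartitioning).  Hashing the two regions separately
tells the analyst which part moved.  Sample sectors are constructed.
"""
import hashlib

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446                   # bootstrap code occupies bytes 0..445
PARTITION_TABLE_SIZE = 64              # four 16-byte entries at 446..509
BOOT_SIGNATURE = b"\x55\xAA"           # bytes 510..511 of a valid MBR


def validate_mbr(sector: bytes) -> None:
    """Raise ValueError if `sector` is not a plausible MBR image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[-2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")


def split_mbr(sector: bytes):
    """Return (bootstrap_code, partition_table) for a validated MBR."""
    validate_mbr(sector)
    code = sector[:BOOTSTRAP_SIZE]
    table = sector[BOOTSTRAP_SIZE:BOOTSTRAP_SIZE + PARTITION_TABLE_SIZE]
    return code, table


def bootstrap_fingerprint(sector: bytes) -> str:
    """SHA-256 of the bootstrap code region only."""
    code, _table = split_mbr(sector)
    return hashlib.sha256(code).hexdigest()


def partition_table_fingerprint(sector: bytes) -> str:
    """SHA-256 of the partition table region only."""
    _code, table = split_mbr(sector)
    return hashlib.sha256(table).hexdigest()


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Report which MBR regions differ between a baseline and a later read.

    A changed bootstrap with an unchanged partition table is the pattern
    a boot-sector infection leaves; a changed partition table alone is
    more likely to be repartitioning.
    """
    return {
        "bootstrap_changed":
            bootstrap_fingerprint(baseline) != bootstrap_fingerprint(current),
        "partition_table_changed":
            partition_table_fingerprint(baseline) != partition_table_fingerprint(current),
    }


def make_sample_mbr(code_fill: bytes, table: bytes) -> bytes:
    """Build a constructed 512-byte MBR image from a code pattern and a table."""
    code = (code_fill * (BOOTSTRAP_SIZE // len(code_fill) + 1))[:BOOTSTRAP_SIZE]
    assert len(table) == PARTITION_TABLE_SIZE
    return code + table + BOOT_SIGNATURE


# Constructed partition table: one active primary entry, three empty ones.
SAMPLE_TABLE = bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0xFE, 0x3F, 0x7F,
                      0x3F, 0x00, 0x00, 0x00, 0x41, 0xA0, 0x1F, 0x00]) + bytes(48)

CLEAN_MBR = make_sample_mbr(b"\xFA\x33\xC0\x8E\xD0", SAMPLE_TABLE)   # baseline
TAMPERED_MBR = make_sample_mbr(b"\xEB\x3C\x90\x00", SAMPLE_TABLE)    # bootstrap replaced

if __name__ == "__main__":
    print(compare_mbr(CLEAN_MBR, TAMPERED_MBR))
```

The comparison is only meaningful when both reads come from a clean environment: the answer notes that the resident virus presents an infected system as healthy, so a fingerprint taken while it is in memory would simply confirm whatever the virus chooses to show.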


Removal:

Run McAfee's VirusScan or Dr. Solomon's FindVirus from a 
clean, virus-free environment (i.e., a startup diskette).


Prevention:

Scan all files and diskettes before using them to minimize the 
risk of infection. 


Virus Information:

Found		July, 1996
Origin		Europe
Length		7610 Bytes
Type		This is a resident stealth multipartite virus 
	with antiheuristics and antiemulation tricks, encrypted with a 
	slow polymorphic encryption layer. 

Prevalence	Common, increasingly widespread. Has been 
	reported in United States, Canada, the United Kingdom, 
	Switzerland, Russia.
Author		Demon Emperor
Variants	Hare.7750
		Hare.7786

Aliases		Krsna
		HDEuthanasia


© Copyright 1996, Washington University. All rights reserved.