Hare Krishna virus expected to strike today

A PC virus first reported in New Zealand in July is due to activate either today or on Saturday, overwriting the hard disks of infected machines.

The Hare Krishna virus is so called because when active it shows the message '"HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare ...' on screen. More damagingly, however, it then overwrites all the hard disks on the system, destroying all the data.

The virus has spread quickly from New Zealand; within weeks of its discovery here it has been reported in the United States, Canada, United Kingdom, Switzerland, South Africa and Russia.

It was not written in New Zealand, however, according to Victoria University virus expert Jim Baltaxe. He says it was brought in on software from overseas and went undetected by several products that claim to be able to protect against all new and unknown viruses.

Baltaxe says Hare is expected to come to life again on September 22 and possibly on the 22nd day of each month thereafter. It has already spawned two variations so that there is now a "Hare family" of viruses. Its most common name is Hare.7610 but it is also known as Euthanasia, HDEuthanasia, Krsna and "the hippy virus".

The Hare virus is a PC-only multipartite virus that is resident in memory and infects .COM and .EXE files on execution as well as the master boot record (MBR) and floppy boot sectors. "Hare is a relatively new virus and it won't just display a message screen -- it will destroy information, so it is a rather nasty little program." Baltaxe says it is not a fast spreader but is "quite complicated".

Antivirus software publishers Norton Antivirus, Dr Solomon and F-Prot, among others, have posted detection and repair downloads for the virus on their Web sites.

Baltaxe says the F-Prot product, F-Hare, is available for download at the Victoria University web site, ftp://ftp.vuw.ac.nz/pub/antivirus/ms-dos/F-HARE15.ZIP.

Hare is "in the wild", spreading through newsgroups, exchanged files and floppy disks (as opposed to "in the zoo", when viruses have been eliminated from the general computer population and are kept only in antivirus labs for study), but it is not as common as other viruses, with few incidents of Hare infection having been reported.

It is unusual in that it can generate a large set of instructions when it first infects the system and doesn't generate a different decryptor from infection to infection, as do most polymorphic viruses. It isn't known whether the virus writer designed it to operate this way or whether it is a bug in the virus.

Infected files grow in size by 7630 bytes to 7800 bytes. The partition table in the master boot record is overwritten by the virus, and the hard disk is inaccessible to DOS when the machine is rebooted from a clean system disk. Access is as normal when booted from the hard disk, however.

The AVP virus encyclopaedia says that while opening an infected EXE file the virus disinfects it. When the virus infects a file, it checks the file name and does not infect files whose names match:

TB*.*, F-*.*, IV*.*, CH*.*, COMMAND*.*

The virus also does not infect the file if the letter V appears in its name.
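
An added example, not from the article or any antivirus vendor: a size-baseline triage that combines the 7630 to 7800 byte growth figure with the file-name exclusions above to flag .COM and .EXE files worth scanning first. The file listings are constructed sample data, the function names are hypothetical, and it assumes both size listings were recorded while the virus was not resident in memory.

```python
from fnmatch import fnmatchcase

# Figures and patterns quoted in the article.
GROWTH_MIN, GROWTH_MAX = 7630, 7800
SKIP_PATTERNS = ("TB*.*", "F-*.*", "IV*.*", "CH*.*", "COMMAND*.*")
TARGET_EXTS = (".COM", ".EXE")


def is_skipped(filename):
    """True if the article's rules say the virus leaves this file alone."""
    name = filename.upper()
    # .COM and .EXE contain no V, so testing the whole name is equivalent
    # to testing the base name for the file types the virus targets.
    if "V" in name:
        return True
    return any(fnmatchcase(name, pat) for pat in SKIP_PATTERNS)


def triage(baseline, current):
    """Compare {filename: size} maps and return {filename: verdict}."""
    report = {}
    for name, old_size in baseline.items():
        if not name.upper().endswith(TARGET_EXTS):
            continue  # only .COM and .EXE files are infected
        if name not in current:
            report[name] = "missing"
            continue
        growth = current[name] - old_size
        if growth == 0:
            report[name] = "unchanged"
        elif GROWTH_MIN <= growth <= GROWTH_MAX and not is_skipped(name):
            report[name] = "suspect"   # growth and name both fit Hare
        else:
            report[name] = "changed"   # modified, but not the Hare pattern
    return report


# Constructed sample listings (names and sizes are illustrative only).
BASELINE = {"COMMAND.COM": 54619, "EDIT.COM": 413, "MEM.EXE": 32502,
            "F-PROT.EXE": 150000, "VSAFE.COM": 62576, "README.TXT": 1200}
CURRENT = {"COMMAND.COM": 54619, "EDIT.COM": 8113, "MEM.EXE": 40132,
           "F-PROT.EXE": 157650, "VSAFE.COM": 62576, "README.TXT": 8900}

if __name__ == "__main__":
    for fname, verdict in sorted(triage(BASELINE, CURRENT).items()):
        print(f"{fname:12} {verdict}")
```

A "suspect" verdict is only a pointer for scanning with one of the detection tools mentioned earlier; a "changed" verdict on an excluded name still deserves investigation, just not as a Hare infection.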
