Threat Description

Ehhehe

Details

Aliases: HLLW.Ehhehe
Category: Malware
Type:
Platform: W32

Summary



This simple virus is written in BASIC.

The virus spreads by adding a copy of itself to ZIP and ARJ archives as a file named README.EXE. When README.EXE is executed, the virus searches for more ZIP and ARJ archives on the disk and writes a copy of itself to them.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The virus uses the DOS commands 'DIR *.ARJ /S /B >>ARJ.DAT' and 'DIR *.ZIP /S /B >>ZIP.DAT' to create lists of the ARJ and ZIP archives that are available on the hard disk. The virus uses archive names from these list files to build a command line for calling the archivers: for ARJ it is 'ARJ a <archive name> README.EXE>>NULL' and for PKZIP it is 'PKZIP <archive name> README.EXE>>NULL'. The virus will not infect archives if ARJ.EXE or PKZIP.EXE are not present.

To block output to the screen from ARJ and PKZIP, the virus redirects screen output to the NULL device. The ARJ.DAT and ZIP.DAT files are deleted before the virus returns control to the system, using the DOS commands 'DEL ARJ.DAT>>NULL' and 'DEL ZIP.DAT>>NULL'.

When README.EXE is run, it displays several messages on the screen like 'Decompressing video drivers' or 'Decompressing sound files' and a progress indicator. During that time the virus infects all available archives. When the virus returns control to the system it displays a message:

Eh He He He v1.0 (2)

The number in brackets could change.
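
A triage check built from the indicators above, as an added example that is not part of the original description or any F-Secure tooling: it walks a directory tree, lists ZIP archives that contain a member named README.EXE, and reports any ARJ.DAT or ZIP.DAT list files left on disk. The function names and the sample tree are constructed for illustration, ARJ archives are not parsed, and a hit is only a candidate for review because legitimate archives can contain a file with that name.

```python
import os
import tempfile
import zipfile

# Names from the description above: the dropped file and the two list
# files the virus writes while searching for archives.
PAYLOAD_NAME = "README.EXE"
LIST_FILES = {"ARJ.DAT", "ZIP.DAT"}


def payload_members(source):
    """Return ZIP member names whose base name is README.EXE (any case).

    `source` is a path or file-like object; corrupt or unreadable
    archives yield an empty list instead of raising.
    """
    try:
        with zipfile.ZipFile(source) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return []
    return [n for n in names
            if n.replace("\\", "/").rsplit("/", 1)[-1].upper() == PAYLOAD_NAME]


def scan_tree(root):
    """Walk `root`; list ZIPs holding README.EXE and leftover list files."""
    findings = {"archives": [], "list_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.upper() in LIST_FILES:
                findings["list_files"].append(path)
            elif name.upper().endswith(".ZIP") and payload_members(path):
                findings["archives"].append(path)
    return findings


def demo():
    """Build a constructed sample tree and return base names of the findings."""
    with tempfile.TemporaryDirectory() as root:
        for zip_name, member in (("GAME.ZIP", "README.EXE"), ("DOCS.ZIP", "NOTES.TXT")):
            with zipfile.ZipFile(os.path.join(root, zip_name), "w") as zf:
                zf.writestr(member, b"constructed sample bytes")
        open(os.path.join(root, "ZIP.DAT"), "w").close()
        found = scan_tree(root)
    return {k: [os.path.basename(p) for p in v] for k, v in found.items()}


if __name__ == "__main__":
    print(demo())
```

Because the virus deletes ARJ.DAT and ZIP.DAT before it exits, finding either file suggests a run that was interrupted partway through.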





Technical Details: Alexey Podrezov, F-Secure

