Classification

Category: Malware

Type: Virus

Aliases: Hare, HDEuthanasia, Krsna, Krishna, RD Euthanasia

Summary

This is a resident stealth multipartite virus with antiheuristics and antiemulation tricks, encrypted with a slow polymorphic encryption layer.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Hare infects COM and EXE files, the MBRs of hard drives and floppy boot sectors. Infected files and boot sectors are encrypted with a slowly changing polymorphic encryption layer. Infected files are marked by setting the seconds field of the time stamp to 34. Hare will not infect files starting with 'TB' or 'F-' or files which have the letter V in their name. This is done to avoid infecting antivirus programs that have a self-check routine.
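The marker and the name exclusions described above can be turned into a simple triage check over raw FAT directory entries. This is an added example, not code from the original description; the function names, the 32-byte FAT12/16 entry layout handling and the sample entries are assumptions constructed for illustration, and the letter-V rule is applied to the base name only.

```python
import struct

ENTRY = struct.Struct("<8s3sB10sHHHI")   # 32-byte FAT12/16 directory entry
MARKER_SECONDS = 34                      # infection marker stated in the description

def dos_seconds(dos_time):
    """The low 5 bits of a DOS time word hold seconds/2."""
    return (dos_time & 0x1F) * 2

def name_is_skipped(base):
    """Names the description says Hare avoids: TB*, F-*, or containing V."""
    base = base.upper()
    return base.startswith(("TB", "F-")) or "V" in base

def triage(directory):
    """Return (suspects, coincidental) lists of NAME.EXT from raw directory bytes."""
    suspects, coincidental = [], []
    for off in range(0, len(directory) - ENTRY.size + 1, ENTRY.size):
        name, ext, attr, _, wtime, _date, _clus, _size = ENTRY.unpack_from(directory, off)
        if name[0] == 0x00:                  # end-of-directory marker
            break
        if name[0] == 0xE5 or attr & 0x18:   # deleted, volume label/LFN, subdirectory
            continue
        base = name.decode("ascii", "replace").strip()
        ext = ext.decode("ascii", "replace").strip()
        if ext not in ("COM", "EXE") or dos_seconds(wtime) != MARKER_SECONDS:
            continue
        # Marker on a name Hare skips is most likely a chance match.
        (coincidental if name_is_skipped(base) else suspects).append(f"{base}.{ext}")
    return suspects, coincidental

def make_entry(base, ext, hh, mm, ss, attr=0x20):
    """Build one constructed directory entry for the sample below."""
    wtime = (hh << 11) | (mm << 5) | (ss // 2)
    wdate = ((1996 - 1980) << 9) | (6 << 5) | 26
    return ENTRY.pack(base.ljust(8).encode(), ext.ljust(3).encode(),
                      attr, b"\0" * 10, wtime, wdate, 2, 40000)

# Constructed sample directory (not real data).
SAMPLE = b"".join([
    make_entry("GAME", "EXE", 10, 15, 34),          # marker present: suspect
    make_entry("EDIT", "COM", 9, 0, 12),            # no marker
    make_entry("TBSCAN", "EXE", 8, 30, 34),         # marker, but a name Hare skips
    make_entry("NOTES", "TXT", 8, 30, 34),          # not a COM/EXE target
    make_entry("TOOLS", "", 8, 30, 34, attr=0x10),  # subdirectory
]) + bytes(32)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A clean file can carry a 34-second time stamp by chance, so a hit is a lead for scanning rather than a detection, and the entries should be read from an offline image or after a clean boot because the virus hides itself while resident.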

When an infected file is run, the virus first infects the MBR of the hard drive, then stays resident and is able to infect files (but not boot sectors). Hare attempts to bypass BIOS boot sector virus protection systems while infecting the MBR.

When the machine is rebooted, the virus installs itself into memory from the MBR and also starts to infect floppy boot sectors during floppy access, as well as COM and EXE files.

When resident, the virus occupies over 9kB of memory. Infected files will grow around 7-8kB in size, depending on the polymorphic decryptor. The polymorphic decryptor contains several conditional and unconditional jumps and several calls to do-nothing interrupts to confuse heuristics and emulation. Polymorphic encryption changes slowly, trying to make it difficult to create a large sample set with variable decryptors.

Hare will attempt to hide itself in files, but it will sometimes report the infected files to be a little bigger or smaller than they originally were.

Hare is Windows 95-aware: it will delete the floppy disk driver file to make itself capable of spreading to floppy disks used from Win95. After disinfecting Hare, you will need to reinstall the \WIN95\SYSTEM\IOSUBSYS\HSFLOP.PDR file from backups.

Hare activates when the machine is booted on the 22nd of August and 22nd of September. At this time it displays this text:

"HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...

After this the virus attempts to overwrite the hard drive and A: and B: drives. This produces a 'Non-system disk' error, but the virus stays resident after the destruction is done - so it can still replicate if a boot floppy is inserted to start up the machine.

Hare was found in the wild in the USA in May 1996 and was apparently distributed over the internet, as infections were soon found in Canada, the UK, Switzerland, Russia... in general, everywhere.

Variant: Hare.7750

This is a newer variant which has some bugs corrected. The text message in the virus has been changed to:

"HDEuthanasia-v2" by Demon Emperor: Hare, Krsna, hare, hare...

Otherwise the virus is like the original variant.

This variant was spread in faked posts in Usenet news on 26th of June, 1996. Infected files included:

  • vpro46c.exe in alt.cracks
  • agent99e.exe in alt.cracks
  • red_4.exe in alt.sex
  • pkzip300.exe in alt.comp.shareware

Variant: Hare.7786

The text message in this variant has been changed to:

"HDEuthanasia-v3" by Demon Emperor: Hare, Krsna, hare, hare...

This variant was spread in faked posts in Usenet news on 29th of June, 1996. Infected files included:

  • agent99e.exe in alt.crackers
  • lviewc.exe in alt.crackers

See: Fitw