This is a resident stealth multipartite virus with antiheuristics and
antiemulation tricks, encrypted with a slow polymorphic encryption
layer.
Hare infects COM and EXE files, MBRs of hard drives and floppy
boot sectors. Infected files and boot sectors are encrypted with
a slowly changing polymorphic encryption layer. Infected files
are marked by setting the seconds field of the time stamp to 34.
Hare will not infect files whose names start with 'TB' or 'F-', or files
which have the letter V in their name. This is done to avoid infecting
antivirus programs that have a self-check routine.
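
The marker and name rules above can be turned into a triage check. The Python below is an added example, not part of the original description: it reads raw FAT directory entries and flags COM/EXE files whose time stamp seconds equal 34. It assumes the standard 32-byte FAT 8.3 directory entry layout; the function names and the sample directory are constructed for illustration. A clean file can carry 34 seconds by chance, so a hit only selects the file for a real scan.

```python
import struct

# FAT 8.3 directory entry (32 bytes):
# name(8) ext(3) attr(1) reserved(10) time(2) date(2) first cluster(2) size(4)
ENTRY = struct.Struct("<8s3sB10sHHHI")
MARKER_SECONDS = 34  # infection marker given in the description

def dos_seconds(time_word):
    """Bits 0-4 of a DOS time word store seconds / 2."""
    return (time_word & 0x1F) * 2

def name_is_skipped(base):
    """Names the description says Hare leaves alone."""
    return base.startswith(("TB", "F-")) or "V" in base

def triage(raw_dir):
    """Map each COM/EXE entry in a raw FAT directory to a verdict."""
    verdicts = {}
    for off in range(0, len(raw_dir) - ENTRY.size + 1, ENTRY.size):
        name, ext, attr, _, time_word, _, _, _ = ENTRY.unpack_from(raw_dir, off)
        if name[0] == 0x00:                  # no further entries
            break
        if name[0] == 0xE5 or attr & 0x18:   # deleted, volume label/LFN, directory
            continue
        base = name.decode("ascii", "replace").rstrip()
        ext = ext.decode("ascii", "replace").rstrip()
        if ext not in ("COM", "EXE"):
            continue
        if dos_seconds(time_word) != MARKER_SECONDS:
            verdict = "no marker"
        elif name_is_skipped(base):
            verdict = "marker, name skipped by virus"  # likely coincidence
        else:
            verdict = "marker, scan file"
        verdicts[f"{base}.{ext}"] = verdict
    return verdicts

def make_entry(base, ext, hh, mm, ss):
    """Build one constructed entry (archive attribute, dummy date and size)."""
    time_word = (hh << 11) | (mm << 5) | (ss // 2)
    return ENTRY.pack(base.ljust(8).encode(), ext.ljust(3).encode(),
                      0x20, b"", time_word, 0x2121, 2, 4096)

# Constructed sample directory, not taken from a real disk.
SAMPLE_DIR = b"".join(make_entry(*e) for e in [
    ("GAME", "EXE", 12, 0, 34), ("EDIT", "COM", 9, 15, 10),
    ("TBSCAN", "EXE", 8, 30, 34), ("MOVE", "EXE", 8, 30, 34),
    ("README", "TXT", 8, 30, 34),
]) + bytes(32)

if __name__ == "__main__":
    for fname, verdict in triage(SAMPLE_DIR).items():
        print(f"{fname:12} {verdict}")
```

Because the virus is stealth while resident, run a check like this against a disk image or after booting from clean media.
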
When an infected file is run, the virus first infects the MBR of the
hard drive and then stays resident. At this stage it is able to infect
files (but not boot sectors). Hare attempts to bypass BIOS boot sector
virus protection systems while infecting the MBR.
When the machine is rebooted, the virus installs itself into memory
from the MBR and starts to infect floppy boot sectors during floppy
access, as well as COM and EXE files.
When resident, the virus occupies over 9kB of memory. Infected files
will grow around 7-8kB in size, depending on the polymorphic decryptor.
The polymorphic decryptor contains several conditional and unconditional
jumps and several calls to do-nothing interrupts to confuse heuristics
and emulation. Polymorphic encryption changes slowly, trying to make
it difficult to create a large sample set with variable decryptors.
Hare will attempt to hide itself in files, but it will sometimes
report the infected files to be a little bigger or smaller than
they originally were.
Hare is Windows 95-aware: it will delete the floppy disk driver file
to make itself capable of spreading to floppy disks used from Win95.
After disinfecting Hare, you will need to reinstall the
\WIN95\SYSTEM\IOSUBSYS\HSFLOP.PDR file from backups.
Hare activates when the machine is booted on the 22nd of August and
22nd of September. At this time it displays this text:
"HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...
After this the virus attempts to overwrite the hard drive and A: and B:
drives. This produces a 'Non-system disk' error, but the virus stays
resident after the destruction is done - so it can still replicate if a
boot floppy is inserted to start up the machine.
Hare was found in the wild in the USA in May 1996 and it was apparently
distributed over the internet, as infections were soon found in
Canada, UK, Switzerland, Russia... in general, everywhere.