Threat Description

HDKiller

Details

Aliases: HDKiller
Category: Malware
Type: Virus
Platform: W32

Summary

HDKiller is a relatively simple virus which infects diskette boot sectors and hard disk MBRs. The virus was discovered in Spain in November 1994.

Removal

This virus can also be disinfected manually by cold-booting the infected machine from a boot diskette with MS-DOS 5 or 6. The FDISK utility should be copied to the boot diskette beforehand.

After booting the machine, test that all hard disk partitions are visible with the DIR command. If you receive an error message like "Invalid drive specification", do not try to use FDISK to remove the virus.

If all partitions can be seen then the command FDISK /MBR will overwrite the virus in the master boot record.

After a successful disinfection the machine can be booted normally again. Floppy disks can be disinfected manually by SYSing them on a clean machine.

Technical Details

HDKiller, which is also known as Coruaa, spreads itself like any other boot sector virus.

If a computer is booted from an infected diskette, the virus redirects the boot to the hard disk and the 'Non-system disk' error message is not shown. This makes the virus harder to spot than usual.

When a computer is booted from a diskette infected by the HDKiller virus, the virus reserves one kilobyte of memory for itself. However, when the computer is next booted from the infected hard disk, the amount of available memory stays normal. This is due to a programming error in the virus's code: the virus loads itself to the top of conventional memory, but does not mark this memory area as reserved. As a consequence, other programs may try to write to the same area. If this happens, the computer crashes immediately. Therefore, an HDKiller infection makes a computer very unstable.

HDKiller is a destructive virus. When it infects a hard disk, it stores the current date inside its own code. During subsequent boots, it compares the infection date to the system's date and activates after a month has passed. If, for example, the infection has occurred on 15th of January, the virus activates on the 14th of any month. When the virus activates, it overwrites some of the data on the hard disk.

HDKiller contains the following unencrypted text:

HDKiller By Rasek.
        0UT Meilan!

HDKiller does not store the original boot sector when it infects a disk. Instead, the functionalities of a diskette boot sector and a hard disk MBR have been incorporated into the virus's code. In spite of this, the HDKiller virus can be removed by overwriting its code because it does not move or encrypt the partition table.
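As an added example (not part of the original F-Secure description), the following Python reads a 512-byte MBR image, checks the 0x55AA boot signature, decodes the four partition entries, and looks for the unencrypted "HDKiller By Rasek." marker in the boot-code area. It relies on two facts stated above: the marker text is unencrypted, and the virus leaves the partition table in place. The sample MBR the block builds is constructed for testing; the marker offset 0x100 and the partition values in it are assumptions, not taken from the virus.

```python
import struct

# Unencrypted marker text that the description says the virus carries.
HDKILLER_MARKER = b"HDKiller By Rasek."

PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte entries live here
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE_OFFSET = 0x1FE    # 0x55 0xAA ends a valid MBR


def parse_partition_table(sector: bytes) -> list:
    """Return the four MBR partition entries as dicts.

    Classic entry layout: status(1), CHS start(3), type(1), CHS end(3),
    LBA start(4, little-endian), sector count(4, little-endian).
    """
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def has_valid_signature(sector: bytes) -> bool:
    """True if the sector ends with the 0x55AA boot signature."""
    return sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] == b"\x55\xAA"


def scan_mbr(sector: bytes) -> dict:
    """Inspect one MBR image and report the facts a responder wants first."""
    entries = parse_partition_table(sector)
    active = [e for e in entries if e["status"] == 0x80]
    boot_code = sector[:PARTITION_TABLE_OFFSET]
    return {
        "signature_ok": has_valid_signature(sector),
        "hdkiller_marker": HDKILLER_MARKER in boot_code,
        "partition_count": sum(1 for e in entries if e["type"] != 0),
        "active_partitions": len(active),
        # At most one active entry, and every used entry has a size:
        # a sane table is the precondition for overwriting boot code.
        "partition_table_plausible": len(active) <= 1 and all(
            e["type"] == 0 or e["sectors"] > 0 for e in entries),
    }


def make_sample_mbr(infected: bool) -> bytes:
    """Build a constructed 512-byte MBR for testing (not a real disk image)."""
    boot_code = bytearray(PARTITION_TABLE_OFFSET)
    boot_code[0:3] = b"\xEB\x3C\x90"  # jmp short + nop, typical boot-code start
    if infected:
        # Marker placed in the boot-code area; the offset 0x100 is an
        # assumption for this sample, not the virus's real layout.
        boot_code[0x100:0x100 + len(HDKILLER_MARKER)] = HDKILLER_MARKER
    # One active FAT16 (type 0x06) partition: LBA 63, 65536 sectors (constructed).
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xFE\xFF\xFF", 63, 65536)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return bytes(boot_code) + table + b"\x55\xAA"


if __name__ == "__main__":
    for label, image in (("clean", make_sample_mbr(False)),
                         ("infected", make_sample_mbr(True))):
        print(label, scan_mbr(image))
```

Decoding the partition table before any repair mirrors the removal advice above: if the entries do not decode to sane partitions, the MBR should not simply be overwritten, because the table may not be recoverable from the boot sector alone.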

Description Created: Mikko Hypponen, F-Secure