HLLO is a family name: all overwriting viruses written in high-level
languages, such as Pascal, C, C++ or BASIC, have been grouped under
this name. There are several members, including the following
viruses: HLLO.3521, HLLO.4032, HLLO.4096, HLLO.4340, HLLO.4372,
HLLO.4778, HLLO.4870.A, HLLO.4870.B, HLLO.Ondra, HLLO.Cvirus 1.9,
HLLO.Cvirus 2.0, HLLO.DisDev, HLLO.Harakiri, HLLO.17690.
Members of the HLLO family are rarely seen in the wild, but the chance
of a false alarm is bigger than with viruses written in assembly
language. Most of the body of a compiled virus is the compiler's own
run-time library, which every clean program built with the same compiler
also carries, so it is more difficult to find a search string that
belongs to the virus alone rather than to the compiler.
HLLO.Novademo is a non-resident overwriting virus written in a
high-level language, probably Turbo Pascal 4.0. It has been packed
with PKLITE 1.15, and it spreads in packed form.
This virus was originally found in Finland in March 1994, and it
seems to be of Finnish origin. It was initially spread via BBS
systems, in a file called NOVADEMO.ZIP. This archive was described
by the following FILE_ID.DIZ file:
Nova Demo
New group presents new demo called NOVA now
with GUS, SB Pro, SB, PAS and Aria support!
This most parts of this demo are in SVGA
mode! And effects are as fast as usually!
This is state of art programming!
The virus, also listed under the name HLLO.Dangorous_Messanger after
the text it writes (see below), infects files in the current directory
and in the \DOS directory, if one exists. It does some preliminary
checking before infecting a file, and will not infect files which are
smaller than approximately 12000 bytes.
When an infected program is executed, the virus starts by searching
for suitable EXE files in the \DOS directory of the current drive.
If no suitable files are found there, the virus searches for victims
in the current directory instead.
Once the virus has found an appropriate file for infection, it
overwrites the first 12288 bytes of the victim file with the virus
code. The actual code part of the virus takes up 8192 bytes; the
remaining 4096 bytes are random filler. The virus infects up to
three files during one execution. It does not change the date and
time stamps of the files it infects, and because it overwrites rather
than appends, an infection is not visible in a directory listing.
Files are irreparably damaged by this infection process, and they need
to be replaced with clean copies.
After infecting, the virus overwrites the program file it was
launched from with the text string "Dangerous Messanger was here"
and deletes it. After this it exits; at random it also displays the
text "Bad command or file name" before exiting.
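The infection mechanism above (identical code written over the head of each victim, size and time stamps unchanged) and the false-alarm problem noted for the whole family can both be seen in a small triage script. The following is an added example, not code from the original description or from the analysts: every byte string in it is constructed. RUNTIME_PROLOG stands in for the start-up code that all programs built with the same compiler share, VIRUS_CODE for the 8192-byte virus body, and SAMPLE_DIR for a directory holding clean programs, two victims and what would remain of the launching program if its deletion were undone. The filler is assumed to differ from copy to copy, which is why the grouping check uses the 8192 code bytes rather than the full 12288-byte head.

```python
"""Triage heuristics for HLLO-style overwriters such as Novademo (added example)."""
import hashlib
import random
from collections import defaultdict

HEAD_LEN = 12288       # bytes Novademo overwrites at the start of a victim
CODE_LEN = 8192        # the part that is real virus code, identical in every copy
FILLER_LEN = HEAD_LEN - CODE_LEN   # random filler; assumed here to differ per copy
MARKER = b"Dangerous Messanger was here"


def _pseudo_random(seed: str, n: int) -> bytes:
    """Deterministic bytes standing in for file content (constructed, not real code)."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * n).to_bytes(n, "little")


# Constructed stand-ins: a compiler prolog shared by all programs, then the virus body.
RUNTIME_PROLOG = _pseudo_random("compiler-runtime-prolog", 96)
VIRUS_CODE = RUNTIME_PROLOG + _pseudo_random("virus-body", CODE_LEN - len(RUNTIME_PROLOG))


def clean_program(name: str, size: int) -> bytes:
    """A clean program: the shared prolog followed by program-specific bytes."""
    return RUNTIME_PROLOG + _pseudo_random(name, size - len(RUNTIME_PROLOG))


def infected_copy(victim: bytes, copy_id: str) -> bytes:
    """In-memory model of the infection as the text describes it: the first
    CODE_LEN bytes become the virus code, the next FILLER_LEN bytes filler,
    the tail of the file is left alone and the length does not change."""
    filler = _pseudo_random("filler-" + copy_id, FILLER_LEN)
    return VIRUS_CODE + filler + victim[HEAD_LEN:]


SAMPLE_DIR = {
    "CHKDSK.EXE": infected_copy(clean_program("chkdsk", 20000), "1"),
    "FORMAT.EXE": infected_copy(clean_program("format", 30000), "2"),
    "EDIT.EXE": clean_program("edit", 50000),
    "SMALL.EXE": clean_program("small", 9000),   # under ~12000 bytes: never a victim
    "LAUNCHER.EXE": MARKER,                       # the launching program after overwrite
}


def signature_hits(files: dict, signature: bytes = VIRUS_CODE[:16]) -> list:
    """Naive search string taken from the first bytes of the virus. Those bytes
    are the compiler prolog, so the string fires on every program built with
    that compiler: the false-alarm problem with high-level-language viruses."""
    return sorted(name for name, data in files.items() if data.startswith(signature))


def shared_head_groups(files: dict, head_len: int = CODE_LEN) -> dict:
    """Group files by the hash of their first head_len bytes and keep groups of
    two or more. Distinct clean programs never share 8 KB of identical leading
    bytes, so such a group means one overwriter wrote its code over all of them.
    Files shorter than head_len are skipped."""
    groups = defaultdict(list)
    for name, data in files.items():
        if len(data) >= head_len:
            groups[hashlib.sha256(data[:head_len]).hexdigest()].append(name)
    return {digest: sorted(names) for digest, names in groups.items() if len(names) > 1}


def marker_hits(files: dict) -> list:
    """Files carrying the text the virus writes over the program it ran from."""
    return sorted(name for name, data in files.items() if MARKER in data)


def triage(files: dict) -> dict:
    """Run all three checks; the shared-head result is the one to act on."""
    return {
        "naive_signature": signature_hits(files),
        "shared_head": sorted(n for names in shared_head_groups(files).values() for n in names),
        "marker": marker_hits(files),
    }


if __name__ == "__main__":
    for check, names in triage(SAMPLE_DIR).items():
        print(f"{check:16s} {names}")
```

Run stand-alone, the naive signature flags every program including the clean ones and the 9000-byte file the virus would never touch, while the head-hash grouping returns only the two victims; grouping on the full 12288 bytes finds nothing because the filler differs per copy.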
The virus contains a separate activation routine, which is executed
on a seemingly random basis. When it runs, it overwrites all
files in the current directory with several kilobytes of the
same "Dangerous Messanger" string and deletes them. Finally the
virus clears the screen and hangs the machine.
In addition to the strings shown above, the virus also contains
the following text strings:
"This is Dangerous Messanger, and here is my message to the world"
"Computer protected, no action."
"Can't initalize hardware... Try on another computer..."
The second string above might indicate that the virus will not
spread if the machine is protected with some sort of marker.
The last string is displayed only when the initial dropper of
this virus, NOVADEMO.EXE, is executed.
The virus also contains an X-rated JPEG picture, which is appended
to its code, and an encrypted text in Finnish.
Roughly translated, the message reads: "You should check what you
put in your machine. Death to night-BBS's".
Even though this virus infects files only in the \DOS directory and in
the current directory, it is capable of spreading across the
directory tree. This happens, for example, when a user changes
to another directory and runs an infected program found via the PATH.
Running an infected CHKDSK while the current directory is C:\WINDOWS
would cause three of the EXE programs in the Windows directory to be
infected.
As this virus destroys the files it infects, it is not expected
to become a serious threat. However, multiple reports of this virus
being in the wild in Scandinavia, Belgium and the USA have been received.
The B variant is basically the same as Novademo.A, except that it contains
the version number "1.1". This variant will not spread if the environment
variable DM_P=<Alt-1> has been defined, which is consistent with the
"Computer protected, no action." string noted above. A C variant of this
virus has also been found.
HLLO.Honi is a German virus and one of the biggest viruses known. There are two
variants, 53248 and 48784 bytes in size. It spreads by searching for batch files
and adding a line that executes 'dosinfo.exe'. It then copies itself to
dosinfo.exe in the same directory as the batch file.
HLLO.Honi was in the wild in Germany during 1995 and 1996.
HLLO.Lowlevel is a very primitive overwriting virus written in Borland
C. When executed, the virus overwrites all EXE files on the current
drive with its code. Files which are smaller than the virus code are
not affected. The virus code is packed with PKLITE 1.15.
When the infection process is done the virus displays the following
message:
low-level warfare
v6.14.97.coded by
Five Style Fist
FiveStyleFist@Hotmail.Com
Lowlevel was reported to be in the wild in August 1997.
The original CVirus was an HLLO virus that is practically extinct today.
However, some versions of Intel LANDesk antivirus and PC-cillin have
raised false alarms of 'CVirus' on several files.
The 40932 and 41478 variants are two related viruses written in compiled BASIC.
They use BAT files to copy their own code over existing EXE files with
the "COPY /Y" command. Only EXE files larger than 40kB are
overwritten.
Because the /Y switch, which suppresses the overwrite prompt, only exists in
DOS 6.0 and higher, these viruses do not spread on machines running older
DOS versions.
The 40932 variant activates on the 15th of March. The 41478 variant
activates on the 27th of May. When activating, both of these viruses
delete the C:\IO.SYS file, making the machine unbootable.
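Both HLLO.Honi and the compiled BASIC pair rely on batch files to spread, so a scan of .BAT files for the two planted patterns (a line that runs DOSINFO.EXE, and a COPY /Y whose target is an EXE) is a quick way to triage a suspect directory. The following is an added example, not code from the original description or from the analysts; the batch and directory contents are constructed samples. The DOSINFO.EXE name, the two Honi file sizes and the COPY /Y pattern are taken from the text above.

```python
"""Batch-file triage for the BAT-driven HLLO spreaders (added example)."""
import ntpath

HONI_SIZES = {53248, 48784}              # sizes of the two HLLO.Honi variants
DROPPER_NAMES = {"dosinfo", "dosinfo.exe"}


def _tokens(line: str) -> list:
    """Split a batch line roughly the way COMMAND.COM does; drop a leading '@'."""
    line = line.strip()
    if line.startswith("@"):
        line = line[1:].strip()
    return line.split()


def runs_dropper(tokens: list) -> bool:
    """True if any token, stripped of its directory part, names the Honi dropper."""
    return any(ntpath.basename(t).lower() in DROPPER_NAMES for t in tokens)


def copies_over_exe(tokens: list):
    """For 'COPY /Y <source> <target>.EXE' return the target, else None. /Y
    suppresses the overwrite prompt, which is what lets the BASIC viruses
    clobber an existing EXE from a batch file unattended."""
    if not tokens or tokens[0].lower() != "copy":
        return None
    switches = {t.lower() for t in tokens[1:] if t.startswith("/")}
    args = [t for t in tokens[1:] if not t.startswith("/")]
    if "/y" in switches and len(args) >= 2 and args[-1].lower().endswith(".exe"):
        return args[-1]
    return None


def suspicious_lines(bat_text: str) -> list:
    """(line number, reason) for every batch line matching either pattern."""
    findings = []
    for number, raw in enumerate(bat_text.splitlines(), 1):
        tokens = _tokens(raw)
        if runs_dropper(tokens):
            findings.append((number, "runs DOSINFO.EXE (HLLO.Honi)"))
        target = copies_over_exe(tokens)
        if target:
            findings.append((number, f"COPY /Y over {target} (compiled BASIC overwriter)"))
    return findings


def triage_directory(listing: dict) -> dict:
    """listing maps a file name to str (batch text) or bytes (binary content).
    Returns findings keyed by file name; files with nothing to report are absent."""
    report = {}
    for name, content in listing.items():
        lower = name.lower()
        if lower.endswith(".bat") and isinstance(content, str):
            hits = suspicious_lines(content)
            if hits:
                report[name] = [f"line {n}: {why}" for n, why in hits]
        elif lower == "dosinfo.exe" and isinstance(content, bytes):
            note = "dropper name present"
            if len(content) in HONI_SIZES:
                note += ", size matches an HLLO.Honi variant"
            report[name] = [note]
    return report


# Constructed sample directory: one Honi-style AUTOEXEC.BAT plus its dropper,
# one BASIC-style installer, and a benign backup script that also uses /Y.
SAMPLE_DIR = {
    "AUTOEXEC.BAT": "@ECHO OFF\r\nPATH C:\\DOS;C:\\WINDOWS\r\nC:\\DOS\\DOSINFO.EXE\r\nSET TEMP=C:\\TEMP\r\n",
    "DOSINFO.EXE": b"MZ" + bytes(53246),
    "SETUP.BAT": "@echo off\r\ncopy /y SETUP.DAT C:\\GAMES\\GAME.EXE\r\necho done\r\n",
    "BACKUP.BAT": "@echo off\r\ncopy /y C:\\DATA\\*.* D:\\BACKUP\r\n",
}


if __name__ == "__main__":
    for name, notes in triage_directory(SAMPLE_DIR).items():
        print(name, notes)
```

BACKUP.BAT is deliberately left unflagged: a COPY /Y on its own is ordinary batch usage, and only a COPY /Y whose target is an EXE matches what the text describes.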
[Analysis: Mikko Hypponen & Peter Szor, F-Secure, 1990s]