Threat Description

HLLP.Termite.5000

Details

Aliases:HLLP.Termite.5000
Category: Malware
Type:
Platform: W32

Summary



HLLP.Termite.5000 is a DOS virus written in high level language. It is capable of spreading under DOS and DOS boxes of Windows 3.x, 95, 98 and NT.

The virus is 5000 bytes long and it is encrypted. It is not memory resident. The virus is a prepending one. It has a sequence of payloads described below.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Being run, the virus first tries to find and delete the following files:

anti-vir.dat
  chklist.ms
  chklist.cps
  vs.vsn
  ivb.ntz

This is done to prevent several integrity checkers from detecting modifications in files that virus performs.

After this the virus cleans the file it was executed from. The file is renamed and its original beginning is restored. After that the virus starts looking for COM and EXE files in directories listed in PATH variable.

If a COM or EXE file is found the virus reads 5000 bytes of file to memory and checks if the file is already infected (infected files contain 5000 bytes of virus code in the beginning). In this case the file is closed and the search goes on.

If a clean file is found the virus renames and then infects it by writing 5000 bytes of its encrypted code to file start. The original 5000 bytes of infected file are encrypted and written to the file end. Then the file is renamed back. The virus infects not only DOS but also Windows EXE files.

The file is not infected by virus if its name or extension starts with the following:

WIN DLL SPA MAN DRV SCR KRNL 386
  MSC COM EXP MOU GW GO STA USE GDI CON

The virus doesn't infect more than 20 files at a time to hide its presence, but nevertheless if it is run on slow system the perfomance dramatically decreases and the more files are infected, the bigger is delay before the virus passes control to the original program. The original file that was cured by the virus in the beginning is run using the "drive:\path\COMMAND.COM /C filename" command. After the original program terminates the virus re-infects the file and renames it back.

The attributes and time stamp of infected file doesn't change because the virus preserves them upon infection. The length of infected file is increased by 5000 bytes.

The virus has a nasty payload. Depending on its counters it sets 640x200 black and white mode and imitates movement of lots of small insects until a certain combination of keys is pressed. Then depending on other counters the virus outputs many 'faces' (ASCII 0x2) and a message:

Oops! I've got such terrible munchies. TERMiTE v1.0 RAiD[SLAM]

Then the virus deletes all files matching the following masks:

*.MP? *.GIF *.JPG *.DOC *.HLP (space)*.*

The virus was first reported in Africa.





Technical Details: Alexey Podrezov; F-Secure


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More