HLLP.Termite.5000 is a DOS virus written in high level language. It is capable of spreading under DOS and DOS boxes of Windows 3.x, 95, 98 and NT.
The virus is 5000 bytes long and it is encrypted. It is not memory resident. The virus is a prepending one. It has a sequence of payloads described below.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Being run, the virus first tries to find and delete the following files:
anti-vir.dat chklist.ms chklist.cps vs.vsn ivb.ntz
This is done to prevent several integrity checkers from detecting modifications in files that virus performs.
After this the virus cleans the file it was executed from. The file is renamed and its original beginning is restored. After that the virus starts looking for COM and EXE files in directories listed in PATH variable.
If a COM or EXE file is found the virus reads 5000 bytes of file to memory and checks if the file is already infected (infected files contain 5000 bytes of virus code in the beginning). In this case the file is closed and the search goes on.
If a clean file is found the virus renames and then infects it by writing 5000 bytes of its encrypted code to file start. The original 5000 bytes of infected file are encrypted and written to the file end. Then the file is renamed back. The virus infects not only DOS but also Windows EXE files.
The file is not infected by virus if its name or extension starts with the following:
WIN DLL SPA MAN DRV SCR KRNL 386 MSC COM EXP MOU GW GO STA USE GDI CON
The virus doesn't infect more than 20 files at a time to hide its presence, but nevertheless if it is run on slow system the perfomance dramatically decreases and the more files are infected, the bigger is delay before the virus passes control to the original program. The original file that was cured by the virus in the beginning is run using the "drive:\path\COMMAND.COM /C filename" command. After the original program terminates the virus re-infects the file and renames it back.
The attributes and time stamp of infected file doesn't change because the virus preserves them upon infection. The length of infected file is increased by 5000 bytes.
The virus has a nasty payload. Depending on its counters it sets 640x200 black and white mode and imitates movement of lots of small insects until a certain combination of keys is pressed. Then depending on other counters the virus outputs many 'faces' (ASCII 0x2) and a message:
Oops! I've got such terrible munchies. TERMiTE v1.0 RAiD[SLAM]
Then the virus deletes all files matching the following masks:
*.MP? *.GIF *.JPG *.DOC *.HLP (space)*.*
The virus was first reported in Africa.
Technical Details: Alexey Podrezov; F-Secure