HLLP.Termite.5000 is a DOS virus written in a high-level language. It
is capable of spreading under DOS and in the DOS boxes of Windows 3.x,
95, 98 and NT.
The virus is 5000 bytes long and it is encrypted. It is not memory
resident. The virus is a prepending one. It has a sequence of payloads
described below.
When run, the virus first tries to find and delete the following
files:
anti-vir.dat
chklist.ms
chklist.cps
vs.vsn
ivb.ntz
This is done to prevent several integrity checkers from detecting
the modifications that the virus makes to files.
After this the virus cleans the file it was executed from: the file
is renamed and its original beginning is restored. The virus then
starts looking for COM and EXE files in the directories listed in the
PATH variable.
If a COM or EXE file is found, the virus reads 5000 bytes of the file
into memory and checks whether the file is already infected (infected
files contain 5000 bytes of virus code at the beginning). If it is,
the file is closed and the search goes on.
If a clean file is found, the virus renames it and then infects it
by writing 5000 bytes of its encrypted code to the start of the file.
The original 5000 bytes of the infected file are encrypted and written
to the end of the file. Then the file is renamed back. The virus
infects not only DOS but also Windows EXE files.
A file is not infected by the virus if its name or extension starts
with any of the following:
WIN DLL SPA MAN DRV SCR KRNL 386
MSC COM EXP MOU GW GO STA USE GDI CON
The virus doesn't infect more than 20 files at a time to hide its
presence. Nevertheless, if it is run on a slow system the performance
decreases dramatically, and the more files are infected, the longer
the delay before the virus passes control to the original program. The
original file that was cured by the virus in the beginning is run
using the "drive:\path\COMMAND.COM /C filename" command. After the
original program terminates, the virus re-infects the file and renames
it back.
The attributes and time stamp of an infected file do not change
because the virus preserves them upon infection. The length of an
infected file is increased by 5000 bytes.
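The layout described above (a new 5000-byte start, 5000 extra bytes at
the end, unchanged time stamp) can be checked against a stored
baseline. The following Python code is an added example, not part of
the original analysis: the function names, the baseline format and the
constructed sample file are assumptions, and it assumes the bytes after
offset 5000 stay in place, as the description implies.

```python
import hashlib, os, tempfile
from pathlib import Path

VIRUS_LEN = 5000  # body length given in the description
# Integrity-checker databases the description says the virus deletes
CHECKER_DBS = ("anti-vir.dat", "chklist.ms", "chklist.cps", "vs.vsn", "ivb.ntz")

def _sha(b):
    return hashlib.sha256(b).hexdigest()

def snapshot(path):
    """Baseline: size plus separate hashes of the first 5000 bytes and the rest."""
    data = Path(path).read_bytes()
    return {"size": len(data), "head": _sha(data[:VIRUS_LEN]), "rest": _sha(data[VIRUS_LEN:])}

def check(path, base):
    """Classify a file against its baseline. Time stamp and attributes are
    ignored on purpose: the description says the virus preserves them."""
    data = Path(path).read_bytes()
    head_same = _sha(data[:VIRUS_LEN]) == base["head"]
    if len(data) == base["size"] and head_same and _sha(data[VIRUS_LEN:]) == base["rest"]:
        return "clean"
    # Described layout: new 5000-byte head, original bytes from offset 5000
    # left in place, 5000 extra bytes at the end.
    body_same = _sha(data[VIRUS_LEN:base["size"]]) == base["rest"]
    if (base["size"] >= VIRUS_LEN and len(data) == base["size"] + VIRUS_LEN
            and not head_same and body_same):
        return "termite-layout"
    return "modified"

def missing_checker_dbs(seen_before, directory):
    """Names from CHECKER_DBS that existed at baseline time but are gone now."""
    now = {n.lower() for n in os.listdir(directory)}
    return sorted(n for n in seen_before if n.lower() in CHECKER_DBS and n.lower() not in now)

def demo():
    """Constructed sample: filler bytes arranged in the described layout."""
    d = Path(tempfile.mkdtemp())
    prog, db = d / "TOOL.EXE", d / "chklist.ms"
    orig = bytes(range(256)) * 47                      # 12032 constructed bytes
    prog.write_bytes(orig)
    db.write_bytes(b"constructed")
    base, st = snapshot(prog), os.stat(prog)
    moved = bytes(b ^ 0x55 for b in orig[:VIRUS_LEN])  # stand-in for the encrypted head
    prog.write_bytes(b"\x00" * VIRUS_LEN + orig[VIRUS_LEN:] + moved)
    os.utime(prog, ns=(st.st_atime_ns, st.st_mtime_ns))  # time stamp put back
    db.unlink()
    same_mtime = os.stat(prog).st_mtime_ns == st.st_mtime_ns
    return check(prog, base), same_mtime, missing_checker_dbs(["chklist.ms"], d)
```

The baseline has to be stored somewhere other than the checker
database files listed above, since those are the first thing deleted.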
The virus has a nasty payload. Depending on its counters, it sets
640x200 black-and-white mode and imitates the movement of lots of
small insects until a certain combination of keys is pressed. Then,
depending on other counters, the virus outputs many 'faces' (ASCII
0x2) and a message:
Oops! I've got such terrible munchies. TERMiTE v1.0 RAiD[SLAM]
Then the virus deletes all files matching the following masks:
*.MP? *.GIF *.JPG *.DOC *.HLP (space)*.*
The virus was first reported in Africa.
[Analysis: Alexey Podrezov; F-Secure]