Ehhehe

Classification

Malware

Virus

W32

HLLW.Ehhehe

Summary

This simple virus is written in BASIC.

The virus speads by adding a copy of itself to ZIP and ARJ archives as README.EXE file. When README.EXE is executed the virus searches for more ZIP and ARJ archives on the disk and writes a copy of itself to them.

Removal

Automatic action

Based on the settings of your F-Secure security program, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it to F-Secure Labs for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The virus uses DOS commands 'DIR \*.ARJ /S /B >>ARJ.DAT' and 'DIR \*.ZIP /S /B >>ZIP.DAT' to create lists of ZIP and ARJ archives that are available on the hard disk. The virus uses archive names from these list files to create a command line for calling the archivers: for ARJ its: 'ARJ a <archive name> README.EXE>>NULL' and for PKZIP its: 'PKZIP <archive name> README.EXE>>NULL'. The virus will not infect archives if ARJ.EXE or PKZIP.EXE are not present.

To block output to the screen from ARJ and PKZIP the virus redirects screen output to NULL device. The ARJ.DAT and ZIP.DAT files are deleted before the virus returns control to the system by using DOS commands: 'DEL ARJ.DAT>>NULL' and 'DEL ZIP.DAT>>NULL'.

When README.EXE is run, it displays several messages on the screen like 'Decompressing video drivers' or 'Decompressing sound files' and a progress indicator. During that time the virus infects all available archives. When the virus returns control to the system it displays a message:

Eh He He He v1.0 (2)

The number in brackets could change.

Date Created: -

Date Last Modified: -