HDKiller, which is also known as Coruaa, spreads itself like any other boot sector virus.
If a computer is booted from an infected diskette, the virus redirects the boot to the hard disk and the 'Non-system disk' error message is not shown. This makes the virus harder to spot than usual.
When a computer is booted from a diskette infected by the HDKiller virus, the virus reserves one kilobyte of memory for itself. However, when the computer is next booted from the infected hard disk, the amount of available memory stays normal. This is due to a programming error in the viruses code; the virus loads itself to the top of conventional memory, but does not mark this memory area as reserved. As a consequence, other programs may try to write to the same area. If this happens, the computer crashes immediately. Therefore, a HDKiller infection makes a computer very unstable.
HDKiller is a destructive virus. When it infects a hard disk, it stores the current date inside its own code. During subsequent boots, it compares the infection date to the system's date and activates after a month has passed. If, for example, the infection has occurred on 15th of January, the virus activates on the 14th of any month. When the virus activates, it overwrites some of the data on the hard disk.
HDKiller contains the following unencrypted text:
HDKiller By Rasek.
HDKiller does not store the original boot sector when it infects a disk. Instead, the functionalities of a diskette boot sector and a hard disk MBR have been incorporated into the viruse's code. In spite of this, the HDKiller virus can be removed by overwriting its code because it does not move or encrypt the partition table.