HDKiller

Classification

Malware

Virus

-

HDKiller

Summary

HDKiller is a relatively simple virus which infects diskette boot sectors and hard disk MBRs. The virus was discovered in Spain in November 1994.

Removal

This virus can also be disinfected manually by cold-booting the infected machine from a boot diskette with MS-DOS 5 or 6. The FDISK utility should be copied to the boot diskette beforehand.

After booting the machine, test that all hard disk partitions are visible with with DIR command. If you receive an error message like "Invalid drive specification", do not try to use FDISK to remove the virus.

If all partitions can be seen then the command FDISK /MBR will overwrite the virus in the master boot record.

After a succesful disinfection the machine can be booted normally again. Floppy disks can be disinfected manually by SYSing them on a clean machine.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

HDKiller, which is also known as Coruaa, spreads itself like any other boot sector virus.

If a computer is booted from an infected diskette, the virus redirects the boot to the hard disk and the 'Non-system disk' error message is not shown. This makes the virus harder to spot than usual.

When a computer is booted from a diskette infected by the HDKiller virus, the virus reserves one kilobyte of memory for itself. However, when the computer is next booted from the infected hard disk, the amount of available memory stays normal. This is due to a programming error in the viruses code; the virus loads itself to the top of conventional memory, but does not mark this memory area as reserved. As a consequence, other programs may try to write to the same area. If this happens, the computer crashes immediately. Therefore, a HDKiller infection makes a computer very unstable.

HDKiller is a destructive virus. When it infects a hard disk, it stores the current date inside its own code. During subsequent boots, it compares the infection date to the system's date and activates after a month has passed. If, for example, the infection has occurred on 15th of January, the virus activates on the 14th of any month. When the virus activates, it overwrites some of the data on the hard disk.

HDKiller contains the following unencrypted text:

HDKiller By Rasek.
 0UT Meilan!

HDKiller does not store the original boot sector when it infects a disk. Instead, the functionalities of a diskette boot sector and a hard disk MBR have been incorporated into the viruse's code. In spite of this, the HDKiller virus can be removed by overwriting its code because it does not move or encrypt the partition table.