
Virus:W32/HLLO


First posted on 20 August 2010.
Source: SecurityHome

Aliases:

There are no other names known for Virus:W32/HLLO.

Explanation:

A malicious program that secretly integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.

Additional Details

HLLO identifies a family of overwriting viruses written in high-level languages such as Pascal, C, C++ or Basic. There are numerous variants in the family, some of which are detailed below.

Members of the HLLO family are rarely seen in the wild, but the chance of a false alarm is greater than with viruses written in assembly language. Compiler-generated code looks much like that of any other program built with the same compiler and run-time library, so it is harder to pick a search string that is distinct to the virus.

Variants

HLLO.Novademo

HLLO.Novademo is a non-resident overwriting virus written in a high-level language, probably Turbo Pascal 4.0. It is packed with PKLITE 1.15 and spreads in packed form.

This virus was originally found in Finland in March 1994 and appears to be of Finnish origin. It was initially spread via BBS systems in a file called NOVADEMO.ZIP. The archive was described by the following FILE_ID.DIZ file:

Nova Demo
New group presents new demo called NOVA now
with GUS, SB Pro, SB, PAS and Aria support!
This most parts of this demo are in SVGA
mode! And effects are as fast as usually!
This is state of art programming!

HLLO.Dangorous_Messanger
HLLO.Dangorous_Messanger infects files in the current directory and in the \DOS directory, if one exists. It does some preliminary checking before infecting a file and will not infect files smaller than approximately 12000 bytes.

When an infected program is executed, the virus searches for suitable EXE files in the \DOS directory of the current drive. If no suitable files are found there, it searches for victims in the current directory.

Once the virus has found a suitable file, it overwrites the first 12288 bytes of the victim with the virus code. The actual code takes up 8192 bytes; the remaining 4096 bytes are random filler. The virus infects up to three files per execution. It does not change the date and time stamps of the files it infects. Because the original bytes are overwritten rather than moved aside, infected files are irreparably damaged and must be replaced with clean copies.

After infecting, the virus overwrites the program file it was launched from with the text string "Dangerous Messanger was here" and deletes it. It then exits; at random it also displays the text "Bad command or file name" before exiting.

The virus also contains a separate activation routine, executed on a seemingly random basis. When it triggers, the virus overwrites all files in the current directory with several kilobytes of the same "Dangerous Messanger" string and deletes them. Finally it clears the screen and hangs the machine.

In addition to the strings shown above, the virus also contains the following text strings:

"This is Dangerous Messanger, and here is my message to the world"
"Computer protected, no action."
"Can't initalize hardware... Try on another computer..."

The second string might indicate that the virus will not spread if the machine is protected with some sort of marker. The last string is displayed only when the initial dropper of this virus, NOVADEMO.EXE, is executed.

The virus also carries an X-rated JPEG picture appended to its code, and an encrypted text in Finnish. Roughly translated, the message reads: "You should check what you put in your machine. Death to night-BBSs".

Even though this virus infects files only in the \DOS directory and in the current directory, it can still spread across the directory tree. This happens, for example, when a user changes to another directory and runs an infected program found via the PATH: the virus then searches the current directory once \DOS yields no more victims. Running an infected CHKDSK in the C:\WINDOWS directory would cause three of the EXE programs in the Windows directory to be infected.

As this virus destroys the files it infects, it is unlikely to become a serious threat. However, multiple reports of it in the wild in Scandinavia, Belgium and the USA have been received.

HLLO.Novademo.B
This variant is basically the same as Novademo.A, except that it contains the version number "1.1". The virus will not spread if the environment variable DM_P= [Alt 1] has been defined. A C variant of this virus has also been found.

HLLO.Honi
This German virus is one of the largest viruses known. There are two variants, 53248 and 48784 bytes in size. It spreads by searching for batch files and adding a line that executes 'dosinfo.exe'; it then copies itself to dosinfo.exe in the same directory as the batch file.
HLLO.Honi was in the wild in Germany during 1995 and 1996.

HLLO.Lowlevel
HLLO.Lowlevel is a very primitive overwriting virus written in Borland C. When executed, it overwrites all EXE files on the current drive with its code. Files smaller than the virus code are not affected. The virus code is packed with PKLITE 1.15.

When the infection process is finished, the virus displays the following message:

low-level warfare
v6.14.97.coded by
Five Style Fist
FiveStyleFist@Hotmail.Com

Lowlevel was reported to be in the wild in August 1997.

CVirus
The original CVirus was an HLLO virus that is practically extinct today. However, some versions of Intel Landesk antivirus and PC-Cillin have raised false alarms for 'CVirus' on several files.

HLLO.40932 and HLLO.41478
These are two related non-resident overwriting viruses written in compiled Basic. They use BAT files to copy their own code over existing EXE files with the "COPY /Y" command. Only EXE files larger than 40 kB are overwritten. Because the "/Y" switch (which suppresses the overwrite confirmation prompt) works only in DOS 6.0 and higher, these viruses will not spread on older machines.

The 40932 variant activates on the 15th of March, the 41478 variant on the 27th of May. When activating, both viruses delete the C:\IO.SYS file, making the machine unbootable.
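Every HLLO member described above is an overwriting virus, which gives a cheap triage handle: Dangerous Messanger replaces the first 12288 bytes of each victim, Lowlevel and HLLO.40932/41478 copy their whole body over the victim, and Honi drops itself as dosinfo.exe and adds a line to batch files. Victims therefore end up sharing an identical leading block, and mtime-based heuristics are useless because the timestamps are preserved. The following Python 3.9+ script is an added example written for this page, not code from the original description or from any antivirus vendor. It builds a constructed sample directory containing an inert stand-in for the virus body (no real malware), then clusters EXE files by the hash of their first 8192 bytes, looks for the strings quoted on this page, and flags batch files that run dosinfo.exe. The 8192-byte code length, the 12000-byte minimum and the marker strings come from the text above; the regular expression for Honi's batch line and the "identical prefix" heuristic are my assumptions.

```python
"""Triage helper for HLLO-style overwriting viruses (added example, Python 3.9+)."""
import hashlib
import os
import random
import re
import tempfile
from collections import defaultdict

PREFIX_LEN = 8192        # Dangerous Messanger: 8192 bytes of code, then 4096 bytes of random filler
FILLER_LEN = 4096
MIN_VICTIM_SIZE = 12000  # files smaller than roughly this are skipped by the virus
# Strings the page reports inside the virus bodies; a weak but cheap text signature.
MARKERS = [b"Dangerous Messanger was here", b"low-level warfare", b"Five Style Fist"]
# Honi adds a batch line that runs dosinfo.exe; the exact form matched here is an assumption.
HONI_LINE = re.compile(rb"(?im)^\s*(?:call\s+)?(?:[a-z]:)?[\\\w.]*dosinfo\.exe\b")


def prefix_hash(path, n=PREFIX_LEN):
    """Hash only the fixed code part; the 4096 filler bytes differ per victim."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(n)).hexdigest()


def shared_prefix_groups(paths):
    """Overwriting viruses leave every victim with the same leading block.
    Unrelated clean programs do not collide on 8192 bytes, so any group of two
    or more files with an identical prefix deserves a closer look.
    Timestamps are deliberately ignored: the virus preserves them."""
    groups = defaultdict(list)
    for p in paths:
        if os.path.getsize(p) >= MIN_VICTIM_SIZE:
            groups[prefix_hash(p)].append(p)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def marker_hits(path):
    with open(path, "rb") as f:
        data = f.read()
    return [m.decode() for m in MARKERS if m in data]


def bat_runs_dosinfo(path):
    with open(path, "rb") as f:
        return HONI_LINE.search(f.read()) is not None


def triage(root):
    """Walk root and return findings keyed by path relative to root."""
    exes, bats = [], []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if n.lower().endswith(".exe"):
                exes.append(p)
            elif n.lower().endswith(".bat"):
                bats.append(p)

    def rel(p):
        return os.path.relpath(p, root)

    markers = {}
    for p in exes:
        hits = marker_hits(p)
        if hits:
            markers[rel(p)] = hits
    return {
        "shared_prefix": [[rel(p) for p in g] for g in shared_prefix_groups(exes)],
        "markers": markers,
        "bat_hits": sorted(rel(p) for p in bats if bat_runs_dosinfo(p)),
    }


def build_sample_tree():
    """Constructed test data: an inert stand-in for the virus body, no real malware."""
    root = tempfile.mkdtemp(prefix="hllo_")
    rnd = random.Random(1)
    # Fixed 8192-byte "code" block carrying one of the strings quoted on the page.
    body = b"MZ" + MARKERS[0] + bytes(PREFIX_LEN - 2 - len(MARKERS[0]))

    def write(name, data):
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (0, 0))  # infection leaves mtime untouched, so mtime tells us nothing
        return p

    for i in range(3):  # clean programs with unrelated content
        write(f"clean{i}.exe", rnd.randbytes(20000))
    for i in range(3):  # victims: fixed code + random filler + the original file's tail
        original = rnd.randbytes(20000)
        write(f"victim{i}.exe", body + rnd.randbytes(FILLER_LEN) + original[PREFIX_LEN + FILLER_LEN:])
    write("tiny.exe", rnd.randbytes(4000))  # below the size threshold, never touched
    write("AUTOEXEC.BAT", b"@echo off\r\nPATH C:\\DOS\r\nC:\\DOS\\DOSINFO.EXE\r\n")
    write("clean.bat", b"@echo off\r\ndir\r\n")
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(key, value)
```

On the constructed tree the three victims form one shared-prefix group and carry the marker string, tiny.exe is skipped because it is below the size threshold, and only AUTOEXEC.BAT is flagged for the dosinfo.exe line. Against a real DOS tree the prefix check should be run on copies, since, as the page says, the overwritten files cannot be repaired and must be replaced from clean media.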

Last update 20 August 2010
