Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Hare

Hare.7610, Hare.7650, Hare.7786

This is a resident, polymorphic, multi-partite, stealth COM and EXE infector. Moreover, it attacks diskettes boot sectors and hard disk’s MBR. When an infected file is executed Hare installs itself into memory and attacks hard disk’s MBR. After that it attacks suitable files. The virus infects diskettes boot sectors only after installation from hard disk’s MBR. When an attempt is made to load the system from an infected system diskette the virus attacks only hard disk’s MBR and does not install itself into memory. It marks the infected files by setting the value of seconds in the time of the last file modification to 34. That change is not visible while the virus is active in memory. When infecting, the virus avoids files with names starting at “TB”, “F-”, “IV”, “CH” and “COMMAND”, as well as those containing letter “v” in their name. If system Windows 95 is installed the virus deletes the file HSFLOP.PDR in directory WINDOWS\SYSTEM\IOSUBSYS. The polymorphic virus generator is very interesting as such. During decryptor generation the virus uses on one computer always the same values as entries for random numbers generator. That is why all virus copies are identical on one computer. On August 22nd and on September 22nd the virus deletes sectors on hard disk and writers the following text:

Hare.7610: HDEuthanasia by Demon Emperor: Hare, Krsna, hare, hare...
Hare.7650: HDEuthanasia-v2 by Demon Emperor: Hare, Krsna, hare,hare...
Hare.7786: HDEuthanasia-v2 by Demon Emperor: Hare, Krsna, hare, hare...

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.