Virus Name: H&P Virus Type: File Infector Virus (.COM files)
Virus Length: No change PC Vectors Hooked: None Executing Procedure: 1) H&P searches for an uninfected .COM file in the current directory and, when it finds one, infects it. Only one file is infected. Damage: Overwrites the original file, so the length of the infected file won't increase. Note: 1) H&P doesn't stay resident in memory. 2) It doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Hobbit Virus Type: File Virus (.EXE files) Virus Length: 505 bytes When an infected file is executed, Hobbit installs itself into memory. Total available memory will have decreased by 1,440 bytes. Once the virus is memory resident, it will infect .EXE files when they are executed or opened and overwrite the first 505 bytes of the file. Date and time information on infected files will not be altered. The text string "HOBIT" can be found in infected files.
Virus Name: HIGHLAND Virus Type: Memory Resident, File Infector Virus (.COM files) Virus Length: 477 bytes PC Vectors Hooked: INT 21h (AX=4B00h) Infecting Procedure: 1) If, after checking, HIGHLAND finds that it is not already loaded resident in memory, it then loads itself by hooking INT 21h. 2) Next, it executes the original file. 3) Once it's loaded into resident memory it will infect any uninfected file that is executed. Damage: When the system date is the 29th of any month, infected files can't be executed. Detection Method: Infected files increase by 477 bytes. Note: Highland doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: HBT Virus Type: Memory Resident, File Infector Virus (.COM and .EXE files). Virus Length: 394 bytes PC Vectors Hooked: INT 21h (AX=4B00h) (execute program) Infecting Procedure: 1) If, after checking, HBT finds that it is not already loaded resident in memory, it loads itself by hooking INT 21h. 2) Next, it executes the original file. 3) Once it's loaded into resident memory it will infect any uninfected file that is executed. Damage: When the virus is resident in memory, a file can't be executed. Detection Method: Infected files increase in size by 394 bytes. Note: The HBT virus doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: HUNGARIAN Virus Type: Highest Memory Resident, File Infector Virus (.COM and .EXE files) Virus Length: 749 bytes PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 8h Infecting Procedure: 1) If, after checking, HBT finds that it is not already loaded resident in memory, it loads itself (into highest memory) by hooking INT 21h. 2) If the year=1990 and the month >=6, HUNGARIAN will hook INT 8h and then execute the original file. 3) Once it's loaded into resident memory it will infect any uninfected file that is executed. Damage: When Hungarian hooks INT 8h, it will set the Counter to 0xFFFF. Each time INT 8h is called, the counter will decrease by one. When the counter equals zero (about one hour), the virus will begin to destroy files. Whenever you run any file, it will be destroyed. Detection Method: Infected file size increases by 749 bytes. Note: The Hungarian virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: HERO-394 Aliases: None Virus Type: File Infector Virus (.EXE files) Virus Length: 394 bytes Damage: None Detection Method: If the system date is the first day of any month, a confusing code will be displayed on the screen. The virus increases infected EXE. file size by 394 bytes.
Virus Name: Halloween Aliases: Happy Halloween Virus Type: File Infector Virus (.COM and .EXE files) Virus Length: N/A Executing Procedure: 1) If, after checking, Halloween finds that it is not already loaded resident in memory, it loads itself by hooking INT 21h. 2) It next executes the original file. 3) Once it's loaded into resident memory it will infect any uninfected file that is executed. Damage: The virus finds an executable file (first .EXE file then .COM) in the current directory and proceeds to infect it. It will display "Runtime error 002 at 0000:0511" on screen if it finds no uninfected files. Detection Method: Every Oct 31, Halloween will create a 10KB-long file and display the message "Runtime error 150 at 0000:0AC8." Note: The virus loads itself as resident in memory. An error message appears if an I/O error (such as write protect) occurs.
Virus Name: Ha Virus Type: Parasitic Virus Virus Length: .EXE file size increases by 1458-1468 bytes and .COM file size increases by 1462 bytes. PC Vectors Hooked: INT 21h Executing procedure: 1) If, after checking, Ha finds that it is not already loaded resident in memory, it loads itself (into highest memory) by hooking INT 21h, and then executes the host program. 2) If it finds that it already resides in highest memory, it will execute the program directly. Infecting Procedure: The virus infects files through AH=4B in INT 21h. Uninfected files are infected when they are executed. Damage: None Detection Method: File lengths increase by between 1458 and 1468 bytes.
Virus Name: Hallo Virus Type: Parasitic Virus (infects .COM files) Virus Length: 496 bytes PC Vectors Hooked: None Executing Procedure: 1) Hallo searches for an uninfected .COM file on the current disk and when it finds one, infects it. (Infects only one file each time.) 2) After the file is infected, the virus displays the messsage "I have got a virus for you!." Damage: None Detection Method: The string "I have got a virus for you!" displays when you execute programs. Infected file lengths increase by 599 bytes. Notes: 1) Non memory resident. 2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.
Virus Name: Hiccup Aliases: Comp-3351 Virus Type: Parasitic Virus (infects .EXE files) Virus Length: 3351 bytes Executing Procedure: 1) Hiccup searches for an .EXE file in the current directory. 2) Creates a *.com file (hidden file) consisting of the virus itself. When executed, the *.COM file executes, then returns to the original routine. Damage: None Detection Method: File length is 3351 bytes. Notes: 1) Non memory resident. 2) The virus file has been compressed and cannot be recognized before being decompressed (similar to PKLITE).
Virus Name: Hallo-759 Virus Type: Parasitic Virus (infects .COM files) Virus Length: 533 bytes PC Vectors Hooked: None Executing Procedure: 1) Hallo searches for an uninfected .COM file on the current disk and when it finds one, infects it. (Infects only one file each time.) 2) After infecting, the virus displays the string "I have got a virus for you!" Damage: None Detection Method: The string "I have got a virus for you!" is displayed when executing programs. The lengths of infected files increases by 759-775 bytes. Notes: 1) The infecting part was badly written. After the infected files end, the system will hang. 2) Non memory resident. 3) When infecting files, the virus does not hook INT 24h. An error message appears when I/O errors occur.
Virus Name: Harm-1082 Virus Type: Parasitic Virus (infects .COM files) Virus Length: 1082 - 1097 bytes PC Vectors Hooked: INT 21h Executing Procedure: 1) If, after checking, Harm-1082 finds that it is not already loaded resident in memory, it loads itself (into highest memory) by hooking INT 21h, and then executes the host program. 2) If it already resides in memory, the virus executes the host program directly. Infecting Procedure: The virus infects files through AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. Damage: None Detection Method: Infected file size increases by 1082-1097 bytes.
Virus Name: Hor-2248 Virus Type: Parasitic Virus (infects .COM and .EXE files) Virus Length: 2248 bytes PC Vectors Hooked: INT 21h and INT 24h Executing Procedure: (The virus cannot run in DOS 5.0) 1) If, after checking, Hor-2248 finds that it is not already loaded resident in memory, it loads itself (into highest memory) by hooking INT 21h, and then executes the host program. 2) If it already resides in memory, the virus executes the host program directly. Infecting Procedure: The virus infects files through AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. Before infecting, the virus hooks INT 24h first so that I/O errors will be ingnored. Damage: None Detection Method: Infected files increase in size by 2248 bytes.
Virus Name: Hitler Virus Type: File Infector (.COM files) Virus Length: 4808 bytes Executing Procedure: Hitler looks to see if it is already resident in memory. If it isn't, the virus will stay resident in high memory, then hook INT 21h and return to the original routine. Vectors Hooked: Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: None Detection Method: Infected file length increases by 4808 bytes.
Virus Name: Hellwean1182 Virus Type: File Infector (.EXE and .COM files) Virus Length: 1182 bytes Executing Procedure: 1) If, after checking, Hellwean1182 finds that it is not resident in memory, it will reside in high memory. 2) It next hooks INT 21h and then returns to the original routine. Vectors Hooked: Hooks INT 21H (AH=4Bh) to infect files. First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected .COM or .EXE file, the virus proceeds to infect it. Damage: None Detection Method: Infected file size increases by 1182 bytes.
Virus Name: HELLO-SHSHTAY Virus Type: Memory Block Resident File Infector - Infects .COM files shorter than 63776 bytes and .EXE files shorter than 52428 bytes. Virus Length: 1840 - 1855 bytes in .EXE files, 1600 - 1615 bytes in .COM files, 1792 bytes in memory. Interrupt Vectors Hooked: INT 21h Infection Process: The virus stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary. The available free memory decreases by 1792 bytes. The virus infects .EXE and .COM programs when they are executed. Damage: Decreased available memory. Symptoms: Virus displays the following messages on screen: "HELLO SHSHTAY" " GODBYE AMIN " "HELLO SHSHTAY" " ZAGAZIG UNIV"
Infected .EXE file lengths increase by between 1840 and 1855 bytes and infected .COM files will have a file length increase of between 1600 and 1615 bytes. The virus will be located at the end of the file in both cases. Note: If the system date is January, 1994 or later, the virus will hook INT 1Ch , INT 09h and set a counter = 0. Interrupt 1ch will add one to the counter 18.2 times per second . When the counter is greater than or equal to 3786 (ECAh) it will trigger INT 09h and reset the counter back to 0. When Interrupt 09h is activated, it will place a message into the keyboard buffer, so that approximaetly every 208 (3786/18.2) seconds, the screen will display one of the messages from the above list.
Virus Name: Hacktic2 Virus Type: File Infector (.COM files) Virus Length: 93 bytes Executing Procedure: Virus searches for an uninfected .COM file on the current directory, then infects it (infects only one file each time). Damage: None Note: 1) It does not stay resident in memory. 2) You will see an error message when writing because INT 24h has not been hanged. Detection Method: Infected file size increases by 93 bytes.
Virus Name: Horror Virus Type: File Infector (.COM and .EXE files) Virus Length: 1112-1182 bytes Executing Procedure: If, after checking, Horror finds that it is not resident in memory, it will stay resident in high memory. Then it hooks INT 21h, and looks to see whether the COMMAND.COM file that booted up system has been infected. If it hasn't, Horror infects it and then returns to the original routine. Vectors Hooked: Horror hooks INT 21H (AH=4Bh) to infect files. First, it hang sINT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected .COM or .EXE file, virus proceeds to infect it. Damage: It will destroy all data on hard disk (every variant of the virus has its own infecting time). Note: The Soft-mice software is destroyed by infected .EXE programs. Detection Method: Infected file size increases by 1112-1182 bytes.
Virus Name: Hard-Day Virus Type: File Infector (.COM files) Virus Length: 662 bytes Executing Procedure: If, after looking, Hard-Day finds that it is not resident in memory, it will stay resident in high memory. Then it hooks INT 21h and returns to the original routine. Vectors Hooked: Hard-Day hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected COM file, the virus proceeds to infect it. Damage: If the current calendar day is a Monday and the current time is 18:00 or later, the virus displays the message " Hard day's night!," Next, it halts the system. Note: You will see an error message when writing because INT 24h has not been hanged. Detection Method: Infected file size increases by 662 bytes.
Virus Type : File Virus
Other Name :
Virus Length :
Virus Infect Type : EXE files
Place of Origin :
Virus Memory Type : High Memory Type
Int. Vectors Hooked : Int. 21h
Infection Procedure:
It first checks if the value stored in DS:[0164] is 2ED3h (if 2ED3h is not moved to that address). The virus loads itself in the high memory in address 9FC0:0h. After loading to the high memory it hooks interrupt 21h, then sets it. Once in memory, the virus waits for an EXE file to be executed to infect it. A word "Hi" can be found in the virus code for every infected EXE file.
Virus Infect Type : COM & EXE files
including COMMAND.COM
Int. Vectors Hooked : Int 21h
The virus saves the first 16 bytes to address 114C:08D5h and later changes the first 16 bytes at 0:0 from 11BA:0285h. But before changing an encryption occurs starting in 11BA:012Eh by XORing it to 95h, 288 bytes. When the virus code is executed, it locates COMMAND.COM, then it searches for other COM and EXE files in the same directory where the virus is executed. The infection can't be easily be seen because the size of the file is still the same.
An infected file increases in length by approximately 1700 bytes.
Virus Reinfect Type : Non-Resident
Virus Memory Type :
Int. Vectors Hooked :
When the infected file is executed, three EXE files will be infected, copying their filenames and changing their extensions to .COM. For every infected file, when executed, at most three EXE files are infected.
This enables the virus code to execute first before the original EXE file.
Virus Infect Type : COM & EXE File and
Master Boot Record
Virus Memory Type : High Memory
The virus first NOTs the data in CS:[DI] or 115C:2822 with a CX value of ED5h. Then another encryption starting 115C:29B2 with a CX value of E0Eh, XOR in AX with an initial value of 2726 then increments AH and AL by 2h. Then it gets the memory size service with a return value of AX=280h. Then gets the dos variable. Then it loads it to high memory from 115C:2810 to 9DDE:0 with a size of 1DBAh. A message can be found there which reads: "HDEuthanasia by Demon Emperor: Hare Krsua, hare, hare" Then it hooks int 21h and sets it. From there it infects the master boot record.
Encrypts data, address 115C:[2824], 3866 times by using the NOT operand. Another loop in 115C:[29B2], 3667 times by XORing to AX, but AH and AL are incremented by 2h, thus producing: "INFECTUM.COM.HOSTA.COMCOM.COMMAND\SYSTEM\IOSUBSYS\HSFLOP.PDR"
Then it gets the memory size, 640 bytes. Then gets the dos variable, next it loads the code to the high memory, from 115C:2810 to 9DD5:0000 having 7750 bytes to be loaded. It returns the disk drive parameters, trying to read the hard disk. Then tries to read disk sectors, 1 sectors to be transferred to address 9DD5:2096, track no. 108, sector no. 1, head no. 125. Then proceeds to these codes:
XOR AL,AL OUT 43,AL JMP 94C IN AL,40 MOV AH,AL IN AL,40 XOR AL,AH XCHG AL,AH The virus infects the MBR first, from there it will wait for any COM and EXE files.
Damage :
Checks the path and infects all the files there. When rebooting, the computer reboots repeatedly.
Virus Infect Type : EXE & COM files
Trigger Condition : November 1
The virus loads itself into the high memory immediately copying from address 1155:0129h to 9F89:0000h, copying 1376 bytes. Then it hooks Int 21h. Then it gets the Real-Time Clock date to determine what is the date, and returned values are in BCD. It checks whether the date is November 1 or not. If yes, then it clears the screen, background color is red and this message appears in the middle of the screen:
"Nesedte porad u pocitace a zkuste jednou delat neco rozumneho!" "**************" "!! Poslouchjte HELLOWEEN - nejlepsi metalovou skupinu !!"
Then by pressing any key, the machine will reboot. Making no infection.
But if the date is not November 1, then a COM and/or EXE files executed will be infected.
Detection method :
File increases up to 1376 bytes.