H & P

Virus Name: H&P

Virus Type: File Infector Virus (.COM files)


Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) H&P searches for an uninfected .COM file in the current directory and, when it finds one, infects it. Only one file is infected.

Damage: Overwrites the original file, so the length of the infected file won't increase.

Note:
1) H&P doesn't stay resident in memory.
2) It doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


Hobbit

Virus Name: Hobbit

Virus Type: File Virus (.EXE files)

Virus Length: 505 bytes

When an infected file is executed, Hobbit installs itself into memory. Total available memory will have decreased by 1,440 bytes.

Once the virus is memory resident, it will infect .EXE files when they are executed or opened and overwrite the first 505 bytes of the file. Date and time information on infected files will not be altered.

The text string "HOBIT" can be found in  infected files.



Highland

Virus Name: HIGHLAND

Virus Type: Memory Resident, File Infector Virus (.COM files)

Virus Length: 477 bytes

PC Vectors Hooked: INT 21h (AX=4B00h)

Infecting Procedure:
1) If, after checking, HIGHLAND finds that it is not already loaded resident in memory, it then loads itself by hooking INT 21h.
2) Next, it executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Damage: When the system date is the 29th of any month, infected files can't be executed.

Detection Method: Infected files increase by 477 bytes.

Note: Highland doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


HBT

Virus Name: HBT

Virus Type: Memory Resident, File Infector Virus (.COM and .EXE files).

Virus Length: 394 bytes

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)

Infecting Procedure:
1) If, after checking, HBT finds that it is not already loaded resident in memory, it loads itself by hooking INT 21h.
2) Next, it executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Damage: When the virus is resident in memory, a file can't be executed.

Detection Method: Infected files increase in size by 394 bytes.

Note: The HBT virus doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


Hungarian

Virus Name: HUNGARIAN

Virus Type: Highest Memory Resident, File Infector Virus (.COM and .EXE files)

Virus Length: 749 bytes

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h, INT 8h

Infecting Procedure:
1) If, after checking, HBT finds that it is not already loaded resident in memory, it loads itself (into highest memory) by hooking INT 21h.
2) If  the year=1990 and the month >=6, HUNGARIAN will hook INT 8h and then execute the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Damage: When Hungarian hooks INT 8h, it will set the Counter to 0xFFFF. Each time INT 8h is called, the counter will decrease by one. When the counter equals zero (about one hour), the virus will begin to destroy files. Whenever you run any file, it will be destroyed.

Detection Method: Infected file size increases by 749 bytes.

Note: The Hungarian virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


Hero-394

Virus Name: HERO-394

Aliases: None

Virus Type: File Infector Virus (.EXE files)

Virus Length: 394 bytes

Damage: None

Detection Method: If the system date is the first day of any month, a confusing code will be displayed on the screen. The virus increases infected EXE. file size by 394 bytes.


Halloween

Virus Name: Halloween

Aliases: Happy Halloween

Virus Type: File Infector Virus (.COM and .EXE files)

Virus Length: N/A

Executing Procedure:
1) If, after checking, Halloween finds that it is not already loaded resident in memory, it loads itself  by hooking INT 21h.
2) It next executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Damage: The virus finds an executable file (first .EXE file then .COM) in the current directory and proceeds to infect it. It will display "Runtime error 002 at 0000:0511" on screen if it finds no uninfected files.

Detection Method: Every Oct 31, Halloween will create a 10KB-long file and display the message "Runtime error 150 at 0000:0AC8."

Note: The virus loads itself as resident in memory. An error message appears if an I/O error (such as write protect) occurs.


Ha

Virus Name: Ha

Virus Type: Parasitic Virus

Virus Length: .EXE file size increases by 1458-1468 bytes and .COM file size increases by 1462 bytes.

PC Vectors Hooked: INT 21h

Executing procedure:
1) If, after checking, Ha finds that it is not already loaded resident in memory, it loads itself (into highest memory) by hooking INT 21h, and then executes the host program.
2) If it finds that it already resides in highest memory, it will execute the program directly.

Infecting Procedure: The virus infects files through AH=4B in INT 21h. Uninfected files are infected when they are executed.

Damage: None

Detection Method: File lengths increase by  between 1458 and 1468 bytes.


Hallo

Virus Name: Hallo

Virus Type: Parasitic Virus (infects .COM files)

Virus Length: 496 bytes

PC Vectors Hooked: None

Executing Procedure:
1) Hallo searches for an uninfected .COM file on the current disk and when it finds one, infects it. (Infects only one file each time.)
2) After the file is infected, the virus displays the messsage "I have got a virus for you!."

Damage: None

Detection Method: The string "I have got a virus for you!" displays when you execute programs. Infected file lengths increase by 599 bytes.

Notes:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.


Hiccup

Virus Name: Hiccup

Aliases: Comp-3351

Virus Type: Parasitic Virus (infects .EXE files)

Virus Length: 3351 bytes

Executing Procedure:
1) Hiccup searches for an .EXE file in the current directory.
2) Creates a *.com file (hidden file) consisting of the virus itself. When executed, the *.COM file executes, then returns to the original routine.

Damage: None

Detection Method: File length is 3351 bytes.

Notes:
1) Non memory resident.
2) The virus file has been compressed and cannot be recognized before being decompressed (similar to PKLITE).


Hallo-759

Virus Name: Hallo-759

Virus Type: Parasitic Virus (infects .COM files)

Virus Length: 533 bytes

PC Vectors Hooked: None

Executing Procedure:
1) Hallo searches for an uninfected .COM file on the current disk and when it finds one, infects it. (Infects only one file each time.)
2) After infecting, the virus displays the string "I have got a virus for you!"

Damage: None

Detection Method: The string "I have got a virus for you!" is displayed when executing programs. The lengths of  infected files increases by 759-775 bytes.

Notes:
1) The infecting part was badly written. After the infected files end, the system will hang.
2) Non memory resident.
3) When infecting files, the virus does not hook INT 24h. An error message appears when I/O errors occur.


Harm-1082

Virus Name: Harm-1082

Virus Type: Parasitic Virus (infects .COM files)

Virus Length: 1082 - 1097 bytes

PC Vectors Hooked: INT 21h

Executing Procedure:
1) If, after checking, Harm-1082 finds that it is not already loaded resident in memory, it loads itself (into highest memory) by hooking INT 21h, and then executes the host program.
2) If it already resides in memory, the virus executes the host program directly.

Infecting Procedure: The virus infects files through AH=4B in INT 21h. When an uninfected program is executed, it becomes infected.

Damage: None

Detection Method: Infected file size increases by 1082-1097 bytes.


Hor-2248

Virus Name: Hor-2248

Virus Type: Parasitic Virus (infects .COM and .EXE files)

Virus Length: 2248 bytes

PC Vectors Hooked: INT 21h and INT 24h

Executing Procedure: (The virus cannot run in DOS 5.0)
1) If, after checking, Hor-2248 finds that it is not already loaded resident in memory, it loads itself (into highest memory) by hooking INT 21h, and then executes the host program.
2) If it already resides in memory, the virus executes the host program directly.

Infecting Procedure: The virus infects files through AH=4B in INT 21h. When an uninfected program is executed, it becomes infected. Before infecting, the virus hooks INT 24h first so that I/O errors will be ingnored.

Damage: None

Detection Method: Infected files increase in size by 2248 bytes.


Hitler

Virus Name: Hitler

Virus Type: File Infector (.COM files)

Virus Length: 4808 bytes

Executing Procedure: Hitler looks to see if it is already resident in memory. If it isn't, the virus will stay resident in high memory, then hook INT 21h and return to the original routine.

Vectors  Hooked: Hooks INT 21H (AH=4Bh) to infect files. First, it hangs INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Detection Method: Infected file length increases by 4808 bytes.


Hellwean-1182

Virus Name: Hellwean1182

Virus Type: File Infector (.EXE and .COM files)

Virus Length: 1182 bytes

Executing Procedure:
1) If, after checking, Hellwean1182 finds that it is not resident in memory, it will reside in high memory.
2) It next hooks INT 21h and then returns to the original routine.

Vectors Hooked: Hooks INT 21H (AH=4Bh) to infect files. First, it will hang INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected .COM or .EXE file, the virus proceeds to infect it.

Damage: None

Detection Method: Infected file size increases by 1182 bytes.


Hello Shshtay

Virus Name: HELLO-SHSHTAY

Virus Type: Memory Block Resident File Infector - Infects .COM files shorter than 63776 bytes and .EXE files shorter than 52428 bytes.

Virus Length: 1840 - 1855 bytes in .EXE files, 1600 - 1615 bytes in .COM files, 1792 bytes in memory.

Interrupt Vectors Hooked: INT 21h

Infection Process: The virus stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary. The available free memory decreases by 1792 bytes. The virus infects .EXE and .COM programs when they are executed.

Damage: Decreased available memory.

Symptoms: Virus displays the following messages on screen:

"HELLO SHSHTAY"
" GODBYE AMIN "
"HELLO SHSHTAY"
" ZAGAZIG UNIV"

Infected .EXE file lengths increase by between 1840 and 1855 bytes and infected .COM files will have a file length increase of  between 1600 and 1615 bytes. The virus will be located at the end of the file in both cases.

Note: If the system date is January, 1994 or later, the virus will hook INT 1Ch , INT 09h and set a counter = 0. Interrupt 1ch will add one to the counter 18.2 times per second . When the counter is greater than or equal to 3786 (ECAh) it will trigger INT 09h and reset the counter back to 0. When Interrupt 09h is activated, it will place a message into the keyboard buffer, so that approximaetly every 208 (3786/18.2) seconds, the screen will display one of the messages from the above list.




Hacktic-2

Virus Name: Hacktic2

Virus Type: File Infector (.COM files)

Virus Length: 93 bytes

Executing Procedure: Virus searches for an uninfected .COM file on the current directory, then infects it (infects only one file each time).

Damage: None

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detection Method: Infected file size increases by 93 bytes.


Horror


Virus Name: Horror

Virus Type: File Infector (.COM and .EXE files)

Virus Length: 1112-1182 bytes

Executing Procedure: If, after checking, Horror finds that it is not resident in memory, it will stay resident in high memory. Then it hooks INT 21h, and looks to see whether the COMMAND.COM file that booted up system has been infected. If it hasn't, Horror infects it and then returns to the original routine.

Vectors Hooked: Horror hooks INT 21H (AH=4Bh) to infect files. First, it hang sINT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected .COM or .EXE file, virus proceeds to infect it.

Damage: It will destroy all data on hard disk (every variant of the virus has its own infecting time).

Note: The Soft-mice software is destroyed by infected .EXE programs.

Detection Method: Infected file size increases by 1112-1182 bytes.


Hard-Day


Virus Name: Hard-Day

Virus Type: File Infector (.COM files)

Virus Length: 662 bytes

Executing Procedure: If, after looking, Hard-Day finds that it is not resident in memory, it will stay resident in high memory. Then it hooks INT 21h and returns to the original routine.

Vectors Hooked: Hard-Day hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected COM file,  the virus proceeds to infect it.

Damage: If the current calendar day is a Monday and the current time is 18:00 or later, the virus displays the message " Hard day's night!," Next, it halts the system.

Note: You will see an error message when writing because INT 24h has not been hanged.

Detection Method: Infected file size increases by 662 bytes.


Hi.460

Virus Type : File Virus

Other Name :

Virus Length :

Virus Infect Type : EXE files

Place of Origin :

Virus Memory Type : High Memory Type

Int. Vectors Hooked : Int. 21h

Infection Procedure:

It first checks if the value stored in DS:[0164] is 2ED3h (if 2ED3h is not moved to that address). The virus loads itself in the high memory in address 9FC0:0h. After loading to the high memory it hooks interrupt 21h, then sets it. Once in memory, the virus waits for an EXE file to be executed to infect it. A word "Hi" can be found in the virus code for every infected EXE file.

 


Hdenowt

Virus Type : File Virus

Other Name :

Virus Length :

Virus Infect Type : COM & EXE files

including COMMAND.COM

Place of Origin :

Int. Vectors Hooked : Int 21h

Infection Procedure:

The virus saves the first 16 bytes to address 114C:08D5h and later changes the first 16 bytes at 0:0 from 11BA:0285h. But before changing an encryption occurs starting in 11BA:012Eh by XORing it to 95h, 288 bytes. When the virus code is executed, it locates COMMAND.COM, then it searches for other COM and EXE files in the same directory where the virus is executed. The infection can't be easily be seen because the size of the file is still the same.

An infected file increases in length by approximately 1700 bytes.

 


Hllo.Beeper

Virus Type : File Virus

Other Name :

Virus Length :

Virus Infect Type : EXE files

Virus Reinfect Type : Non-Resident

Place of Origin :

Virus Memory Type :

Int. Vectors Hooked :

Infection Procedure:

When the infected file is executed, three EXE files will be infected, copying their filenames and changing their extensions to .COM. For every infected file, when executed, at most three EXE files are infected.

This enables the virus code to execute first before the original EXE file.

 

 


Hare.7610

Virus Type : File Virus

Virus Length :

Virus Infect Type : COM & EXE File and

Master Boot Record

Place of Origin :

Virus Memory Type : High Memory

Int. Vectors Hooked : Int 21h

Infection Procedure:

The virus first NOTs the data in CS:[DI] or 115C:2822 with a CX value of ED5h. Then another encryption starting 115C:29B2 with a CX value of E0Eh, XOR in AX with an initial value of 2726 then increments AH and AL by 2h. Then it gets the memory size service with a return value of AX=280h. Then gets the dos variable. Then it loads it to high memory from 115C:2810 to 9DDE:0 with a size of 1DBAh. A message can be found there which reads: "HDEuthanasia by Demon Emperor: Hare Krsua, hare, hare" Then it hooks int 21h and sets it. From there it infects the master boot record.

 


Hare.7750

Virus Type : File Virus

Virus Length :

Virus Infect Type : COM & EXE File and

Master Boot Record

Place of Origin :

Virus Memory Type : High Memory

Int. Vectors Hooked : Int 21h

Infection Procedure:

Encrypts data, address 115C:[2824], 3866 times by using the NOT operand. Another loop in 115C:[29B2], 3667 times by XORing to AX, but AH and AL are incremented by 2h, thus producing: "INFECTUM.COM.HOSTA.COMCOM.COMMAND\SYSTEM\IOSUBSYS\HSFLOP.PDR"

Then it gets the memory size, 640 bytes. Then gets the dos variable, next it loads the code to the high memory, from 115C:2810 to 9DD5:0000 having 7750 bytes to be loaded. It returns the disk drive parameters, trying to read the hard disk. Then tries to read disk sectors, 1 sectors to be transferred to address 9DD5:2096, track no. 108, sector no. 1, head no. 125. Then proceeds to these codes:

XOR AL,AL
OUT 43,AL
JMP 94C
IN AL,40
MOV AH,AL
IN AL,40
XOR AL,AH
XCHG AL,AH

The virus infects the MBR first, from there it will wait for any COM and EXE files.

Damage :

Checks the path and infects all the files there. When rebooting, the computer reboots repeatedly.

 


Helloween.1376

Virus Type : File Virus

Other Name :

Virus Length :

Virus Infect Type : EXE & COM files

Trigger Condition : November 1

Place of Origin :

Virus Memory Type : High Memory Type

Int. Vectors Hooked : Int 21h

Infection Procedure:

The virus loads itself into the high memory immediately copying from address 1155:0129h to 9F89:0000h, copying 1376 bytes. Then it hooks Int 21h. Then it gets the Real-Time Clock date to determine what is the date, and returned values are in BCD. It checks whether the date is November 1 or not. If yes, then it clears the screen, background color is red and this message appears in the middle of the screen:

"Nesedte porad u pocitace a zkuste jednou delat neco
rozumneho!"
"**************"
"!! Poslouchjte HELLOWEEN - nejlepsi metalovou skupinu !!"

Then by pressing any key, the machine will reboot. Making no infection.

But if the date is not November 1, then a COM and/or EXE files executed will be infected.

Detection method :

File increases up to 1376 bytes.