The sting of the Demon Emperor




What virus-scanning program can detect and clean the Hare Krsna virus?
- Liz Van


This virus and its variants, also known as Hare, Krisna or HDEuthanasia, can be detected and cleaned by the majority of antivirus products, including Dr Solomon's, F-Prot, Norton Antivirus and Cheyenne's InocuLAN. However, regardless of the antivirus software you are using, make sure you have the most recent update: programs which have not been updated for a year or more will most likely not detect Hare. Which is unfortunate, because an undetected outbreak of this virus can cause more than a little grief.
Hare was discovered in mid-1996 and was spread through Internet newsgroups, sometimes in a bogus file called pkzip300.exe. According to Symantec, makers of the Norton Antivirus program, Hare is uncommon. However, it has captured the headlines in a number of countries, so its threat should not be discounted.
Hare infects your hard drive's Master Bood Record (MBR) and diskette boot sectors. Both .com and .exe files are susceptible, and will grow in size by 7000-odd bytes. Unfortunately, when the virus is resident in memory, these altered file sizes will not be reported. If an infection exists, and you boot from a clean floppy, chances are your hard disk will be inaccessible (expect to see a tell-tale "Invalid drive specification" message). This is because Hare encrypts your hard disk's MBR, rendering it useless to an uninfected boot floppy.
Complex polymorphic viruses are often difficult to detect, but Hare is particularly clever. The executable file of many antivirus programs includes a self-check routine which is designed to detect any changes to that file. But Hare will ignore any file whose name begins with the letters "TB" or "F-" or contains the letter "V". This characteristic was sufficient to confuse many antivirus programs when the virus first appeared.
Hare's author calls himself -- or herself -- the Demon Emperor. And in a similar melodramatic vein, the virus is programmed to wreak havoc on certain days of the year: August 22 and September 22. If Hare becomes memory-resident on either of these days, it will display the message: "HDEuthanasia by Demon Emperor: Hare Krsna, hare, hare . . ." and you will hear much creaking and whirring of drive heads. This is the sound of your hard disk (and floppy, too, if one happens to be in the drive) being overwritten.
So if your antivirus software hasn't been updated since 1996, change it now. Or risk being reminded next August!
- Neville Clarkson


Category: Viruses
Issue: Nov 1997
Pages: 162

These Web pages are produced by Australian PC World © 1997 IDG Communications