Virus Alert - August 22nd Virus -Forwarded

[Dr. Richard A. Snyder]

IBM Only?  Virus Alert.  May not be picked up by virus protection software.


>
>>>> ALLEN JOHNSON 0908/21/96 09:00am >>>
> I've recently gotten word that there is a virus called
>Hare_Krisna that is set to destroy your data on August 22nd
>(and possibly again on September 22nd).   This is a real
>threat.  Until you are positive that you have virus protection
>that can detect and eradicate this virus, I would recommend
>that you reset the dates on your PCs to after Aug. 22
>(before the 22 actually happens).  On Aug. 23 you can reset
>to the correct date.  Most PCs can reset the date from DOS
>by typing the word DATE.  Win31, 95, and NT from the
>control panel.  
>
>**The date change is just a suggestion due to the late notice
>I received and the inability of my site to get to 450 PCs
>before midnight tonight**
>
>Below is some info you may find helpful.  Good luck...
>
>Allen
>
>
>HARE_KRISNA VIRUS INFORMATION
>                                                                               
>HARE.7610
>
>Virus Characteristics
>
>Hare.7610 is a destructive, memory resident, polymorphic,
>stealth, multi-
>partite virus. Hare.7610 infects .COM and .EXE files and the
>Master Boot Record (MBR) on hard disks and the boot
>sector on diskettes. 
>
>Upon infection, Hare.7610 becomes memory resident.
>Hare.7610 overwrites a portion of the MBR. Hare.7610
>infects .EXE and .COM files as they are executed and
>infects diskette boot sectors as they are accessed. 
>
>Indications of Infection
>
>The Hare.7610 is triggered on August 22 and September 22.
>On these dates, the following message is displayed: 
>
>                "?HDEuthanasia? by Demon Emperor: Hare
>Krsna, hare, hare" 
>
>Hare.7750 a variant of Hare.7610, displays the following
>message:
>
>                "HDEuthanasia-v2' by Demon Emperor: Hare
>Krsna, hare, hare"
>
>Hare.7786 another variant of Hare.7610, displays the
>following message:
>
>                "HDEuthanasia-v3' by Demon Emperor: Hare
>Krsna, hare, hare"
>
>In addition to the above message, the payload of Hare.7610
>results in an
>overwrite of the system hard disks. The data contained on
>the hard disks is destroyed during this process. 
>
>Infected files increase in size by approximately 7600-7800
>bytes. 
>
>Method of Infection
>
>Multi-partite viruses have two main routes of infection; either
>as a Master
>Boot Record/Boot Sector Virus or as a File Infecting Virus. 
>
>Most infections occur when a computer attempts to boot
>from an infected floppy diskette. The boot sector of the
>diskette has the code to determine if the diskette is
>bootable, and to display the "Non-system disk or disk error"
>message. It is this code that harbors the infection. By the
>time the non-system disk error message comes up, the
>infection has occurred.
>
>Once the virus is executed, it will infect the hard drive's MBR
>and may become memory resident.  With every subsequent
>boot, the virus will be loaded into memory and will attempt to
>infect floppy diskettes accessed by the machine.
>
>The second route of infection is by receiving an infected file
>through a
>multitude of sources including: floppy diskettes, downloads
>through an online service, network, modem connections,
>etc. Once the infected file is executed, the virus may
>activate. 
>
>Virus Information
>
>      Discovery Date: July, 1996
>
>      Origin:             Europe
>
>      Length            7610 Bytes
>
>      Type               Multi-partite Virus
>                                Memory Resident
>                                Stealth
>                                Polymorphic
>
>      Prevalence:  Common
>
>Variants
>
>      Hare.7750
>      Hare.7786
>
>Aliases
>
>      Krsna
>      HDEuthanasia 
>
>
>Delivery Priority: High Delivery Report: No Report
>Receipt Report: No Personal Categories: 
> 
>
>
>