HLLP.Termite.5000

Classification

Category :

Malware

Type :

-

Aliases :

HLLP.Termite.5000

Summary

HLLP.Termite.5000 is a DOS virus written in high level language. It is capable of spreading under DOS and DOS boxes of Windows 3.x, 95, 98 and NT.

The virus is 5000 bytes long and encrypted. It is not memory resident. It is a prepending virus. It has a sequence of payloads, described below.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Being run, the virus first tries to find and delete the following files:

 anti-vir.dat
 chklist.ms
 chklist.cps
 vs.vsn
 ivb.ntz

This is done to prevent several integrity checkers from detecting the modifications the virus makes to files.

After this the virus cleans the file it was executed from: the file is renamed and its original beginning is restored. The virus then starts looking for COM and EXE files in the directories listed in the PATH variable.

If a COM or EXE file is found, the virus reads the first 5000 bytes of the file into memory and checks whether the file is already infected (infected files carry 5000 bytes of virus code at the beginning). If it is, the file is closed and the search goes on.

If a clean file is found, the virus renames it and then infects it by writing 5000 bytes of its encrypted code to the start of the file. The original first 5000 bytes of the file are encrypted and written to the end of the file. Then the file is renamed back. The virus infects not only DOS but also Windows EXE files.

The virus does not infect a file if its name or extension starts with any of the following:

 WIN DLL SPA MAN DRV SCR KRNL 386
 MSC COM EXP MOU GW GO STA USE GDI CON

The virus does not infect more than 20 files at a time, to hide its presence, but if it is run on a slow system the performance still drops dramatically, and the more files are infected, the longer the delay before the virus passes control to the original program. The original file, which the virus cured at the beginning, is run using the "drive:\path\COMMAND.COM /C filename" command. After the original program terminates, the virus re-infects the file and renames it back.

The attributes and time stamp of an infected file do not change, because the virus preserves them upon infection. The length of an infected file is increased by 5000 bytes.
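As an added illustration, not part of the original F-Secure description, the following Python sketches how a disinfection tool would reverse the prepender layout described above (5000 bytes of virus code at the start, the encrypted original first 5000 bytes moved to the end, total length up by 5000). The virus body marker, the host file and the XOR stand-in for the cipher are all constructed here; the page does not document the actual encryption, so the decryption routine is passed in by the caller.

```python
from typing import Callable

VIRUS_LEN = 5000  # size of the prepended virus body stated in the description


def looks_infected(data: bytes, marker: bytes) -> bool:
    """Structural check: an infected file starts with the 5000-byte virus body.
    `marker` stands in for a real signature taken from that body (constructed here)."""
    return len(data) >= 2 * VIRUS_LEN and data.startswith(marker)


def disinfect(data: bytes, decrypt: Callable[[bytes], bytes]) -> bytes:
    """Rebuild the host from the layout the description gives:
        virus(5000) | original[5000:] | encrypted(original[:5000])
    The cipher is not documented on the page, so `decrypt` is supplied by the caller.
    Hosts shorter than 5000 bytes are not covered by the description and are rejected."""
    if len(data) < 2 * VIRUS_LEN:
        raise ValueError("too short for the 5000-byte prepender layout")
    head = decrypt(data[-VIRUS_LEN:])
    if len(head) != VIRUS_LEN:
        raise ValueError("decrypted head is not 5000 bytes")
    return head + data[VIRUS_LEN:-VIRUS_LEN]


def xor_bytes(buf: bytes, key: int = 0x5A) -> bytes:
    """Constructed stand-in for the undocumented cipher; XOR is its own inverse."""
    return bytes(b ^ key for b in buf)


# Constructed test fixture: a fake host and a fake virus body, arranged exactly
# as the description states. Nothing here is real virus code.
SAMPLE_MARKER = b"CONSTRUCTED-VIRUS-BODY"
SAMPLE_VIRUS_BODY = SAMPLE_MARKER.ljust(VIRUS_LEN, b"\x00")
SAMPLE_ORIGINAL = bytes(range(256)) * 47  # 12032-byte stand-in for a clean EXE
SAMPLE_INFECTED = (
    SAMPLE_VIRUS_BODY
    + SAMPLE_ORIGINAL[VIRUS_LEN:]
    + xor_bytes(SAMPLE_ORIGINAL[:VIRUS_LEN])
)

if __name__ == "__main__":
    assert len(SAMPLE_INFECTED) == len(SAMPLE_ORIGINAL) + VIRUS_LEN
    assert looks_infected(SAMPLE_INFECTED, SAMPLE_MARKER)
    assert not looks_infected(SAMPLE_ORIGINAL, SAMPLE_MARKER)
    assert disinfect(SAMPLE_INFECTED, xor_bytes) == SAMPLE_ORIGINAL
    print("restored host matches the original")
```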

The virus has a nasty payload. Depending on its counters, it sets 640x200 black-and-white video mode and imitates the movement of many small insects until a certain combination of keys is pressed. Then, depending on other counters, the virus outputs many 'faces' (ASCII 0x2) and a message:

 Oops! I've got such terrible munchies. TERMiTE v1.0 RAiD[SLAM]

Then the virus deletes all files matching the following masks:

 *.MP? *.GIF *.JPG *.DOC *.HLP (space)*.*

The virus was first reported in Africa.