| Alias: | |
| Strain: | |
| detected when: | December 1991 |
| where: | British Columbia, Canada |
| Classification: | Program virus (COM&EXE infector, including COMMAND.COM), non |
| Length: | Infected file length: 10,000 bytes (exactly) |
Preconditions | |
| Operating System(s): | PC/MS-DOS |
| Version/Release: | Any? |
| Computer model(s): | Any IBM PC and compatibles? |
| Caroname: | HLLP.Halloween |
Attributes | |
| Easy identification: | 1) Significant file growth: 10 kByte (exactly). 2) Text "Happy HalloweenU" appears near start of infected programs. |
Type of Infection: | Virus infects COM & EXE programs in the current directory only, but only files with length >= 10,000 (2710h) bytes will be infected. Infection is done through prepending virus to EXE and COM files to be infected file. Date and time of infected file will match the original one's, however the file's position in the directory may change. |
| Infection Technique: | |
| Infection Trigger: | Execution of infected program. |
| Storage Media affected: | All |
| Interrupts hooked: | --- |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent/transient damage: On October 31 (Halloween), infected files will be truncated to 666 bytes and the message "All Gone Happy Halloween" will appear. |
| Damage Trigger: | October 31 (Halloween), any year since 1992. |
| Particularities: | 1) Search for uninfected files is proceeding from top directory, and each executable file is inspected for previous infection/length. 2) During infection, virus holds original code in a temporary file. Moreover, it traps the original file's return code for use when the virus terminates (possibly for tunneling). |
| Similarities: | --- |
Agents | |
| Countermeasures: | |
| Standard means: | On identification, virus may be removed from most programs (both COM & EXE) by simply stripping off the first 10k bytes. |
Acknowledgements | |
| Location: | Orlando/Florida, USA Virus Test Center, University Hamburg, |
| Classification by: | Padgett Patterson (USA), Klaus Brunnstein (VTC) |
| Documentation by: | Klaus Brunnstein (VTC) |
| Date: | 15-July-1992 |
| Information Source: | Padgett Patterson's report on Halloween virus |
(c) 1996 Virus-Test-Center, University of Hamburg