%%File: VIRS0298.TXT
%%Name/Aliases: Die Hard, DH2, Die_Hard, Diehard
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application., COMMAND.COM
%%Features: Encrypted, Stealth, Memory resident; TSR.
%%Damage: Overwrites ASM and PAS files., Display messages
%%Size: EXE and COM files grow by exactly 4000 bytes
%%See Also:
%%Notes: [NOTE: This information is second-hand, and still preliminary] (from VIRUS-L newsletter v07i092.txt):

Die_Hard is a resident fast infector of COM and EXE files. It is known to be in the wild in at least India, where it was found in September 1994. The virus stays resident in memory, decreasing the available DOS memory by 9232 bytes. Die Hard infects all executed or opened COM and EXE files. The files grow by exactly 4000 bytes.

Die Hard has several layers of encryption. Once decrypted, the following text is found:

    SW DIE HARD 2

The encryption is not polymorphic, so the virus is quite easy to find. The virus maintains a generation counter, but it is currently not known if this information is used, or whether the virus has any activation routine at all.

F-PROT 2.18e and up will detect and remove the virus. SCAN v. 224e will detect and remove it. Thunderbyte Antivirus v. 635 will detect and remove it. TBAV 6.26 and Norman Data Defense will detect it. VirHunt 4.0E does not detect it. Antiviral Toolkit Pro ver 2.1b by Eugene Kaspersky seems to clean it. Another method is:

1) Load the virus in the memory
2) Copy all infected files to another extension (e.g. .EXE to .999 and .COM to .998) and the virus will remove itself from the file
3) Warm boot the system with a clean bootstrap
4) Delete all infected files
5) Replace the COMMAND.COM file
6) Rename all files back to the correct extensions (see the earlier step)

[This note from a 1994 issue of VIRUS-L by Gerald Khoo]

Update info. from VB, August 1995: The virus intercepts Int 21h, Int 10h, Int 08h, Int 13h, Int 24h, and Int 40h. The method used to hook interrupts is unusual: the virus inserts itself into the chain of programs hooking interrupts. The virus hooks Int 21h on a permanent basis. It has several trigger routines. On any Tuesday that falls on the 3rd, 11th, 15th, or 28th day of the month, the virus calls the DOS function Write and displays the following message:

    SW Error

The second trigger routine writes strings into PAS and ASM source files. When infected PAS or ASM files are compiled, the compiled programs display Chinese characters on the screen, which come from the bytes D1h and A5h. The third trigger routine is executed after the virus generation reaches 15 and the current video mode is 13h. The screen displays 'SW' in large violet symbols.
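The one indicator in this record that a defender can check without a signature is the fixed 4000-byte growth of infected COM and EXE files. The following is an added example (not from VIRUS-L, Virus Bulletin, or any product named above): a small baseline-and-compare checker that inventories executables into a manifest and later flags files whose size grew by exactly 4000 bytes, plus any executable whose hash changed without that tell-tale delta. The function names, the manifest layout and the sample byte strings used for testing are this example's own constructions.

```python
"""Baseline-and-compare check for the Die Hard size indicator.

Added illustration; assumes only what the record states: infected COM/EXE
files grow by exactly 4000 bytes. Function names and manifest format are
this example's own choices (hypothetical), not a documented tool.
"""
import hashlib
import json
import sys
from pathlib import Path

INFECTION_GROWTH = 4000            # per the record: COM/EXE grow by exactly 4000 bytes
EXEC_SUFFIXES = {".com", ".exe"}   # file types the record says Die Hard infects


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """Build a manifest {name: {"size": n, "sha256": hex}} from a name -> bytes
    mapping, keeping only COM/EXE entries. Pure function, so it is easy to test."""
    return {
        name: {"size": len(data), "sha256": _sha256(data)}
        for name, data in files.items()
        if Path(name).suffix.lower() in EXEC_SUFFIXES
    }


def check(baseline: dict, current: dict) -> list:
    """Compare a name -> bytes mapping against a baseline manifest.

    Each finding carries the single strongest reason that fired:
      grew_by_4000     size delta equals the infection size exactly (strong)
      modified         same name, different hash, no size clue (weak)
      not_in_baseline  executable that was never inventoried (informational)
    Unchanged executables and non-executables produce no finding.
    """
    findings = []
    for name, data in current.items():
        if Path(name).suffix.lower() not in EXEC_SUFFIXES:
            continue
        prev = baseline.get(name)
        if prev is None:
            reasons = ["not_in_baseline"]
        elif len(data) - prev["size"] == INFECTION_GROWTH:
            reasons = ["grew_by_4000"]
        elif _sha256(data) != prev["sha256"]:
            reasons = ["modified"]
        else:
            continue
        findings.append({"file": name, "reasons": reasons})
    return findings


def _read_tree(root: Path) -> dict:
    """Load every regular file under root as {relative path: bytes}."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def write_manifest(root, manifest_path) -> int:
    """Inventory COM/EXE files under root into a JSON manifest; returns the count."""
    manifest = snapshot(_read_tree(Path(root)))
    Path(manifest_path).write_text(json.dumps(manifest, indent=1))
    return len(manifest)


def check_tree(root, manifest_path) -> list:
    """Re-read the tree and compare it with a manifest written earlier."""
    baseline = json.loads(Path(manifest_path).read_text())
    return check(baseline, _read_tree(Path(root)))


if __name__ == "__main__":
    # usage: diehard_check.py snapshot ROOT MANIFEST | check ROOT MANIFEST
    mode, root, manifest = sys.argv[1:4]
    if mode == "snapshot":
        print(f"inventoried {write_manifest(root, manifest)} executables")
    else:
        for finding in check_tree(root, manifest):
            print(f"{finding['file']}: {', '.join(finding['reasons'])}")
```

Two caveats follow directly from the record. The virus is listed as a stealth infector, so both the snapshot and the comparison should be taken with the virus not resident, i.e. after a boot from a clean bootstrap as in step 3 above; otherwise the resident code may hide the size change. And an exact 4000-byte delta is a heuristic consistent with this record, not proof of infection: treat a hit as a reason to run one of the scanners listed above, not as a verdict on its own.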