F-HARE - Scanner and disinfector for the Hare viruses
Copyright (c) 1996 Data Fellows Ltd

OVERVIEW

F-HARE will detect and disinfect the three known variants of the Hare virus (also known as HDEuthanasia and Krsna). This document gives a brief description of the Hare virus and explains how to use F-HARE to detect and disinfect this virus.

ABOUT THE HARE VIRUS

Hare is one of an increasing number of viruses distributed via the Internet, in the form of posts to Usenet News. On the 22nd of August and the 22nd of September, members of the Hare virus family will trigger, attempting to overwrite hard disks and floppy disks in drives A: and B:.

Hare is a polymorphic, stealth, multi-partite virus. It is memory-resident and infects .COM and .EXE files, MBRs of hard disks, and floppy disk boot sectors. It is Windows 95 aware, enabling it to infect both files and the boot sectors of floppy disks used from Windows 95.

Known variants are Hare.7610, Hare.7750 and Hare.7786.

SYMPTOMS

The symptoms of the Hare virus vary. Under certain circumstances, it can render the fixed disk unbootable, or hide the DOS partitions if the system is booted from a clean system disk. It also attempts to hide its changes to the length of infected files. Alternatively, there may be no visible effect until the virus triggers.

Since the symptoms can vary, it is recommended that suspect PCs be scanned using the F-HARE utility.

HOW TO USE F-HARE

Run F-HARE with the drive letter or directory as a parameter. For example:

    F-HARE C:
    F-HARE Z:\USERS

F-HARE will first check memory and will tell you if the Hare virus is resident:

    "Scanning for Hare in memory - Infected!"

If you find the Hare virus in memory, please reboot your computer from a clean write-protected system floppy diskette. This will ensure that the Hare virus is not in memory.

Type F-HARE to determine if your Master Boot Record or any files are infected with the virus. If F-HARE finds the virus, you will be notified. Then, type F-HARE /disinf.
F-HARE will disinfect your Master Boot Record and infected files.

As detailed above, it is possible in some cases for the Hare virus to cause the DOS partition to be inaccessible when booted from a clean system disk. Do not worry: if this occurs, F-HARE can still remove the virus from both your hard disk and from any infected files.

If F-HARE has found the Hare virus in your MBR, but you cannot see the DOS partition of your fixed disk after booting from a floppy disk, take the following steps to disinfect your machine fully:

1. Make sure you have booted from a clean write-protected system floppy diskette.

2. Type F-HARE c: /disinf
   F-HARE will remove the virus from the Master Boot Record. After the virus is removed from the Master Boot Record, you will see the message "virus removed" followed by the message "No hard disk found".

3. Simply reboot your computer again, from the clean write-protected floppy system diskette. You will now be able to see the C: drive. Once you can see it (by typing dir c:), type F-HARE c: /disinf to clean the virus from any files which may have become infected.

WHAT ABOUT FLOPPIES?

Since Hare can infect floppy diskettes, you will want to scan your floppy diskettes as well. To do this, invoke F-HARE using the /MULTI switch (e.g. F-HARE A: /MULTI).

--

Virus analysis based on information from Mikko Hypponen, Data Fellows F-PROT Professional Support.
F-HARE by Peter Szor, Data Fellows F-PROT Professional Development.
Documentation by Sarah Gordon, Command Software F-PROT Professional Research and Development.

F-HARE is protected by international copyright laws. F-HARE is (c) 1996 Data Fellows Ltd, and it is not in public domain or freeware, but you are free to use and share this software with no charges in non-commercial private use. Use of this software in other environments is not allowed in Europe, Asia and Africa without a license to F-PROT Professional or a current license from Frisk Software International.
To purchase a license, contact your local distributor listed in PRO.DOC.

Please redistribute F-HARE only with this documentation. You are not allowed to resell this software for your own profit (normal copying costs excluded) or claim to hold rights to this software. Although you may have the right to use F-HARE, it will remain the exclusive property of Data Fellows.

Data Fellows does not warrant that the software is error free and we will not cover any costs created by function or malfunction of this program. Data Fellows also disclaims liability for possible consequential damages. If you cannot agree to these restrictions, you should not use F-HARE.

Copyright (c) 1996 Data Fellows Ltd, Finland

Data Fellows Ltd
Paivantaite 8
FIN-02210 ESPOO
FINLAND

tel: +358-0-478 444
fax: +358-0-478 44 599
e-mail: F-PROT-Support@DataFellows.com
www: http://www.DataFellows.com/