There are 3 variants:
When the virus is loaded into memory, it hooks INT 21h to infect any executable that is run or accessed by FindFirst/Next FCB DOS function (DIR command) by writing itself to the end of the file.
The virus behaves stealthy but a size change is still observable due to its variable infection size in different files, infected files having the size few bytes longer.
The following table shows the memory usage of the variants.
|Variant||Memory usage in bytes|
Except that HXH.1680 cannot manifest itself at anyway, all these variants activate on February 19th.
Upon the first DIR file listing command, it plays a tune and displays the message in red background at the top of the screen:
HXH: Wherever,Long Live Our Friendship! Good Luck With You! My Friend. Yours Sincerly 6162910
It is noticeable that the firstly issued DIR command would have a slower response, as the virus is checking whether it should activate.
The virus displays the message and plays tune on the very first DIR command after infection, and then the payload will never activate unless all the infected files are cleared and infected with it again.
The only sample of HXH.1680 is believed to be corrupted. During an infection, due to some code which is required for the virus to write is missing, it might cause a system crash. Additionally, the codes of the payload section in the infected file are completely empty (filled with FFh), so it cannot manifest itself on the day of payload.