Hantaner
Type: P2P File virus
Creator: ErGrone
Date Discovered: 2002.11.25
Place of Origin: Santiago, Chile
Source Language: Delphi
Platform: MS Windows
File Type(s): .exe
Infection Length: 24,064 bytes
Reported Costs:

Hantaner, also known as Handy or EnerKaz, is a file virus that spreads over the peer-to-peer file-sharing network KaZaa. Aside from this, it is a relatively simple direct-action infector with a few bugs.

Behavior

When a file infected with Hantaner is executed, it prepends its UPX-compressed code to all .exe files in the folder it was executed from. It makes no attempt to verify that the files are actual executables and will infect anything with that extension, whether it is a real .exe, a blank text file mistakenly named with an .exe extension, or a file for a totally different operating system that coincidentally uses an .exe extension. Infected files may sometimes be damaged and will not run. It uses a utility named "Joiner" to place the pieces of executable code together. The file for this utility will be in the Windows Temp folder and will have a file name of "Joi(random characters)".

It obtains the location of the KaZaa share folder and Internet Explorer download folder from the registry. If it does not find it, it will not run any further. It stores two files, HANTA and 010101.dat, in the Windows folder and uses them for temporary information storage. These files are deleted after the virus has finished executing.
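The infection layout and leftover files described above can be turned into a simple triage check. This is an added example, not code from the original page or from any antivirus vendor; it assumes the host file follows the 24,064-byte body unchanged and that the UPX marker string is still present in that body, and all function names are hypothetical.

```python
from pathlib import Path

INFECTION_LENGTH = 24_064                    # bytes, from this page's infobox
WINDOWS_ARTIFACTS = {"hanta", "010101.dat"}  # temp files named on this page
JOINER_PREFIX = "joi"                        # "Joi(random characters)" in Temp


def classify_exe(data: bytes) -> str:
    """Verdict from layout alone. Assumption: the host follows the body unchanged."""
    if len(data) <= INFECTION_LENGTH or data[:2] != b"MZ":
        return "no-match"
    head, host = data[:INFECTION_LENGTH], data[INFECTION_LENGTH:]
    if b"UPX" not in head:                   # the prepended body is UPX-compressed
        return "no-match"
    # A second MZ header exactly at the infection length is the strong signal.
    # Non-.exe hosts are infected too, and ordinary UPX-packed programs also get
    # this far, so anything else is only "inconclusive".
    return "likely-infected" if host[:2] == b"MZ" else "inconclusive"


def scan_folder(folder: Path) -> dict:
    """Verdict for every *.exe in one folder (infection is per folder)."""
    return {p.name: classify_exe(p.read_bytes())
            for p in sorted(folder.iterdir())
            if p.is_file() and p.suffix.lower() == ".exe"}


def find_artifacts(windows_dir: Path, temp_dir: Path) -> list:
    """Leftover files. HANTA and 010101.dat are deleted after a completed run,
    so a hit suggests an interrupted run. The Joi* prefix match is loose."""
    hits = [p for p in windows_dir.iterdir() if p.name.lower() in WINDOWS_ARTIFACTS]
    hits += [p for p in temp_dir.iterdir() if p.name.lower().startswith(JOINER_PREFIX)]
    return sorted(hits)


def synthetic_layout(host: bytes) -> bytes:
    """Constructed sample: inert zero padding shaped like body + host, no code."""
    return b"MZUPX0".ljust(INFECTION_LENGTH, b"\x00") + host


if __name__ == "__main__":
    print(classify_exe(synthetic_layout(b"MZ" + b"\x00" * 64)))   # likely-infected
    print(classify_exe(synthetic_layout(b"plain text")))          # inconclusive
```

A "likely-infected" verdict is a layout heuristic only and should be confirmed with a current antivirus signature before any file is cleaned or deleted.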

The following text can be found in the virus body, though it is never displayed on screen in any way:

HANTA-Vjoiner ,si que lo hice yo, ErGrone/GEDZAC los señoritos de PERU, en especial a Machado, que 
no tiene la educación necesariapara responder un E-Mail...y para los que se enojaron con CPL, jeje, paque
ocupan Hotmail!!!, teniendo miles de mailbox gratis y con mas espacio.....Falla la Heuristica y contra una
 técnica antigua JoJOjOO-Escrito en Delphi 6.

Translated roughly:

HANTA-Vjoiner, yes, I did make it, ErGrone/GEDZAC. To the little gentlemen of PERU, especially Machado, who
does not have the education needed to answer an e-mail... and to those who got angry with CPL, hehe, why do
you use Hotmail!!!, when there are thousands of free mailboxes with more space..... Heuristics fail, and against
an old technique, JoJOjOO. Written in Delphi 6.

Variants

There are three other variants of Hantaner, all of which are mostly similar to the original.

Origin and Name

Hantaner was coded by ErGrone while working with the GEDZAC group in 2002. ErGrone lived in Santiago, Chile around the time he coded Hantaner. He was known for a few viruses and worms in the early 2000s. Hanta seems to be named after the hantavirus. Though file-sharing worms, and specifically KaZaa worms, were somewhat common by the time Hantaner was released, Hantaner is likely the first virus intentionally propagating through file sharing.

