Type File virus
Date Discovered JUL-2002
Place of Origin
Source Language
Platform MS Windows
File Type(s) .exe
Infection Length 2,048 bytes
Reported Costs

Valhalla, also known as Valla, Xorala, and Harmony is a 32-bit Windows Portable Executable infecting virus. It appeared in 2002 though its origins may be much earlier.


When a file infected with Valhalla is executed, it searches through the root of the system disk (usually C:\), Windows, and System folders for files. It also searches the directory it was executed from as well as its parent directory. For example, ig it is executed from the user's downloads folder, it will search that as well as the user's home folder. It randomly enters around 20% of the subdirectories of these directories and targets around 20% of the .exe files of these directories. It avoids directories beginning with a period.

Before infecting a file, Valhalla checks whether it is a Portable Executable and if it contaoins a section named "XOR", which marks a previous infection, and if so, avoids it. Otherwise, it appends its 2,048 bytes to the ends of the file. The PE header is modified so the viral code runs before the rest of the file. It also creates a section named XOR, which it uses to mark the file as infected. The file's timestamp will reflect the time of the infection.

The following text can be found in its code:

-= XOR 2009 Valhalla =- Assembled 1997 .. Activated 07.2002 - devoted for peace and harmony in universe against war, racism, terrorism and cruel brutality 
.. remember .. life is the most important thing - not money .. it's time for a revolution NOW ....


Text found in the code seems to suggest the virus was created as early as 1997 and "activated" (released?) in July of 2002. Symantec first received the virus in November of 2002, the earliest any still-existing records show this virus being on any antivirus company's radar. It has one functionally similar variant.


As Valhalla does little aside from spread, its impact was mimimal. It was first documented in the wild in July of 2003 and either the original or a variant was seen as late as September of 2008 and it seems to have disappeared after that.


Microsoft Security Intelligence, Win32/Valla. 11-APR-2006

F-Secure, Harmony.A.

Gor Nazaryan. Symantec Security Response, W32.Valla.2048. 13-FEB-2007

The WildList, July 2003.

The WildList, September 2008.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License