Virus Profile: W32/Hezhi.b

Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/15/2002
Date Added: 11/12/2002
Origin: Unknown
Length: Up to 12800 bytes
Type: Virus
Subtype: File Infector
DAT Required: 4204


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Increases in the size of .EXE files without the time/date stamp changing

Methods of Infection

This virus is a memory resident infector. Once an infected file is run on a host system, it will remain in memory and infect files throughout the system.


Aliases

PE_HEZHI.A (Trend), W32.Hezhi (NAV), W32/Hezhi-A (Sophos), W32/Hezhy.A (F-Prot), Win32.Flagger (CA), Win32.Hezhi (AVP)

Virus Characteristics

This is a memory-resident file infector that uses encryption and polymorphic techniques. When a file is infected, the virus code is appended to the last section of the file and the file's entry point is modified to point to the virus code. Once the virus is resident in memory, it searches the local machine for PE .EXE files to infect; at that point, merely right-clicking on a file is enough to trigger infection.

In order to camouflage its actions, the virus does not change a file's time/date stamp.

This virus has a damaging payload: on the 20th of November it deletes any .EXE files that it would normally infect but which are not also in memory.
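The two traits above give a defender something concrete to check for: an entry point that lands in the final section of a multi-section image (the appended-code pattern described under Virus Characteristics) and .EXE files that grew while their time/date stamp stayed identical (the Indication of Infection). The following triage script is an added example, not code from the McAfee profile. It parses only the PE fields it needs (offsets per the PE/COFF specification), builds constructed header-only PE images to exercise the parser, and compares two constructed file inventories; the 12800-byte growth ceiling is taken from the Length field of this profile.

```python
import struct

# PE section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40 bytes


def parse_pe(pe):
    """Return (entry_rva, sections); sections is a list of
    (name, virtual_address, virtual_size, raw_size) in file order."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, *_ = struct.unpack_from(SECTION_FMT, pe, table + i * SECTION_SIZE)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawsize))
    return entry_rva, sections


def section_index_of(rva, sections):
    """Index of the section whose virtual range covers rva, or None."""
    for i, (_, va, vsize, rawsize) in enumerate(sections):
        if va <= rva < va + max(vsize, rawsize):
            return i
    return None


def entry_in_last_section(pe):
    """Heuristic for appended infectors: entry point inside the final section of a
    multi-section image. Packers trip it too, so treat a hit as a triage signal."""
    entry_rva, sections = parse_pe(pe)
    idx = section_index_of(entry_rva, sections)
    return len(sections) > 1 and idx == len(sections) - 1


def grown_without_mtime_change(baseline, current, max_growth=12800):
    """Compare two {path: (size, mtime_ns)} inventories; return [(path, growth)]
    for files that grew by up to max_growth bytes with an unchanged timestamp."""
    hits = []
    for path, (size, mtime) in current.items():
        if path in baseline:
            old_size, old_mtime = baseline[path]
            growth = size - old_size
            if 0 < growth <= max_growth and mtime == old_mtime:
                hits.append((path, growth))
    return hits


def build_test_pe(entry_rva, sections):
    """Constructed, non-executable PE image (headers only) for exercising the parser;
    sections is a list of (name_bytes, virtual_address, virtual_size)."""
    e_lfanew, opt_size = 0x80, 224  # 224 = PE32 optional header size
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, vsize, 0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: identical layout, only the entry point differs.
LAYOUT = [(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x1000)]
CLEAN_PE = build_test_pe(0x1100, LAYOUT)    # entry in .text
SUSPECT_PE = build_test_pe(0x3040, LAYOUT)  # entry in the last section

# Constructed inventories (path -> (size, mtime_ns)) taken on two different days.
BASELINE = {r"C:\Tools\a.exe": (40960, 1_000), r"C:\Tools\b.exe": (81920, 2_000),
            r"C:\Tools\c.exe": (20480, 3_000)}
CURRENT = {r"C:\Tools\a.exe": (40960 + 4096, 1_000),  # grew, timestamp untouched
           r"C:\Tools\b.exe": (81920 + 4096, 9_000),  # grew, but timestamp changed (rebuild)
           r"C:\Tools\c.exe": (20480, 3_000)}         # unchanged

if __name__ == "__main__":
    print("clean sample, entry in last section:", entry_in_last_section(CLEAN_PE))
    print("suspect sample, entry in last section:", entry_in_last_section(SUSPECT_PE))
    print("grown without mtime change:", grown_without_mtime_change(BASELINE, CURRENT))
```

On a real host the inventories would come from `os.stat` over the .EXE files of interest (`st_size`, `st_mtime_ns`), taken before and after the suspected exposure; the entry-point check is deliberately a heuristic, since legitimate packers and some linkers also place the entry point in the last section, so a hit is a reason to scan the file with current DATs, not a verdict on its own.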


Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

However, in some particular cases the following additional steps need to be taken.

Use the Microsoft Recovery Console to restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.
