Kode 4-2

Virus Name: Kode4-2

Virus Type: File Infector Virus (infects .COM files)

Virus Length: ABOUT 3000 Bytes(COM)

PC Vectors Hooked: None

Executing Procedure:
1) Searches for and infects all *.C* files in the current directory.
2) Then the following screen message will appear: "-=+ Kode4 +=-, The one and ONLY!"

Damage: Overwrites original files.

Detecting Method:
1)Check whether the message:"-=+ Kode4 +=- The one and ONLY!"showed on screen.

Note:
1) Doesn't stay resident in memory.
2) Kode4-2 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


K_Hate

Virus Name: K_Hate

Alias Name: K-Hate

Virus Type: File VIrus

Virus Length: 1,237 to 1,304 bytes

Description: This virus infectes *.COM files including COMMAND.COM.

When an infected file is executed, the virus will infect all *.COM files in the same directory. Infected files will experience a file length increase of 1,237 to 1,304 bytes with the virus located at the end of the file. Date and time information of infected files will not be altered.

The following text string can be found in the virus:

"CRYPT INFO"
"KDG 0,5 / Khntark3"
"*, K-HATE / Khntark*.COM"


Kampana.A

Virus Name: Kampana.A

Alias Name: Telecom Boot, Campa, Anti-Tel, Brasil

Virus Type: Boot Virus

Virus Length: N/A

Description: This virus infects boot sectors

Interrupt vectors hooked: INT 13h.

Infection method:
1) When the system is booted from an infected diskette, the virus loads itself in memory.
2) While loaded, it infects any accessed disks.
3) The DOS CHKDSK program will show a "total bytes memory" decrease of 1,024 bytes.

Damage: After a number of reboots, the virus overwrites sectors of the hard disk.

Note:
1) If you attempt to examine the master boot record while the virus is loaded, it will display the original, uninfected version.


KeyKapture

Virus Name: KeyKapture

Alias Name: KeyKap, Hellspawn.1

Virus Type: File Virus

Virus Length: 1,074 bytes

Description: This virus infectes *.EXE files by creating a hidden *.COM file of the same name in the same directory.

When an infected file is executed, the virus installs itself into memory. Total available memory will decrease by 3,072 bytes.

Once the virus is memory resident, it will infect *.EXE when they are executed by creating a 1,074 byte *.COM file of the same name. The original *.EXE file will not be changed in any way. Infected systems may experience system hangs.

The following text string can be found in the virus:

"KKV.90 KeyKapture Virus v0.90 [Hellspawn-II] (c) 1994 by Stormbringer [PS]"


Kill COM

Virus Name: Killcom

Virus Type: File Infector Virus

Virus Length: 31648 Bytes

PC Vectors Hooked: None

Executing Procedure:
1) Look for "COMMAND.COM" in the current directory of "C:\".
2) If found, destroy this file. If not found, then create a "COMMAND.COM" file with 213 Bytes.

Damage: Destroys "COMMAND.COM" file in the current directory of "C:\".

Detecting Method: None.

Note:
1) Doesn't stay resident in memory.
2) Killcom doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


Kill Boot

Virus Name: Killboot

Virus Type: Trojan

Virus Length: 32000 Bytes

PC Vectors Hooked: None

Damage: Destroys all data in the BOOT SECTOR of "C:\" and "B:\", then shows a line of codes and the system halts.

Detecting Method: None.

Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition.


Kennedy

Virus Name: Kennedy

Other names: None

Virus Type: File Infector Virus

Virus Length: 333 bytes

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory it will infect any uninfected file that is executed.

Damage: Destroys the FAT.

Detecting Method:
1) On June 6th, November 8th, and November 22th, the virus will display the following message: "Kennedy is dead - long live the Dead Kennedys."
2) It then proceeds to destroy the FAT.

Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).


Klf-356

Virus Name: Klf-356

Virus Type: COM File infector

Virus Length: 356 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) First, it will hang INT 24h to prevent divulging its trace when writing.
3) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 356 bytes.


Kiwi-550

Virus Name: Kiwi-550

Virus Type: EXE File infector

Virus Length: 550-570 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) First, it will hang INT 24h to prevent divulging its trace when writing.
3) If the program to be executed is an uninfected EXE file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 550-570 bytes.


K

Virus Name: N1

Virus Type: COM File infector

Virus Length: 10230-10240 bytes

Executing Procedure:
1) Searches for an uninfected COM file in the current directory, then infects it (Infects only one file at a time).
2) It will then display the following message :"This File Has Been Infected By NUMBER One!"

Damage: None

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hanged.

Detecting Method:
1) Infected files will display the above message when executed.


Keypress-9

Virus Type : File Virus

Other Name :

Virus Length :

Virus Infect Type : COM & EXE files

Place of Origin :

Virus Memory Type :

Int. Vectors Hooked : Int 21h

Infection Procedure:

The virus infects COM and EXE files increasing their sizes by 2 kbytes. Hooking interrupt 21h. After the virus is executed, it waits for an EXE and/or COM files to infect. It infects all COM and EXE files except the COMMAND.COM. A message can be found to all infected files:

"This is an [ illegal copy ] of keypress virus remover"
"Systems Halted."
"Eternal Fair"
The virus doesn't reinfect if the file being executed is already infected.

 

 


Kaos4.A

Virus Type : File Virus

Virus Length :

Trigger Condition :

Place of Origin :

Virus Memory Type : Non Resident

Int. Vectors Hooked :

Infection Procedure:

The virus first sets the disk transfer area, 114C:0816h. Then it tries to infect COM and EXE files in the same directory and other directories specified in the PATH. It uses the Find First Match Directory Entry, there it infects all EXE and COM files. Then the Next Directory Entry, there it also infects all EXE and COM files. Then it sets the DTA again, 114C:0080h. Then displays the message stored in the virus code.

 


Karnavali.1972

Virus Type : File Virus

Other Name :

Virus Length :

Place of Origin :

Int. Vectors Hooked :

Infection Procedure:

First it gets the dos variables then it reads drive C: and writes it, FFFFh sectors to be read, 5945h starting sector, 139E:0889h memory address for data transfer. Then it tries to write 4 sectors to drive C:. After writing it, when an EXE or COM file is executed, it will never be infected. But after rebooting the computer, the system will hang. And the keyboard will be disabled.

 


Keypress-6

Virus Type : File Virus

Other Name :

Virus Length :

Place of Origin :

Virus Memory Type : High Memory Type

Int. Vectors Hooked : Int 21 & Int 1C

Infection Procedure:

First it saves the values of all the registers, then it loads itself to the high memory, 9FA3:100 loading 1216 bytes. Then it hooks Int 21h and Int 1Ch (Timer Tick Interrupt), sets a value, then returns the original values to the registers.

 


Kacz

Origin :

Eff Length : 4444 bytes

Type Code : Polymorphic File Virus

Symptoms :

EXE files increase by 4444 bytes and there is a decrease of 6144 bytes in the available memory. Infected files tend to display messages like : "Error Loading Program File", "File not Found", and "Memory Allocation Error."

General Comments:

On the first infection, KACZ first decrypts 4387 bytes of its code and then allocates 6144 bytes in the High Memory Area. It then transfers 4387 bytes of its code to that area. It then hooks INT 13 and INT 21. Then reads the Boot Record of the hard disk and tries to modify it. It writes the new infected Boot Record on the hard disk so every time it is used for booting up the virus will be resident.

This virus will infect all EXE files that are opened, renamed, or executed. It will also change the file's Second field to 62.

These messages are found in the decrypted virus code:

"Zrobione"
"Wersja"
"Kodowanie"
"Liczmik HD"
"K a c z,o r t e s t"