Virus Name: Kode4-2
Virus Type: File Infector Virus (infects .COM files)
Virus Length: About 3000 bytes (COM)
PC Vectors Hooked: None
Executing Procedure:
1) Searches for and infects all *.C* files in the current directory.
2) Then the following screen message will appear: "-=+ Kode4 +=-, The one and ONLY!"
Damage: Overwrites original files.
Detecting Method:
1) Check whether the message "-=+ Kode4 +=- The one and ONLY!" appears on screen.
Note:
1) Doesn't stay resident in memory.
2) Kode4-2 doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).

Virus Name: K_Hate
Alias Name: K-Hate
Virus Type: File Virus
Virus Length: 1,237 to 1,304 bytes
Description: This virus infects *.COM files, including COMMAND.COM. When an infected file is executed, the virus will infect all *.COM files in the same directory. Infected files will experience a file length increase of 1,237 to 1,304 bytes, with the virus located at the end of the file. Date and time information of infected files will not be altered.
The following text strings can be found in the virus:
"CRYPT INFO" "KDG 0,5 / Khntark3" "*, K-HATE / Khntark*.COM"

Virus Name: Kampana.A
Alias Name: Telecom Boot, Campa, Anti-Tel, Brasil
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
Interrupt vectors hooked: INT 13h.
Infection method:
1) When the system is booted from an infected diskette, the virus loads itself in memory.
2) While loaded, it infects any accessed disks.
3) The DOS CHKDSK program will show a "total bytes memory" decrease of 1,024 bytes.
Damage: After a number of reboots, the virus overwrites sectors of the hard disk.
Note:
1) If you attempt to examine the master boot record while the virus is loaded, it will display the original, uninfected version.

Virus Name: KeyKapture
Alias Name: KeyKap, Hellspawn.1
Virus Type: File Virus
Virus Length: 1,074 bytes
Description: This virus infects *.EXE files by creating a hidden *.COM file of the same name in the same directory. When an infected file is executed, the virus installs itself into memory. Total available memory will decrease by 3,072 bytes. Once the virus is memory resident, it will infect *.EXE files when they are executed by creating a 1,074 byte *.COM file of the same name. The original *.EXE file will not be changed in any way. Infected systems may experience system hangs.
The following text string can be found in the virus:
"KKV.90 KeyKapture Virus v0.90 [Hellspawn-II] (c) 1994 by Stormbringer [PS]"

Virus Name: Killcom
Virus Type: File Infector Virus
Virus Length: 31648 bytes
PC Vectors Hooked: None
Executing Procedure:
1) Look for "COMMAND.COM" in the current directory of "C:\".
2) If found, destroy this file. If not found, then create a "COMMAND.COM" file with 213 bytes.
Damage: Destroys "COMMAND.COM" file in the current directory of "C:\".
Detecting Method: None.
Note:
1) Doesn't stay resident in memory.
2) Killcom doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).

Virus Name: Killboot
Virus Type: Trojan
Virus Length: 32000 bytes
PC Vectors Hooked: None
Damage: Destroys all data in the BOOT SECTOR of "C:\" and "B:\", then shows a line of codes and the system halts.
Detecting Method: None.
Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition.

Virus Name: Kennedy
Other names: None
Virus Type: File Infector Virus
Virus Length: 333 bytes
Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once resident in memory, it will infect any uninfected file that is executed.
Damage: Destroys the FAT.
Detecting Method:
1) On June 6th, November 8th, and November 22nd, the virus will display the following message: "Kennedy is dead - long live the Dead Kennedys."
2) It then proceeds to destroy the FAT.
Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).

Virus Name: Klf-356
Virus Type: COM File infector
Virus Length: 356 bytes
Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.
Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) First, it hooks INT 24h so that write errors do not reveal its presence.
3) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detecting Method: Infected file sizes increase by 356 bytes.

Virus Name: Kiwi-550
Virus Type: EXE File infector
Virus Length: 550-570 bytes
Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.
Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) First, it hooks INT 24h so that write errors do not reveal its presence.
3) If the program to be executed is an uninfected EXE file, the virus proceeds to infect it.
Damage: None
Detecting Method: Infected file sizes increase by 550-570 bytes.

Virus Name: N1
Virus Type: COM File infector
Virus Length: 10230-10240 bytes
Executing Procedure:
1) Searches for an uninfected COM file in the current directory, then infects it (infects only one file at a time).
2) It will then display the following message: "This File Has Been Infected By NUMBER One!"
Damage: None
Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hooked.
Detecting Method:
1) Infected files will display the above message when executed.

Virus Type : File Virus
Other Name :
Virus Length :
Virus Infect Type : COM & EXE files
Place of Origin :
Virus Memory Type :
Int. Vectors Hooked : Int 21h
Infection Procedure:
The virus infects COM and EXE files, increasing their sizes by 2 kbytes, and hooks interrupt 21h. After the virus is executed, it waits for EXE and/or COM files to infect. It infects all COM and EXE files except COMMAND.COM. The following message can be found in all infected files:
"This is an [ illegal copy ] of keypress virus remover" "Systems Halted." "Eternal Fair"
The virus doesn't reinfect a file being executed if it is already infected.
Trigger Condition :
Virus Memory Type : Non Resident
Int. Vectors Hooked :
The virus first sets the disk transfer area (DTA) to 114C:0816h. Then it tries to infect COM and EXE files in the same directory and in other directories specified in the PATH. It uses the Find First Match Directory Entry function and infects all EXE and COM files found there, then uses the Next Directory Entry and also infects all EXE and COM files there. It then sets the DTA again, to 114C:0080h, and displays the message stored in the virus code.
First it gets the DOS variables, then it reads drive C: and writes to it, with FFFFh sectors to be read, 5945h as the starting sector, and 139E:0889h as the memory address for the data transfer. Then it tries to write 4 sectors to drive C:. After this write, EXE or COM files that are executed will never be infected. But after the computer is rebooted, the system will hang and the keyboard will be disabled.
Virus Memory Type : High Memory Type
Int. Vectors Hooked : Int 21 & Int 1C
First it saves the values of all the registers, then it loads itself into high memory at 9FA3:100, loading 1216 bytes. Then it hooks Int 21h and Int 1Ch (Timer Tick Interrupt), sets a value, and restores the original values of the registers.
Origin :
Eff Length : 4444 bytes
Type Code : Polymorphic File Virus
Symptoms :
EXE files increase by 4444 bytes and there is a decrease of 6144 bytes in the available memory. Infected files tend to display messages like : "Error Loading Program File", "File not Found", and "Memory Allocation Error."
General Comments:
On the first infection, KACZ first decrypts 4387 bytes of its code and then allocates 6144 bytes in the High Memory Area. It then transfers 4387 bytes of its code to that area and hooks INT 13 and INT 21. Next it reads the Boot Record of the hard disk and tries to modify it. It writes the new, infected Boot Record to the hard disk, so that every time the disk is used for booting up the virus will be resident.
This virus will infect all EXE files that are opened, renamed, or executed. It will also change the file's Second field to 62.
These messages are found in the decrypted virus code:
"Zrobione" "Wersja" "Kodowanie" "Liczmik HD" "K a c z,o r t e s t"