Prevent Online Threats

Archive for January, 2007

Keydrop

Saturday, January 20th, 2007

Details
Keydrop

This is a non-dangerous virus. Like “Brain”, it infects the boot sectors of floppy disks when they are accessed, and the MBR of the hard disk when the computer is rebooted from an infected floppy disk. The virus produces the “falling letters” effect (the code is copied from the “Cascade” virus). The virus hooks INT 13h and contains the text “(c) Copyright 1990 Keydrop inc.”.

Keybug.980

Saturday, January 20th, 2007

Details
Keybug.980

It is a non-dangerous memory-resident parasitic virus. It hooks INT 9 and INT 21h and writes itself to the end of COM and EXE files that are executed. The virus “jokes” with the keyboard, and contains the text strings:
The Black Magician. Copyright (c) 1991
KEYBUG from The Black Magician

Kerstin.923

Saturday, January 20th, 2007

Details
Kerstin.923.a

It is a non-dangerous, non-memory-resident parasitic virus. It searches for .EXE files, then writes itself to the end of the file. On September 16th it plays the “Happy Birthday” tune, then decrypts and displays the message:
Kerstin.95b
Happy birthday Kerstin ! I’ll always be there 4 U. Contact me. In love A.

Kerplunk.3059

Saturday, January 20th, 2007

Details
Kerplunk.3059

This is a dangerous memory-resident, oligomorphic, stealth parasitic virus. It hooks INT 21h and intercepts 23 DOS functions for file access, searching, memory allocation and others: AH=00h, 11h, 12h, 18h, 31h, 32h, 3Dh, 3Fh, 40h, 41h, 42h, 43h, 48h, 49h, 4Ah, 4Bh, 4Ch, 4Eh, 4Fh, 52h, 56h, 57h, 6Ch.
The virus writes itself to the end of COM and EXE files that are accessed. It also checks the file names, and does not call the infection routine if a file name begins with: RA (RAV), FV (FV86/FV386), FI (FindVirus), NO (Nod-ICE), SC (McAfee Scan), VS (McAfee VShield), TB (ThunderByte Anti-Virus).
The virus disinfects an infected file when the file is written to or loaded for debugging. When WIN.COM is executed (Windows is starting), the virus disables its stealth routines as well as Windows’ 32-bit disk access (the virus appends the option “/d:c” to the end of the command line). The virus also temporarily disables its stealth routines when several utilities are executed: ARJ, RAR, LHA, PKZIP, CHKDSK, HIT, BACKUP, MSBACKUP, TELIX, DEFRAG, SPEEDISK, UC.
If an IPX driver is detected, the virus accesses the Novell network and causes network faults. If the user name of the infected PC is SUPERVISOR, the virus calls Novell NetWare functions to perform several actions in the network:
On Mondays, it sets SUPERVISOR privileges for GUEST login
From the 1st until the 4th of any month, it disables SUPERVISOR’s privileges.
If the current time is less than 9:00, it reboots the server
If the current time is less than 14:00, it cancels a randomly selected connection
On Sundays, it cancels the logging procedure.
If the user name is not SUPERVISOR:
It clears the screen on a Novell server
It sends a message to a randomly selected user on the network:
Permanent system error. Please hit the computer NOW!

The virus also contains the text:
Kerplunk coded by Virtual Daemon/SLAM

Kernel.608

Saturday, January 20th, 2007

Details
Kernel.608

It is a very dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM files that are executed. On June 8th it erases the hard drive sectors and halts the computer. It contains the word “KERNEL” and the encrypted string:
Dedicated to tfe 13021 lost sheep. Please God, do help them.

Kemerovo

Saturday, January 20th, 2007

Details
Kemerovo.a

These are dangerous non-memory-resident parasitic viruses. They search for .COM files in the current directory, then write themselves to the end of the file and write Jmp-Virus instructions (four bytes: XCHG AX,DX; JMP Loc_Virus) to the file header. Depending on the system timer, these viruses might reboot the computer. They contain the string “.COM”. When attempting to infect, they open the files and might leave them open.

Kelly.779

Saturday, January 20th, 2007

Details
Kelly.779

It is a non-dangerous, non-memory-resident, encrypted parasitic virus. It searches for .COM files, then writes itself to the end of the file. On a Tuesday that falls on the 20th it hooks INT 1Ch and manifests itself with a video effect. The virus contains the text:
Just a message… a simple message to put in a virus… argh…
what am I going to write here… yeah… maybe the name of the
virus, I am tired of those shitty names! Callme [Kelly]. OK?

Kela Family

Friday, January 19th, 2007

Details
Kela Family

These are memory-resident parasitic viruses. They hook INT 21h, and write themselves to the end of COM and EXE files that are accessed. Some of the major “Kela” versions are stealth viruses. The “Kela” viruses contain the following text strings:
“Kela.823”: KELA lives Don Kr. 1992
“Kela.1171”: KELA
“Kela.1735”: AIDSTEST KELA-9 lives all times 1992-93 Alien
“Kela.1904”: Kela
“Kela.2002”: KELA lives all times 1993 ver
“Kela.2010”: AIDSTEST KELA-10 lives all times 1992-93 Alien
“Kela.2122”: Eddie lives…somewhere in time! (C) Dread Lord, 1993, 1994
Thanx to the Dark Avenger DDT — LAME ! FotD — RULEZ
“Kela.2163”: Eddie lives…somewhere in time!
Eddie 2 or Infinite Dreams virus by FotD
(C) Dread Lord, 1993, 1994
Thanx to the Dark Avenger DDT — LAME ! FotD — RULEZ

Some of the “Kela” viruses decrypt and display the following messages:
“Kela.690”: ? 䔡 èá_¡á_ - 4 KELA
“Kela.2099”: You Are Dead !! Ha Ha Ha KELA-16
“Kela.2530”: You Are Dead !! Ha Ha Ha KELA-15

“Kela.690” is a dangerous virus. While executing, it copies itself to the address 9500:0100 and does not fix the MCB list, which might halt the computer. That virus infects .COM files only.
“Kela.2010” overwrites files with a string in Russian.
“Kela.2520” also hooks INT 8 (timer), and manifests itself with a video effect: it “drops” the letters.
Kela.Chigi
These are very dangerous viruses. “Chigi.2203” also hooks INT 13h, and searches for the string “Adinf” in sectors being read. If this string is found, the virus overwrites the sector. This virus also contains the following string:
ChigiVarez Lives SomeWhere in Net …

On the 24th of any month, “Chigi.2518” exchanges the addresses of INT 25h and INT 26h. This may corrupt data on the disks. The virus also displays a message in Russian.

Kein

Friday, January 19th, 2007

Details
Kein

It is a harmless memory-resident boot virus. It hooks INT 13h and infects disk boot sectors that are accessed. The virus does not manifest itself in any way; it contains the text:
Kein System oder Laufwerksfehlr
Wechseln und Tast

Keeper.Acid.694

Friday, January 19th, 2007

Details
Keeper.Acid.694

These are memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of the files. “Keeper.Acid.694”, “Keeper.Enemy.644” and “Keeper.Eleet.726” infect EXE files that are executed; “Keeper.Massacre” infects both COM and EXE files when they are accessed.
These viruses contain the text strings:
“Keeper.Acid.694”: Crypt Keeper P/S
“Keeper.Eleet.726”: [ELEET] virus by Crypt Keeper
“Keeper.Enemy.644”: [Enemy Within] Crypt Keeper - Phalcon/Skism
“Keeper.Lurker.546”: [LURKER] Crypt Keeper
“Keeper.Massacre.742”: [MIDNIGHT MASSACRE] by Crypt Keeper EXECOM
“Keeper.Massacre.775”: [MIDNIGHT MASSACRE] V1.2 by Crypt Keeper EXECOM

Depending on the system time:
“Keeper.Acid.694” displays the message:
Your PC is on an [Acid Trip]… Try again later…

“Keeper.Massacre” deletes the files instead of infecting them.
Keeper.China.777
It is a dangerous non-memory-resident parasitic virus. It searches for .COM files (except COMMAND.COM), then writes itself to the beginning of the file. At 1 p.m. (13:00) the virus erases the disk sectors. It contains the encrypted text strings:
*.COM
COMMAND.COM
The China Syndrome Version 1.00a Written by : Crypt Keeper
Well, I guess you found the sectors… You got a warning…
This program was written in the city of Cincinnati. Non-destructive
version -A-
l8r d00d.

Keeper.Eleet.726
It also hooks INT 29h and, depending on the system time, replaces the symbols that are displayed through INT 29h. The symbols from the first line are replaced with the corresponding symbols from the second line:
cdegiklnostvxzCDEFGHIJKOSTUVWX
(>3G!K1N0$+V%Z[>3fgh!jk0$+uvw%

Keeper.Fly.1036, Joker.1080
These are dangerous memory-resident parasitic viruses. They copy themselves to the top of system memory but do not correct the MCB list. As a result, the computer might halt. The viruses then hook INT 21h and return to the host program. When any file is accessed, the viruses search for .COM files (except COMMAND.COM, IBMBIO.COM, IBMDOS.COM) and infect them.
“Keeper.Fly.1036”:
It is an encrypted virus. It writes itself to the beginning of the file. While infecting, the virus encrypts the host file. Then the virus searches for and overwrites the files:
SCAN.EXE CLEAN.EXE NAV.EXE CPAV.EXE TBSCAN.EXE F-PROT.EXE FLUSHOT3.COM

with a program that, when executed, displays:
Not enough memory.

Depending on the current time the virus displays:
[The Fly] Version 1.00 by Crypt Keeper
Be afraid… Be very afraid…

“Keeper.Joker.1080”:
It writes itself to the end of the files. Depending on the system time it displays one of the messages:
You have the Joker ]I[ virus by Crypt Keeper [Joker 3]
Please insert tractor-feed toilet paper into printer
Impotence error causing erection at port adress 3E2 IRQ 5
This program requires Microsoft Windows.
Computer hungry : Insert 5-1/4 inch HAMBURGER in drive A:
Missing Light Magenta/Olive ribbon in printer.
Not enough memory.
Packed file corrupt.
Bad command or file name
Bad or missing command interpreter.

KcVirus.1238

Friday, January 19th, 2007

Details
KcVirus.1238

It is a dangerous memory-resident stealth parasitic virus. It hooks INT 20h, 21h and 27h and writes itself to the end of COM files (except COMMAND.COM) that are being searched. At a random position in BAS files (Basic source files), the virus writes the text:
KC-VIRUS

Kbrflags.1024

Friday, January 19th, 2007

Details
Kbrflags.1024

It is a non-dangerous memory-resident parasitic virus. It hooks INT 8 and INT 21h, and intercepts the DOS execute, read and write functions. On these calls the virus searches for EXE files in the current directory and writes itself to the end of the file. Sometimes it changes the keyboard flags.

KbrError.1268

Friday, January 19th, 2007

Details
KbrError.1268

It is a dangerous non-memory-resident parasitic virus. It searches for .COM files (except COMMAND.COM) and writes itself to the end of the file. Before infecting, the virus writes a random number of NOP commands to the end of the file; as a result, the file length is increased by a random value. Depending on the system time, the virus displays the message:
KeyBoard Error …

then it corrupts the keyboard buffer and reboots the computer. It also contains the text strings:
COMMAND.COM
UFO

KbrBug.895

Friday, January 19th, 2007

Details
KbrBug.895

These are harmless memory-resident encrypted parasitic viruses. They hook INT 1, 3, 1Ch and ACh and write themselves to the end of COM (except COMMAND.COM), EXE and OVL files. The viruses patch the original INT 21h handler: they insert an INT ACh call into the original INT 21h code, and set the INT ACh vector to the address of the virus body.
These viruses do not infect files for a few days after infecting the system. Periodically they call the trigger routine, which jokes with the keyboard by changing the keyboard buffer address and filling the buffer with “dust”.
“KbrBug.895” is less complex: it hooks only INT 1Ch and 21h and does not infect EXE files. Sometimes this virus exchanges the digits ‘0’ to ‘9’ on the screen.
“KbrBug.2662” also hooks INT 8 and 10h and manifests itself with some video effects.

Kazanir.768

Friday, January 19th, 2007

Details
Kazanir.768

It is a harmless memory-resident parasitic virus. It hooks INT 21h and, when any file is executed, searches for .COM files and writes itself to the end of the files that are found. The virus contains the text strings:
Her zaman iyiler K A Z A N I R ! Dogruluktan A Y R I L M A !
*.com
Version:
DenemE
ZEKVIR Virusu (c) 1 9 9 5 ASPARAGUS ™ INTELLIGENT
i.U iSLETME FAK.EXTERNAL - 3 0 4 AVCILAR/ i S T

