K-4B Virus
Virus Name: K-4B
Aliases:
V Status: Rare
Discovered: June, 1993
Symptoms: .COM file growth
Origin: Sweden or The Netherlands
Eff Length: 687 Bytes
Type Code: PRfCK - Parasitic Resident .COM Infector
Detection Method: F-Prot, ViruScan, IBMAV, Sweep, AVTK, NAV, NAVDX,
VAlert, PCScan, ChAV, NShld, Sweep/N, AVTK/N, NProt, IBMAV/N, Innoc,
NAV/N, LProt
Removal Instructions: Delete infected files
General Comments:
The K-4B virus was submitted in June, 1993, and is from either
Sweden or The Netherlands. K-4B is a memory resident virus, though
it infects via direct action. The memory resident portion of the
virus contains some code to make it resistant to the use of debuggers
to analyse the virus.
When the first K-4B-infected program is executed, the K-4B
virus will install some code in available free memory, hooking
interrupt 03. This code is not used by the virus to replicate, but
rather to thwart analysis of the virus. The virus will then infect
one .COM program in the current directory. Later, when the user
executes another K-4B-infected program, the code is not reinstalled
in memory, but another .COM program is infected.
Programs infected with the K-4B virus will have a file length
increase of 687 bytes with the virus being located at the end of
the file. The program's date and time will not be altered. The
following text strings are encrypted within the K-4B virus:
"EAF0FF00F0"
"*.COM"
"????????COM?"
K-4B doesn't appear to do anything interesting other than its
anti-debugger code.
See: K-4C Kohntark