K-4C Virus
Virus Name: K-4C
Aliases:
V Status: Rare
Discovered: June, 1993
Symptoms: .COM file growth
Origin: Sweden or The Netherlands
Eff Length: 737 Bytes
Type Code: PRfCK - Parasitic Resident .COM Infector
Detection Method: F-Prot, ViruScan, IBMAV, Sweep, AVTK, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, NProt, AVTK/N, IBMAV/N, Innoc, NAV/N, LProt
Removal Instructions: Delete infected files
General Comments:
The K-4C virus was submitted in June, 1993, and is from either
Sweden or The Netherlands. K-4C is a memory resident virus, though
it infects via direct action. The memory resident portion of the
virus contains some code to make it resistant to the use of debuggers
to analyse the virus.
When the first K-4C virus infected program is executed, the K-4C
virus will install some code in available free memory, hooking
interrupt 03. This code is not used by the virus to replicate, but
rather to thwart analysis of the virus. The virus will then infect up
to five .COM files in the current directory. Later, when the user
executes another K-4C infected program, the code is not reinstalled
in memory, but up to five more .COM programs are infected. The virus
will not infect more than sixteen files in a given directory.
Programs infected with the K-4C virus will have a file length
increase of 737 bytes with the virus being located at the end of
the file. The program's date and time will not be altered. The
following text strings are encrypted within the K-4C virus:
"K-4C VIRUS by Köhntark*.COM"
"????????COM"
K-4C is a later version of the K-4B virus.
See: K-4B Kohntark