Kalah Virus


 Virus Name:  Kalah 
 Aliases: 
 V Status:    Rare 
 Discovered:  December, 1991 
 Symptoms:    .COM file growth 
 Origin:      Hamburg, Germany 
 Eff Length:  390 Bytes 
 Type Code:   PRCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, Sweep, AVTK, F-Prot, NAV, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Kalah virus was isolated in Hamburg, Germany, in December, 1991. 
       This virus is a memory resident infector of .COM files, including 
       COMMAND.COM. 
 
       The first time a program infected with Kalah is executed, the 
       Kalah virus will install itself memory resident in a "hole" in 
       very low system memory, hooking interrupt 21.  There will be no 
       decrease in available free memory or total system memory. 
 
       Once the Kalah virus is memory resident, it will infect .COM 
       programs, including COMMAND.COM, when they are executed.  Infected 
       files, with the exception of those with an original file length 
       of less than 390 bytes, will increase in size by 390 bytes.  If 
       the file's uninfected file length was less than 390 bytes, the 
       file's file length after infection will be 780 bytes.  The virus 
       will be located at the beginning of the infected file, and the 
       original first 390 characters of the file will have been moved to 
       the end of the infected file.  There will be no change to the 
       file's date and time in the DOS disk directory listing.  There are 
       no text strings visible in the Kalah virus code in infected files. 
 
       It appears Kalah doesn't do anything besides replicate. 
 
       Known variant(s) of Kalah are: 
       Kalah-499: Received in October, 1992, Kalah-499 is a non-resident 
                  version of the virus described above.  It infects two .COM 
                  programs each time an infected program is executed. 
                  Infected programs will have a file length increase of 499 
                  bytes with the virus being located at the beginning of the 
                  file.  In the case of .COM files which were originally 
                  smaller than 499 bytes in length, they will have a file 
                  length of 998 bytes after infection.  The file's date and 
                  time in the DOS disk directory listing will not be 
                  altered.  The following text string can be found in all 
                  Kalah-499 infected programs: 
                  "I don't like mondays ..." 
                  Kalah-499 contains code to low-level format the system 
                  hard disk when an infected program is executed on any 
                  Monday. 
                  Origin:  Unknown  October, 1992.

Show viruses from discovered during that infect .

Main Page