Kela Virus
Virus Name: Kela
Aliases: Kela.1171
V Status: New
Discovered: July, 1995
Symptoms: .COM & .EXE growth; DOS CHKDSK file allocation errors;
decrease in total system & available free memory;
file date/time seconds = "62"
Origin: Unknown
Eff Length: 1,171 Bytes
Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, VAlert, ViruScan, NAV, NAVDX, Sweep,
IBMAV, ChAV, AVTK/N, Sweep/N, NShld, NAV/N, IBMAV/N, NProt, Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Kela or Kela.1171 virus was received in July, 1995, along with
several variants of this virus. This virus is a memory resident,
semi-stealth virus which infects .COM and .EXE files, including
COMMAND.COM. Its origin or point of isolation is unknown.
When the first Kela-infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, moving interrupt 12's return. Total system
and available free memory, as indicated by the DOS CHKDSK program
from DOS 5.0, will have decreased by 3,072 bytes. Interrupts 21 and
22 will be hooked by the virus in memory.
Once the Kela virus is memory resident, it will infect .COM and
.EXE files when they are executed. Infected files will have a file
length increase of 1,171 bytes, though this file length increase
will be hidden when the virus is memory resident. The virus will
be located at the end of the file. The program's date and time in
the DOS disk directory listing will not appear to be altered, though
the seconds field will have been set to "62". The following
text string is visible within the viral code in all infected files:
"KELA"
The DOS CHKDSK program will indicate file allocation errors on all
infected files when the virus is memory resident.
Known variant(s) of Kela are:
Kela.823: Also received in July, 1995, this is an 823 byte
variant of the Kela virus described above. Its size in memory
is 3,072 bytes, hooking interrupts 21 and 22. Once resident,
it will infect .COM files, but not COMMAND.COM, when they are
executed. Infected files will have a file length increase of
823 bytes, though this file length increase will be hidden by
the virus when it is memory resident. The virus will be
located at the end of the file. The program's date and time in
the DOS disk directory listing will not appear to be altered,
though the seconds field will have been set to "62". The
following text string is visible within the viral code:
"KELA lives Don KR. 1992"
The DOS CHKDSK program will indicate file allocation errors on
all infected files when the virus is memory resident.
Origin: Unknown July, 1995.
Kela.1735: Also received in July, 1995, this is a 1,735 byte
variant of the Kela virus described above. It also becomes
memory resident at the top of system memory but below the 640K
DOS boundary, but does not move interrupt 12's return.
Available free memory, as indicated by the DOS CHKDSK program
from DOS 5.0, will have decreased by 2,048 bytes. Interrupts 21
and 22 will be hooked. Once resident, it infects .COM and .EXE
files when executed or opened, but not on copy. It adds 1,735
bytes to their length, though the file length increase will be
hidden when the virus is memory resident. The virus will be
located at the end of the file. The program's date and time in
the DOS disk directory listing will not appear to be altered, though
the seconds field will have been set to "62". The following
text strings are visible within the viral code:
"AIDSTEST"
"KELA-9 lives all times 1992-93"
"Alien"
The DOS CHKDSK program will indicate file allocation errors on
all infected files when the virus is memory resident.
Origin: Unknown July, 1995.
Kela.1904: Also received in July, 1995, this is a 1,904 byte
variant of the Kela virus described above. It also becomes
memory resident in a manner similar to Kela.1735, though its size
in memory is 2,224 bytes, hooking interrupts 21 and 22. Once
resident, it infects .COM and .EXE files when executed or opened,
but not on copy. It adds 1,904 bytes to their length, though the
file length increase will be hidden when the virus is memory
resident. The virus will be located at the end of the file.
The program's date and time in the DOS disk directory listing
will not appear to be altered, though the seconds field will have
been set to "62". The following text strings are visible
within the viral code:
"Kela"
"COMEXE"
The DOS CHKDSK program will indicate file allocation errors on
all infected files when the virus is memory resident.
Origin: Unknown July, 1995.
Kela.2018: Received in December, 1996, this is a 2,018 byte
variant of the Kela virus described above. It also becomes
memory resident in a manner similar to Kela.1735, though its size
in memory is 2,320 bytes, hooking interrupt 21. Once resident,
it infects .COM and .EXE files when executed or opened, but not
on copy. It adds 2,018 bytes to their length, though the file
length increase will be hidden when the virus is memory resident.
The virus will be located at the end of the file. The program's
date and time in the DOS disk directory listing will not appear
to be altered, though the seconds field will have been set to
"62". No text strings are visible within the viral code.
The DOS CHKDSK program will indicate file allocation errors on
all infected files when the virus is memory resident.
Origin: Unknown December, 1996.
Kela.2520: Also received in July, 1995, this is a 2,520 byte
variant of the Kela virus described above. It also becomes
memory resident in a manner similar to Kela.1735, though its size
in memory is 2,832 bytes, hooking interrupt 21. Once resident,
it infects .COM and .EXE files when executed or opened, but not
on copy. It adds 2,520 bytes to their length, though the file
length increase will be hidden when the virus is memory resident.
The virus will be located at the end of the file. The program's
date and time in the DOS disk directory listing will not appear
to be altered, though the seconds field will have been set to
"62". No text strings are visible within the viral code.
The DOS CHKDSK program will indicate file allocation errors on
all infected files when the virus is memory resident. This
variant will also disinfect programs as they are read into
memory, so any attempt to view a file with the virus memory
resident will result in an uninfected copy of the file being
shown.
Origin: Unknown July, 1995.
Kela.2530: Also received in July, 1995, this is a 2,530 byte
variant of the Kela virus described above. It also becomes
memory resident in a manner similar to Kela.1735, though its size
in memory is 2,928 bytes, hooking interrupts 08, 21, and 22.
Once resident, it infects .COM and .EXE files when executed or
opened, but not on copy. It adds 2,530 bytes to their length,
though the file length increase will be hidden when the virus is
memory resident. The virus will be located at the end of the
file. The program's date and time in the DOS disk directory
listing will not appear to be altered, though the seconds field
will have been set to "62". No text strings are visible within
the viral code. The DOS CHKDSK program will indicate file
allocation errors on all infected files when the virus is memory
resident. This variant will also disinfect programs as they are
read into memory, so any attempt to view a file with the virus
memory resident will result in an uninfected copy of the file
being shown.
Origin: Unknown July, 1995.
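
The file-level indicators this entry lists (a seconds field of "62" on .COM and .EXE files, and the text strings at the end of the file) can be checked offline against a disk image. The following is an added example, not part of the original entry: it decodes 32-byte FAT directory entries, where DOS stores seconds halved in the low five bits of the time word, and searches the file tail for the listed strings. Function names and the sample entries are constructed for illustration.

```python
import struct

# Strings this entry reports inside the viral code (Kela.1171, .823, .1735, .1904).
KELA_STRINGS = (b"KELA", b"Kela", b"AIDSTEST", b"Alien", b"COMEXE")
MAX_VIRUS_LEN = 2530  # largest variant length listed in this entry
ENTRY = struct.Struct("<8s3sB10xHHHI")  # 32-byte FAT directory entry layout

def parse_entry(raw):
    """Decode a FAT directory entry; seconds are stored halved in 5 bits."""
    name, ext, _attr, time_w, _date_w, _cluster, size = ENTRY.unpack(raw)
    return {
        "name": name.decode("ascii").rstrip(),
        "ext": ext.decode("ascii").rstrip(),
        "hms": (time_w >> 11, (time_w >> 5) & 0x3F, (time_w & 0x1F) * 2),
        "size": size,
    }

def has_seconds_marker(entry):
    """True for a .COM/.EXE entry whose seconds field decodes to 62."""
    return entry["ext"] in ("COM", "EXE") and entry["hms"][2] == 62

def tail_strings(data):
    """Known strings found in the last MAX_VIRUS_LEN bytes (virus is appended)."""
    tail = data[-MAX_VIRUS_LEN:]
    return [s.decode() for s in KELA_STRINGS if s in tail]

def triage(raw_entry, data):
    """Return (file name, seconds marker present, strings found in tail)."""
    entry = parse_entry(raw_entry)
    name = entry["name"] + "." + entry["ext"]
    return name, has_seconds_marker(entry), tail_strings(data)

def make_entry(name, ext, h, m, raw_secs, size):
    """Build a constructed directory entry for the samples below."""
    time_w = (h << 11) | (m << 5) | raw_secs
    date_w = ((1995 - 1980) << 9) | (7 << 5) | 1
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                      0x20, time_w, date_w, 2, size)

# Constructed samples: harmless filler bytes, not real virus code.
CLEAN = b"\x90" * 400
MARKED = b"\x90" * 400 + b"\x00" * 1167 + b"KELA"
SAMPLES = [
    (make_entry("EDIT", "COM", 12, 30, 15, len(CLEAN)), CLEAN),
    (make_entry("FORMAT", "COM", 12, 30, 31, len(MARKED)), MARKED),
]

if __name__ == "__main__":
    for raw, data in SAMPLES:
        print(triage(raw, data))
```

Kela.2018, Kela.2520 and Kela.2530 carry no visible text strings, so only the seconds marker applies to them. Read the directory and files with the virus not resident, since the entry notes that the resident virus hides the length increase and that some variants disinfect files as they are read.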