Virus Name: Kato
V Status: New
Discovered: February, 1995
Symptoms: .EXE file growth; decrease in available free memory
Eff Length: 1,569 - 1,583 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: F-Prot, IBMAV, AVTK, Sweep, ViruScan, NAV,
NAVDX, VAlert, ChAV,
NProt, IBMAV/N, AVTK/N, Sweep/N, NShld, NAV/N, Innoc 4.0+
Removal Instructions: Delete infected files
The Kato virus was received in February, 1995. Its origin or point
of isolation is unknown. Kato is a memory resident infector of .EXE
When the first Kato infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Total
available free memory, as indicated by the DOS CHKDSK program from
DOS 5.0, will have decreased by approximately 5,216 bytes. Interrupts
21 and 2F will be hooked by the virus in memory.
Once the Kato virus is memory resident, it will infect .EXE files
when they are executed. Infected .EXE files will have a file length
increase of 1,569 to 1,583 bytes with the virus being located at the
end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text string is
visible within the viral code in all infected programs:
"Mr. D ,Fuck DHWD from 048030, 048012670020 the worst..."
The following text string is encrypted within the viral code and is
not visible within infected programs:
"VIR MKS AV NV TB"
It is unknown what the Kato virus does besides replicate.