Kato Virus


 Virus Name:  Kato 
 Aliases:    
 V Status:    New 
 Discovered:  February, 1995 
 Symptoms:    .EXE file growth; decrease in available free memory 
 Origin:      Unknown 
 Eff Length:  1,569 - 1,583 Bytes 
 Type Code:   PRhE - Parasitic Resident .EXE Infector 
 Detection Method:  F-Prot, IBMAV, AVTK, Sweep, ViruScan, NAV, 
                    NAVDX, VAlert, ChAV, 
                    NProt, IBMAV/N, AVTK/N, Sweep/N, NShld, NAV/N, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Kato virus was received in February, 1995.  Its origin or point 
       of isolation is unknown.  Kato is a memory resident infector of .EXE 
       files. 
 
       When the first Kato infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, not moving interrupt 12's return.  Total 
       available free memory, as indicated by the DOS CHKDSK program from 
       DOS 5.0, will have decreased by approximately 5,216 bytes.  Interrupts 
       21 and 2F will be hooked by the virus in memory. 
 
       Once the Kato virus is memory resident, it will infect .EXE files 
       when they are executed.  Infected .EXE files will have a file length 
       increase of 1,569 to 1,583 bytes with the virus being located at the 
       end of the file.  The program's date and time in the DOS disk 
       directory listing will not be altered.  The following text string is 
       visible within the viral code in all infected programs: 
 
               "Mr. D  ,Fuck DHWD from 048030, 048012670020 the worst..." 
 
       The following text string is encrypted within the viral code and is 
       not visible within infected programs: 
 
               "VIR MKS AV NV TB" 
 
       It is unknown what the Kato virus does besides replicate.

Show viruses from discovered during that infect .

Main Page