Virus Name: KeyKap
Aliases: KeyKap.1074, Spawn
V Status: New
Discovered: January, 1995
Symptoms: .COM files created; .BAT files may hang system when run;
decrease in available free memory (DOS 5.0)
Eff Length: 1,074 Bytes
Type Code: SRhE - Spawning/Companion Resident .EXE Infector
Detection Method: F-Prot, AVTK, IBMAV, ViruScan, Sweep, NAV, NAVDX,
VAlert, PCScan, ChAV,
AVTK/N, IBMAV/N, NShld, Sweep/N, NProt, NAV/N, LProt,
Removal Instructions: Delete hidden companion .COM files

The KeyKap virus, also known as KeyKap.1074 or Spawn, was received in
January, 1995. Its origin or point of isolation is unknown. KeyKap is a
memory resident companion or spawning virus which infects .EXE
files by creating a hidden companion .COM file.

When the first KeyKap infected program is executed, the virus
installs itself memory resident at the top of system memory
but below the 640K DOS boundary, hooking interrupts 09, 13, and 21.
Total system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 3,072 bytes.

Once the KeyKap virus is memory resident, it will infect .EXE files
when they are executed by creating a companion, hidden .COM file
of 1,074 bytes. The .EXE files are not altered; the companion
.COM files contain the viral code. The companion .COM files are
1,074 bytes in length and have the current system date and time in
the DOS disk directory. They are not visible in a DOS disk
directory listing because the Hidden attribute has been set. The
following text string can be found within the viral code in the
companion .COM files:
"KKV.90 KeyKapture Virus v0.90 [Hellspawn-II] (c) 1994
by Stormbringer [PS]"
Systems infected with this virus may hang when .BAT files are

Known variant(s) of KeyKap are:
KeyKap.1077: Also received in January, 1995, this is a 1,077
byte variant of the KeyKap virus described above. Its hidden
.COM files are 1,077 bytes in size. It contains the same
text string as the original virus.
Origin: Unknown January, 1995.
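
The removal instruction above depends on first locating the hidden companion .COM files. The following is an added example, not part of the original entry: a Python scan that flags any .COM file sharing a base name with an .EXE in the same directory and notes whether its size (1,074 or 1,077 bytes) and the "KeyKapture Virus v0.90" text match the description. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# Indicators taken from the description above.
COMPANION_SIZES = {1074, 1077}           # KeyKap.1074 and KeyKap.1077
SIGNATURE = b"KeyKapture Virus v0.90"    # part of the text string in the viral code

def find_companions(root):
    """Return (path, reasons) for each .COM file that shadows a same-named .EXE."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_name = {f.upper(): f for f in files}
        for upper, actual in by_name.items():
            stem, ext = os.path.splitext(upper)
            if ext != ".COM" or stem + ".EXE" not in by_name:
                continue
            path = os.path.join(dirpath, actual)
            reasons = ["shadows " + by_name[stem + ".EXE"]]
            if os.path.getsize(path) in COMPANION_SIZES:
                reasons.append("size matches")
            with open(path, "rb") as fh:
                if SIGNATURE in fh.read():
                    reasons.append("signature found")
            # The Hidden bit (0x2) is only exposed by os.stat on Windows.
            if getattr(os.stat(path), "st_file_attributes", 0) & 0x2:
                reasons.append("hidden attribute set")
            findings.append((path, reasons))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (harmless filler, not real infected files)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "GAME.EXE": b"MZ" + b"\0" * 62,
            "GAME.COM": SIGNATURE.ljust(1074, b"\x90"),  # constructed look-alike
            "EDIT.EXE": b"MZ" + b"\0" * 62,
            "EDIT.COM": b"\xc3" * 300,     # unrelated .COM with the same base name
            "TOOL.COM": b"\xc3" * 1074,    # right size, but no .EXE beside it
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): r for p, r in find_companions(root)}

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", ", ".join(reasons))
```

A file reported only as "shadows ..." may be legitimate; the size and signature reasons are what tie it to this entry.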