Virus Name: Kipa
V Status: New
Discovered: January, 1995
Symptoms: .COM & .EXE growth;
decrease in available free memory (DOS 5.0)
Eff Length: 1,084 - 1,098 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, IBMAV, Sweep, ViruScan,
NAV, NAVDX, VAlert, PCScan, ChAV,
AVTK/N, IBMAV/N, Sweep/N, NShld, NAV/N, Innoc 4.0+
Removal Instructions: Delete infected files
The Kipa virus was received in January, 1995. It appears to be
from Moscow. Kipa is a memory resident infector of .COM and .EXE
files, including COMMAND.COM.
When the first Kipa infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Available
free memory, as indicated by the DOS 5.0 CHKDSK program, will have
decreased by approximately 2,064 bytes. Interrupt 21 will be hooked
by the virus in memory.
Once the Kipa virus is memory resident, it will infect .COM and .EXE
files, including COMMAND.COM, when they are executed. Infected
programs will have a file length increase of 1,084 to 1,098 bytes
with the virus being located at the end of the file. The file's
date and time in the DOS disk directory listing will not be altered.
The following text string is visible within the viral code in all
Kipa infected programs:
"The KIPA new Version 3.1 copyright (c) 1993 by
Sergey Hacker,Moscow;15 years old"
It is unknown what Kipa may do besides replicate.