This virus does nothing but possibly display the message "VDV 91".
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Kalah is a direct action file virus which infects COM files found either in the current directory or in a randomly selected directory on the path. The current directory is used with a 1:4 chance. Path directories are selected one by one (maximum of 7), each with a 1:4 chance of being used. If there is no path, or there are no more directories to select from, the root directory is used instead.
Files are infected by appending the first 499 bytes of the file, and writing the virus at offset 0. If the file was smaller than 499 bytes it is first extended to 499 bytes by appending bytes from the buffer that holds the beginning of the file.
The infection signature is the first 4 bytes of the file (50 E8 1F 00). Files larger than 65000 bytes will not be infected. Infection doesn't change the last modification date of the file.
On Mondays the virus displays a text saying 'I don't like mondays ...' and formats the first 100 tracks under head 0 of the first hard disk.
On exit from the virus, 496 bytes of the original file are copied to the program base. The last 2 bytes are not copied into place so the image of the original program is damaged when it is executed.
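The file layout and infection signature described above are enough to recognise an infected COM image and rebuild the host from the 499 bytes saved at the end of the file. The following Python sketch is an added example, not F-Secure's disinfection code; it assumes the virus overwrites no more than the first 499 bytes, and `constructed_sample` builds inert test data (signature plus zero padding) rather than a real sample.

```python
from typing import Optional

SIGNATURE = bytes.fromhex("50E81F00")  # infection signature given in the description
SAVED_LEN = 499                        # host bytes the virus saves at the end of the file
MAX_HOST = 65000                       # larger files are not infected


def is_infected(data: bytes) -> bool:
    """True if a COM image matches the layout described for Kalah."""
    if not data.startswith(SIGNATURE):
        return False
    # The host is extended to at least 499 bytes before 499 more are appended.
    if len(data) < 2 * SAVED_LEN:
        return False
    # The host was at most 65000 bytes before the 499 saved bytes were added.
    return len(data) <= MAX_HOST + SAVED_LEN


def restore(data: bytes) -> Optional[bytes]:
    """Rebuild the host: saved tail goes back to offset 0, the tail is dropped."""
    if not is_infected(data):
        return None
    return data[-SAVED_LEN:] + data[SAVED_LEN:-SAVED_LEN]


def constructed_sample(host: bytes) -> bytes:
    """Constructed test input: same layout, zero bytes in place of the virus body."""
    padded = host.ljust(SAVED_LEN, b"\x00")          # padding content is an assumption
    placeholder = SIGNATURE.ljust(SAVED_LEN, b"\x00")
    return placeholder + padded[SAVED_LEN:] + padded[:SAVED_LEN]


if __name__ == "__main__":
    host = bytes(range(256)) * 4                     # constructed 1024-byte "program"
    sample = constructed_sample(host)
    print("infected:", is_infected(sample))
    print("restored matches host:", restore(sample) == host)
```

Restoring from the file on disk recovers all 499 saved bytes, unlike the virus's own in-memory copy. A host that was shorter than 499 bytes comes back padded to 499, because its original length is not recorded in the layout described.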