Threat description
This virus does nothing but possibly display the message "VDV 91".
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.
Variant:499
Size:499
Other:COM-files, Non-resident
Repair:Yes
Kalah is a direct action file virus which infects COM files found either in the current directory or in a randomly selected directory on the path. The current directory is used with a 1:4 chance. Path directories are selected one by one (maximum of 7) with a 1:4 chance of being used, if there is no path or there are no more directories to select from then the root directory is used instead.
Files are infected by appending the first 499 bytes of the file, and writing the virus at offset 0. If the file was smaller than 499 bytes it is first extended to 499 bytes by appending bytes from the buffer that holds the beginning of the file.
The infection signature is the first 4 bytes of the file (50 E8 1F 00). Files larger than 65000 bytes will not be infected. Infection doesn't change the last modification date of the file.
On Mondays virus displays a text saying 'I don't like mondays ...' and formats the first 100 tracks under head 0 of the first hard disk.
On exit from the virus, 496 bytes of the original file are copied to the program base. The last 2 bytes are not copied into place so the image of the original program is damaged when it is executed.
Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis
Give advice. Get advice. Share the knowledge on our free discussion forum.