Kalah

GO TO: Summary | Removal | Technical Details

Classification

Category:

Malware

Type:

Virus

Platform:

-

Aliases:

Kalah

Summary

This virus does nothing but possibly display the message "VDV 91".

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Variant:499

Size:499

Other:COM-files, Non-resident

Repair:Yes

Kalah is a direct action file virus which infects COM files found either in the current directory or in a randomly selected directory on the path. The current directory is used with a 1:4 chance. Path directories are selected one by one (maximum of 7) with a 1:4 chance of being used, if there is no path or there are no more directories to select from then the root directory is used instead.

Files are infected by appending the first 499 bytes of the file, and writing the virus at offset 0. If the file was smaller than 499 bytes it is first extended to 499 bytes by appending bytes from the buffer that holds the beginning of the file.

The infection signature is the first 4 bytes of the file (50 E8 1F 00). Files larger than 65000 bytes will not be infected. Infection doesn't change the last modification date of the file.

On Mondays virus displays a text saying 'I don't like mondays ...' and formats the first 100 tracks under head 0 of the first hard disk.

On exit from the virus, 496 bytes of the original file are copied to the program base. The last 2 bytes are not copied into place so the image of the original program is damaged when it is executed.