Threat Encyclopedia

PE_KAZE.3228

Malware type: File Infector

Aliases: Virus.Win32.Kaze.3228 (Kaspersky), W32/Kamik.ow (McAfee), W32.Kaze (Symantec), W32/Kaze.3228.A (Avira), W32/Kaze-B (Sophos), Virus:Win32/Kaze.3228 (Microsoft)

In the wild: No

Destructive: Yes

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 
This virus attaches to all program files in the current directory (the directory where the virus has been executed). It has a destructive payload of overwriting all files in the Hard Drive C:\ with the text string, KAMIKAZE.

For additional information about this threat, see:

Description created: Jun. 26, 2002 10:00:00 AM GMT -0800
Description updated: Jun. 26, 2002 5:22:06 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 3,228 Bytes

Initial samples received on: Jun 26, 2002

Variant ofPE_KAZE.2056.A

Payload 1: Modifies Files (Overwrites these with the text string KAMIKAZE)

Trigger date 1: December 7

Trigger condition 1: System Date = December 7

Details:
Upon execution of this virus, it searches for the addresses of the following WIN32 Application Programming Interface (API) functions:

  • CloseHandle
  • CreateFileA
  • CreateFileMappingA
  • FindFirstFileA
  • FindNextFileA
  • FindClose
  • GetFileAttributesA
  • GetFileSize
  • GetLocalTime GetTickCount
  • MapViewOfFile
  • SetEndOfFile
  • SetFileAttributesA
  • SetFilePointer
  • UnmapViewOfFile
  • VirtualAlloc
  • VirtualFree
On the system date, December 7, it overwrites all files in the Drive C:\ with this text string:

KAMIKAZE

Then, it searches for EXE files in the current directory. To infect, it encrypts a portion of the original codes of the infected file and overwrites these with its virus body, together with the encrypted bodies of the target file.

Since file sizes of programs infected by this virus do not increase, most of the infected program files do not function properly because some portion of the unencrypted host body has been overwritten by the virus code.

The time stamp of infected program files are modified to the time of infection.

In addition, the virus checks for the signature 0xBA in the OEM I.D. entry (offset 0x24) in the MZ header to prevent re-infection of program files.


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.306.00

Pattern release date: Jun 26, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files infected by PE_KAZE.3228. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.

If the virus has already triggered its payload, back up your important data immediately. The operating system will no longer reboot on its next startup as some system DLL files are overwritten by the virus.

Also, you will need to re-install the operating system again from start. Please ensure that the backup data and programs are not infected by scanning them with the latest control patch before use in the newly installed system.


Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.

Featured Stories

Sosyal Ortam

Bizimle iletişim kurun