PE_KAZE.4236

Malware type: File Infector

Aliases: W32.Kaze(Symantec), W32/Kaze-C(Sophos), Virus.Win32.Kaze.4236(Kaspersky), W32/Kaze.4236(Avira), W32/Kaze.4236(F-Prot), W32/Zikam.4236(McAfee)

In the wild: No

Destructive: Yes

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 
This virus, a variant of PE_KAMIKAZE.3228, attaches to all program files in the current directory. It carries a destructive payload that overwrites all files on the infected system.

Description created: Jun. 26, 2002 10:00:00 AM GMT -0800
Description updated: Jun. 28, 2002 6:56:19 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 4,236 Bytes

Initial samples received on: Jun 26, 2002

Variant of: PE_KAZE.3228

Payload 1: Modifies files (overwrites them with the string KAMIKAZE)

Trigger date 1: December 7

Trigger condition 1: System Date = December 7

Details:
This file infector, a new variant of PE_KAMIKAZE.3228, has metamorphic capability, making detection by antivirus software more difficult.

Upon execution, it searches for the addresses of the following WIN32 Application Programming Interface (API) functions:

  • CloseHandle
  • CreateFileA
  • CreateFileMappingA
  • FindFirstFileA
  • FindNextFileA
  • FindClose
  • GetFileAttributesA
  • GetFileSize
  • GetLocalTime
  • GetTickCount
  • MapViewOfFile
  • SetEndOfFile
  • SetFileAttributesA
  • SetFilePointer
  • UnmapViewOfFile
  • VirtualAlloc
  • VirtualFree
It then checks whether the system date is December 7. If it is, the virus overwrites all files on hard drive C:\ with this string:

KAMIKAZE

Next, the virus searches for EXE files in the current directory. It infects a file by encrypting a portion of the host's original code and overwriting that region with its own body together with the encrypted host code.

Because infected files do not grow in size, most infected programs no longer function properly: part of the unencrypted host body has been overwritten by the virus code.

The time stamp of an infected program file is changed to the time of infection.

In addition, the virus checks for the signature 0xBA in the OEM ID field of the MZ header (e_oemid, at offset 0x24) to avoid re-infecting program files.
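As an added illustration (not part of the original Trend Micro write-up), the following Python triage helper checks files for the two artefacts described above: the 0xBA marker in the e_oemid field at offset 0x24 of the MZ header, and contents replaced by the KAMIKAZE payload string. The offset, marker value and payload string come from the write-up; the function names, the constructed sample headers, and the assumption that the payload string lands at offset 0 are mine.

```python
"""Triage helper for the PE_KAZE.4236 artefacts described above."""
import struct
from pathlib import Path

MARKER_OFFSET = 0x24          # e_oemid field of the IMAGE_DOS_HEADER (from the write-up)
MARKER_VALUE = 0xBA           # infection marker the virus stores there (from the write-up)
PAYLOAD_STRING = b"KAMIKAZE"  # string the December 7 payload writes over files


def classify(data: bytes) -> str:
    """Return 'overwritten', 'marked' or 'clean' for the first bytes of a file."""
    # Assumption (not stated in the write-up): the payload writes KAMIKAZE at offset 0.
    if data.startswith(PAYLOAD_STRING):
        return "overwritten"
    # The DOS header is 0x40 bytes; shorter input cannot carry the marker.
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_oemid,) = struct.unpack_from("<H", data, MARKER_OFFSET)
        # The write-up gives a one-byte value, so compare the low byte of the 16-bit field.
        if e_oemid & 0xFF == MARKER_VALUE:
            return "marked"
    return "clean"


def scan_directory(root: Path) -> dict[str, list[Path]]:
    """Walk root and bucket every regular file by classify()."""
    buckets: dict[str, list[Path]] = {"marked": [], "overwritten": [], "clean": []}
    for path in root.rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                buckets[classify(fh.read(0x40))].append(path)
    return buckets


def make_mz_header(e_oemid: int) -> bytes:
    """Constructed 64-byte DOS header for testing, not taken from any real binary."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, MARKER_OFFSET, e_oemid)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: a PE header would follow
    return bytes(hdr)


# Constructed samples: an unmarked header, a marked one and a payload victim.
SAMPLES = {
    "clean.exe": make_mz_header(0x0000),
    "infected.exe": make_mz_header(MARKER_VALUE),
    "victim.txt": PAYLOAD_STRING * 4,
}
```

Linkers normally leave e_oemid at 0, but a non-zero value is not impossible in a legitimate binary, so treat a "marked" result as a lead for a full antivirus scan rather than a verdict.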


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.306.00

Pattern release date: Jun 26, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files infected by PE_KAZE.3228. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other users may use HouseCall, Trend Micro's free online virus scanner.

If the virus has already triggered its payload, back up your important data immediately. The operating system will not boot on its next startup, because some system DLL files have been overwritten by the virus.

You will also need to reinstall the operating system from scratch. Before using backed-up data and programs on the newly installed system, scan them with the latest pattern file to make sure they are not infected.
