Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Kenston

This is a non-resident virus attacking EXE files of PE type. The virus is encrypted by a simple algorithm with the use of XOR function with the key length of 1 byte. It imports addresses of the following functions: GetProcAdress, LoadLibraryA, FindFirstFileA, FindNextFileA, FindClose, SetFileAttributesA, SetFileTime, CreateFileA, ReadFile, WriteFile, SetFilePointer, CloseHandle and SetCurrentDirectoryA ,GetCurrentDirectoryA. After importing the suitable functions the virus looks for appropriate EXE files in specific subdirectories and attacks them. The virus marks already attacked files by writing the letter “a” on the offset 0x3B in EXE header. In the virus body are the following strings:

Boles and Manning are arrogant facists.
They have no computer sk1llz and KENSTON HIGH SCHOOL's
computers are 0wn3d. I AM BACK KOONS YOU MOTHERFUCKER
dowN wiTh KenSTON..... yOU tRIED tO rID yOUrSELf oF mE BefoRE
bUT fAILED
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.