W32.Karimex


Aliases: Virus.Win32.HLLW.Karimex, Win32.HLLW.Karimex, Worm/Karimex, Win32/Karimex 
Variants: W32/Kotef.worm, Troj/Kotef-A, Win32/HLLW.Kotef, TROJ_KOTEF.A, Win32.HLLW.Kotef.A 

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: Asia, North America, Europe
Removal: Hard
Platform: W32
Discovered: 29 Oct 2002
Damage: Medium

Characteristics: W32.Karimex is a prepending virus that infects randomly chosen executable files it finds in the infected system’s current folder. The virus writes its malicious code to victim files in two ways. One is by moving the code from the beginning of the victim file to the end and writing its own malicious code into the space created. The second is by adding the victim file’s code to the virus’ own code.

More details about W32.Karimex

When executed on the compromised machine, W32.Karimex displays a message with 2 buttons. If users click the message’s right button while the system date is set to the 22nd, a message containing the ‘khdo0905@dreamwiz.com’ string will appear. The virus will also create a VBS file and a DAT file, neither of which is malicious. If users instead click the left button, a graphic display with Korean characters will appear. The virus will also create a nonviral file in the same location as the virus itself. This file has the .vir file extension and the same name as the W32.Karimex virus.

The virus can also randomly choose several executable files and prepend its viral body to these host files. The viral body is around 32,767 bytes. The virus then appends the string ‘TTF’ to the host file’s last section. Because it has no way to determine whether a file is already infected, it can re-infect the same files. When a file infected by W32.Karimex executes, users see a message stating that a file in the system has been corrupted and needs to be reinstalled. Files infected by the virus cannot themselves infect other files.
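The file layout described above can be turned into a triage heuristic; the following is an added example, not a vendor signature or code from the original entry. It covers only the layout where the host follows the viral body, and it assumes the ‘TTF’ marker ends up as the final bytes of the file and that "around 32,767 bytes" means within a 512-byte window (both assumptions, as is the `triage` function name).

```python
import struct

VIRAL_BODY_SIZE = 32767  # "around 32,767 bytes" per the description above
TOLERANCE = 512          # assumption: slack allowed for "around"
MARKER = b"TTF"          # string appended to the host file's last section


def is_pe_header_at(data, off):
    """Return True if a plausible MZ/PE header pair starts at offset `off`."""
    if off < 0 or off + 0x40 > len(data) or data[off:off + 2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
    pe = off + e_lfanew
    return pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\0\0"


def count_trailing_markers(data):
    """Count back-to-back markers at end of file (assumed: one per infection)."""
    count, end = 0, len(data)
    while end >= len(MARKER) and data[end - len(MARKER):end] == MARKER:
        count += 1
        end -= len(MARKER)
    return count


def find_embedded_pe(data):
    """Look for a second PE header roughly one viral body into the file."""
    lo = max(1, VIRAL_BODY_SIZE - TOLERANCE)
    hi = min(len(data), VIRAL_BODY_SIZE + TOLERANCE)
    pos = data.find(b"MZ", lo, hi)
    while pos != -1:
        if is_pe_header_at(data, pos):
            return pos
        pos = data.find(b"MZ", pos + 1, hi)
    return None


def triage(data):
    """Flag files matching the prepended-body plus trailing-marker layout."""
    markers = count_trailing_markers(data)
    embedded = find_embedded_pe(data)
    suspicious = is_pe_header_at(data, 0) and markers > 0 and embedded is not None
    return {"suspicious": suspicious, "markers": markers, "embedded_pe": embedded}
```

A hit is a reason to pull the file for closer analysis, not a verdict: the marker is only three bytes, so the embedded-header check is what keeps false positives down.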