%%File: VIRS0497.TXT
%%Name/Aliases: KAOS4, Kaos 4, Sexotica
%%Platform: PC/MS-DOS
%%Type: Program., 
%%Disk Location: EXE application., COM application., COMMAND.COM
%%Features: Direct acting., Non stealth, Designed to avoid detection by 
heuristic scanners.
%%Damage: Interferes with a running application., No damage, only 
replicates.
%%Size: 697
%%See Also: Vienna
%%Notes: The KAOS 4 virus is a variant of the Vienna virus that has been 
extended to infect .EXE files as well as .COM files. The virus is direct 
acting, and randomly infects one .COM and one .EXE file every time it is 
run. It attacks COMMAND.COM first. On my machine, it seemed to prefer 
the \DOS and the \NU (norton) directories. The virus adds 697 bytes to 
the length of both .COM and .EXE files, the modification date of the 
files does not change. The following text is in the clear in the last 
sector of an infected file:   KAOS4 / Kšhntark.
For  *.COM files case,  When the file is less than 64K and if it does 
not start with E9??h ??20h , then the target *.COM file will be 
infected.
It is not detected by DataPhysician Plus 4.0D or SCANV116. A virus 
signature file is available from DDI named KAOS4.PRG that works with 
version 4.0C. There is a problem with using it with version 4.0D. load 
it into Virhunt by using the Options - E (user signature file) command 
and type the file name, or load it at startup with VIRHUNT 
USC:\DDI\KAOS4.PRG  (assuming that kaos4.prg is in your DDI directory on 
your C drive. Then run a normal scan. Virhunt will identify it as an 
"Unknown Virus". Virhunt can also apparently remove this virus from 
files using this virus signature file. 
The virus does not seem to have a payload, though while not 
intentionally damaging, infected systems become unbootable.
The next version of SCANV is also supposed to detect the virus (probably 
117).
The virus is not detected by ThunderBYTE.