Kaiowas
Type: File virus
Creator: Gobleen Warrior
Date Discovered: 19-APR-2001
Place of Origin: Russia
Source Language: C
Platform: Linux
File Type(s): ELF
Infection Length: 15,244 bytes

Kaiowas, also known as Kagob, is a Linux virus by Gobleen Warrior.

Behavior

When an infected file is executed, Kaiowas calls fork() so that the host and the viral code run as separate processes; it copies the host code to a separate file and runs it from there. It searches the current working directory and all subsequent directories for infectable ELF files. When it finds one, it expands the file's size by 15,244 bytes and shifts the original code down by that length. It then writes its own code into the freed space at the beginning of the file.

The virus body contains the text string "Linux.Kaiowas by Gobleen Warrior//SMF", which is never displayed. It has no malicious payload and does little more than spread.
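The layout described above (viral code in the first 15,244 bytes, the original ELF shifted down behind it, and the text string inside the virus body) gives two simple file-level indicators. The following scanner is an added example, not code from the virus or from any antivirus product; the function names, file names and the inert mock file it builds (zero padding plus the string, no viral code) are constructed for illustration.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
MARKER = b"Linux.Kaiowas by Gobleen Warrior//SMF"  # string the page says is in the virus body
PREPEND_LEN = 15244                                # infection length given on the page (v1.0)

def check_file(path):
    """Return the list of indicator names found in the file at `path`."""
    hits = []
    with open(path, "rb") as f:
        head = f.read(PREPEND_LEN + len(ELF_MAGIC))
    if not head.startswith(ELF_MAGIC):
        return hits                                # not an ELF file, nothing to check
    if MARKER in head[:PREPEND_LEN]:
        hits.append("marker-string")
    if head[PREPEND_LEN:PREPEND_LEN + 4] == ELF_MAGIC:
        hits.append("elf-at-15244")                # a second ELF header where the host would start
    return hits

def scan_tree(root):
    """Walk `root` and map each regular file with indicators to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                hits = check_file(path)
            except OSError:
                continue                           # unreadable file: skip it
            if hits:
                findings[path] = hits
    return findings

def build_samples(root):
    """Constructed inputs: a clean ELF stub, a layout-only mock, a text file."""
    clean = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 200
    mock_prefix = (ELF_MAGIC + b"\x00" * 60 + MARKER).ljust(PREPEND_LEN, b"\x00")
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    for rel, data in (("clean.bin", clean), ("notes.txt", b"not an ELF file"),
                      (os.path.join("sub", "mock.bin"), mock_prefix + clean)):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_samples(d)
        for path, hits in scan_tree(d).items():
            print(path, hits)
```

Either indicator alone can misfire (a legitimate binary may embed another ELF image at that offset), so treat a file showing both as the stronger signal. The offset check does not apply to the 1.1 variant, whose host data is stored encrypted.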

Variants

Gobleen Warrior made an optimized version a day after the original. It is 16,176 bytes long. The appended blocks of the original file are encrypted with a variable key. The key is not contained in the viral code; instead, it is selected using four-byte block checksums when the block is decrypted. These checksums are stored before the block they represent in the encrypted body of the original file.

Origin

Kaiowas was coded by Gobleen Warrior on the 19th of April 2001 in Russia using the C language. His Unix shell virus, Mollusc, appeared just a couple of months earlier. Kaiowas was Gobleen Warrior's first virus in the C language. The code for the first version was unoptimized and, in Gobleen Warrior's own words, "clumsy". Not long after, he completed Kaiowas 1.1, an optimized version of the virus.

Its name comes from the Guarani-Kaiowá tribe of South America. Kaiowá was also a song by the Brazilian metal band Sepultura.

Sources

Gobleen Warrior. Kaiowas 1.0 Source code.

Gobleen Warrior. Kaiowas 1.1 Source code.

Kaspersky Lab, Virus.Linux.Kagob.a.
