Kamikaze
Type: File virus
Creator: BlackArt
Date Discovered: 2002.03.23
Place of Origin: Chile
Source Language:
Platform: MS Windows
File Type(s): .exe
Infection Length: 2,056 bytes
Reported Costs:

Kamikaze, also known as Kaze, Zikam, and Ezaki, is a small family of malicious viruses that appeared in 2002. Though relatively simple, being non-resident and unencrypted, it has the very destructive effect of overwriting files on certain dates. A few variants will do this on the anniversary of the attack on Pearl Harbor.

Behavior

When a file infected with Kamikaze is executed, it enumerates the files in the current working directory. The virus checks each file for the marker "BA" at offset 24h relative to the start of the file, which indicates that the file has already been infected, and skips files that carry it. It then infects all uninfected files in that directory, appending itself to each file.

If an infected file is executed on the 22nd of any month, Kamikaze will overwrite all .exe files with the text "KAMIKAZE". The file size of the overwritten files stays the same. The following text can be found in the virus but it is never displayed:

Win32.Kamikaze.2056 by BlackArt
Win32.Kamikaze.2056 huh, huh, huh, huh.
Win32.Kamikaze.2056 by BlackArt
You have to take full responsibility for using this.
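
The infection marker and the overwrite payload described above can be turned into a simple triage check for a directory of executables. This is an added example, not code from the original page; it assumes the marker is the two ASCII bytes "BA" and that an overwritten file begins with the payload text, and the sample files are constructed byte strings.

```python
import os
import tempfile

MARKER_OFFSET = 0x24        # "offset 24h relative to the start of the file" (from the page)
MARKER = b"BA"              # assumption: the marker is the two ASCII bytes "BA"
PAYLOAD_TEXT = b"KAMIKAZE"  # text the payload writes over .exe files (from the page)


def classify(path):
    """Return 'overwritten', 'marked' or 'clean' for one file."""
    with open(path, "rb") as fh:
        head = fh.read(MARKER_OFFSET + len(MARKER))
    # Assumption: an overwritten file starts with the payload text, so it has
    # lost the "MZ" signature that every DOS/PE executable begins with.
    if head.startswith(PAYLOAD_TEXT):
        return "overwritten"
    # Files too short to reach offset 24h yield an empty slice and never match.
    if head[:2] == b"MZ" and head[MARKER_OFFSET:] == MARKER:
        return "marked"
    return "clean"


def scan_directory(directory):
    """Classify every .exe in one directory (the virus works per directory)."""
    results = {}
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if entry.is_file() and entry.name.lower().endswith(".exe"):
            results[entry.name] = classify(entry.path)
    return results


def build_sample_dir():
    """Write constructed sample files (inert byte strings, not real binaries)."""
    d = tempfile.mkdtemp(prefix="kaze_demo_")
    header = bytearray(b"MZ" + b"\x00" * 62)
    samples = {"clean.exe": bytes(header), "short.exe": b"MZ\x00\x00"}
    header[MARKER_OFFSET:MARKER_OFFSET + 2] = MARKER
    samples["marked.exe"] = bytes(header)
    samples["wiped.exe"] = (PAYLOAD_TEXT * 8)[:64]
    samples["notes.txt"] = bytes(header)  # not an .exe, so the scan ignores it
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for name, verdict in scan_directory(build_sample_dir()).items():
        print(f"{name}: {verdict}")
```

A two-byte match at a fixed header offset can occur by coincidence in a legitimate program, so a "marked" result is a lead for a full antivirus scan rather than a verdict.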

Variants

At least three variants of the original Kamikaze exist, and they are mostly the same as the original.

Kamikaze.3228

This variant was discovered on the 26th of June in 2002. It is 3,228 bytes long. It checks for the presence of the value 0xBA to determine if a file has already been infected. If it is executed when the system clock says 7 December of any year, it will overwrite all .exe files with "KAMIKAZE". This variant avoids increasing the file size of infected programs by encrypting a part of the original code of the infected file and overwriting it with its virus body, together with the encrypted code of the target file. This may cause the file to not run properly. It has the same text as Kamikaze.2056, except 2056 is replaced with 2338.

Kamikaze.4236

This variant appeared on the same day as Kamikaze.3228 and is its variant. It is functionally similar in nearly every way except for the file size. It has the same text as Kamikaze.2056, except 2056 is replaced with 4236.

Kamikaze.1538

This is the smallest member of the Kamikaze family. It is similar to the others with the exception of the text:

I AM KAMIKAZE
YOR COMPUTER FULL CRASH
FUCKE YOU

Name

The name Kamikaze comes from the Japanese word 神風, or "divine wind". Originally this referred to a typhoon that miraculously saved Japan from invasion by the Mongols, but later came to refer to the tokubetsu kōgeki tai (特別攻撃隊) or Special Attack Units who flew their planes into Allied ships. In spite of the trigger date being on the anniversary of the Pearl Harbor attack, which occurred early in the war, the Kamikaze-style attack did not become common until late in the war as Japan ran out of resources and skilled pilots. The first attack of this type during the war, though, was by the Allies, namely Polish officer Leopold Pamuła, in whose country it is known as "Taranowanie".

Most antivirus products refer to Kamikaze as simply "Kaze". McAfee refers to it as Zikam, which is not too different from a line of cold and flu remedies. Microsoft and Sophos call it "Ezaki", which is part of the name of a Japanese manufacturer of several popular candies and snacks.

Origin

Kamikaze was coded by a virus writer named BlackArt. He is mentioned in a few virus e-zines, but little information about him or other works survives. BlackArt is also the name of a group that published viruses until late in 2005.

BlackArt himself appears to be from Chile, though tracking him down may at first lead one to believe he is from Japan or Russia. His website in the middle of 2001 showed his email address at a computervirus.org domain. That domain belonged to the Computer Virus Research Center, which had a Japanese email address for the webmaster and later became a blog of mostly Japanese stories on Japan-centric and not always virus-related topics before disappearing in 2004. Around the time he published Kamikaze, he had a mail.ru email address.

