Printer Friendly Page

Discovered: February 01, 1999
Updated: February 13, 2007 11:34:23 AM
Also Known As: Win32.Kenston.1895, W95/Kenston.1895, Win95/Kenston, Haha

W95.Kenston is a virus that infects PE (portable executable) files under Windows 9x. It is not memory-resident.

Antivirus Protection Dates

  • Initial Rapid Release version February 03, 1999
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version February 03, 1999
  • Latest Daily Certified version September 28, 2010 revision 036

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Technical Description

When an infected file is executed, W95.Kenston does the following:

First, the virus decrypts itself. Next, it searches memory for Kernel32.dll functions. The virus then searches through all folders and subfolders on the hard disk, beginning at the root. It appends itself to the end of the host file and infects only those files that have an .exe file extension. Infected files grow in size by 1895 bytes, but their time and date stamp do not change.

W95.Kenston does not display any messages or produce any malicious side effects. While the virus is executing, it infects only one file in each folder. It marks a byte in the header of infected files so that it does not reinfect them.


Run LiveUpdate to make sure that you have the most recent virus definitions.

  1. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
  2. Run a full system scan.
  3. If any files are detected as infected by W95.Kenston, click Repair.

Writeup By: Wason Han