For Home

Virus Profile: W32/Kriz.3863

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/16/1999
Date Added: 8/16/1999
Origin: N/A
Length: N/A
Type: Virus
Subtype: Win32
DAT Required: 4116
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of file KRIZED.TT6 after executing infected file on a non-infected system.

Methods of Infection

When first run on a clean machine, the virus checks KERNEL32.DLL to see if it is infected, if yes then the virus exits. If KERNEL32.DLL is not infected then the virus copies KERNEL32.DLL to WINDOWS\SYSTEM\KRIZED.TT6 and then the virus infects this local copy. The virus then creates the file WINDOWS\WININIT.INI containing the lines :-

[rename]
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KRIZED.TT6

This causes windows to replace KERNEL32.DLL with the infected copy when the system is next re-started.

In the infected copy of KERNEL32.DLL the virus hooks the following functions :-

CopyFileA, CopyFileW, CreateFileA, CreateFileW, CreateProcessA, CreateProcessW, DeleteFileA, DeleteFileW, GetFileAttributesA, GetFileAttributesW, MoveFileA, MoveFileW, MoveFileExA, MoveFileExW, SetFileAttributesA, SetFileAttributesW

This causes any PE executable file that is run, copied, moved or scanned to be infected by the virus.

Aliases

Kriz, PE_Kriz.4050, W32.Kriz, W95/Kriz.4029.kernel, W95/Kriz.4050.kernel, Win32.Kriz.4050
   

Virus Characteristics

Update January 16, 2001:
DAT 4116 contains cleaning capability for infected KERNEL32.DLL, given that engine 4.0.70 is used. DAT 4039 introduced detection for W32/Kriz.

Update December 19, 2000:
This virus contains a dangerous hard drive and CMOS overwriting procedure which can activate on December 25. The following user types are at risk:

Anyone who:
* does not run Antivirus software
* runs Antivirus software but has not updated both the engine and DAT files to current versions
* runs Antivirus software but does not use the on-access / real-time scanner

This is Windows 95/98 and NT virus that infects PE EXE files. It is also polymorphic. When an infected file is executed, this virus will stay resident in memory until the next time the system is rebooted. This virus encrypts its code, leaving only a small random decryptor. This virus will infect files as they are opened by any application while it is in memory. This will occur when a user scans files as well.

The virus also has a payload which activates when an infected file is run on December 25th. When it does it will attempt To erase the computer's CMOS information, which contains information such as date and time, and the type of hard disk the computer uses. This virus will also attempt to directly erase disk sectors. It will attempt to flash the BIOS with garbage. This only works on certain types of BIOSes. If this succeeds, the computer will not boot. This is similar to the action taken by the CIH virus. If the virus is successful the computer will not boot up, not even from a floppy disk. In some cases the virus will corrupt the file it infects and cleaning may not be possible.

This virus will infect kernel32.dll. When it does, it replaces the original contents with its own. Because of this the file can NOT be repaired, it must be replaced.

This virus code also contains a poem that contains quite a bit of profanity. It is never displayed, nor is it used in any of the routines it runs.

Variants

Variants information
Virus Name Type Subtype Differences
W32/Kriz.4029 Virus Win32 Minor difference in size of polymorphism.
W32/Kriz.4050 Virus Win32 Minor differences in size of polymorphism.
W32/Kriz.4270 Virus Win32 Infection body size difference.
   
All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.