F-Secure Virus Descriptions : Kriz
Kriz is a memory-resident polymorphic virus. It replicates under
Win32 systems and infects PE EXE files (portable executables)
with EXE and SCR extensions. It also infects KERNEL32.DLL, the
Windows core library, which is what allows the virus to stay
resident in memory at all times.
While infecting a file the virus creates a new section at the end
of the file, encrypts its code and writes it there. To recognise
already infected files the virus uses the string '666', which it
writes to a reserved area of the PE header. Before infecting a
file the virus checks the file name and does not infect programs
with the following names:
_AVP32.EXE, _AVPM.EXE, ALERTSVC.EXE, AMON.EXE, AVP32.EXE,
AVPM.EXE, N32SCANW.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NAVLU32.EXE,
NAVRUNR.EXE, NAVWNT.EXE, NOD32.EXE, NPSSVC.EXE, NSCHEDNT.EXE,
NSPLUGIN.EXE, SCAN.EXE, SMSS.EXE
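The two infection traits described above, the marker string written into a reserved PE header field and the virus body appended as a new last section, can be turned into a simple triage check. The following is an added example (not F-Secure's or Kaspersky's code): the page does not name the reserved field, so scanning both zero-by-convention reserved fields of the PE32 optional header (Win32VersionValue and LoaderFlags) is an assumption, and build_sample only constructs a minimal header for testing, not a real binary.

```python
import struct

# Reserved PE32 optional-header fields that a stock linker leaves zero. The page
# says Kriz writes its '666' marker "to a reserved area of the PE header" without
# naming the field, so scanning both of these is a triage assumption, not a fact.
RESERVED_FIELDS = {"Win32VersionValue": 52, "LoaderFlags": 88}
MARKER = b"666"


def triage_pe(data: bytes) -> dict:
    """Report which reserved header fields contain the marker and whether the
    entry point falls in the last section, where an appended section would be."""
    result = {"marker_fields": [], "entry_in_last_section": False}
    try:
        if data[:2] != b"MZ":
            return result
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return result
        file_hdr = pe_off + 4
        num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
        opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
        opt = file_hdr + 20
        if struct.unpack_from("<H", data, opt)[0] != 0x10B:  # PE32 only
            return result
        for name, off in RESERVED_FIELDS.items():
            if MARKER in data[opt + off:opt + off + 4]:
                result["marker_fields"].append(name)
        entry = struct.unpack_from("<I", data, opt + 16)[0]
        if num_sections:
            last = opt + opt_size + (num_sections - 1) * 40  # last section header
            vsize, vaddr = struct.unpack_from("<II", data, last + 8)
            result["entry_in_last_section"] = vaddr <= entry < vaddr + max(vsize, 1)
    except struct.error:  # truncated or malformed header: report nothing
        pass
    return result


def build_sample(marker: bytes = b"\0\0\0\0", entry_in_last: bool = False) -> bytes:
    """Construct a minimal two-section PE32 header (test input only, no code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = bytearray(96)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                 # magic
    struct.pack_into("<I", opt, 16, 0x3000 if entry_in_last else 0x1000)
    opt[52:56] = marker                                   # Win32VersionValue
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    def sec(name: bytes, vaddr: int) -> bytes:            # 40-byte section header
        return name.ljust(8, b"\0") + struct.pack("<II", 0x1000, vaddr) + b"\0" * 24
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sec(b".text", 0x1000) + sec(b".new", 0x3000)
```

A marker hit is a strong indicator; an entry point in the last section alone is only a weak one, since packers and some linkers also produce that layout.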
When infecting the KERNEL32.DLL library the virus patches its Export
Table (the list of exported functions) and modifies the addresses of
several functions so that, from the next Windows startup on, all
calls to these functions are trapped by virus code. This allows the
virus to monitor file access calls and to infect files that are
accessed through these functions.
The virus traps 16 KERNEL32 functions: file opening, copying,
deleting, querying and changing file attributes, creating a new
process, and some others.
To infect the KERNEL32.DLL library (which can only be opened in
read-only mode while Windows is running) the virus copies it under a
temporary name (this version of Kriz copies KERNEL32.DLL as
KRIZED.TT6 into the \Windows\System\ directory), infects the copy
and then creates a WININIT.INI file that makes Windows replace the
original KERNEL32.DLL with the infected copy during the next startup.
The virus has a dangerous payload that is activated on December
25th. On that date, when infecting any file, the virus destroys the
contents of CMOS memory, overwrites data in all files on all
available hard drives and then tries to destroy the Flash BIOS using
the same routine as the CIH (aka Chernobyl) virus.
The virus has a rhyme inside that is never output to the screen.
It is advised to disinfect Kriz using the free version of F-Prot
for DOS or another DOS-based scanner. Disinfection must be performed
from pure DOS, because the infected KERNEL32.DLL is active whenever
Windows is running.
ftp://ftp.europe.F-Secure.com/anti-virus/free/
ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/
All files infected by Kriz should be disinfected before Windows
is started next time.
[Analysis: Kaspersky Labs and F-Secure Virus Research Teams, 1998-2001]