Kriz

Threat description

Details

CATEGORYMalware
TYPEVirus

Summary

Kriz is a memory resident polymorphic virus. It replicates under Win32 systems and infects PE EXE files (portable executables) with EXE and SCR extensions. It also infects KERNEL32.DLL - Windows core library that allows the virus to always stay resident in memory.



Removal

It is advised to perform disinfection of Kriz using a free version of F-Prot for DOS or another DOS-based scanner. It is a requirement to perform disinfection from pure DOS.

ftp://ftp.europe.F-Secure.com/anti-virus/free/ ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/

All files infected by Kriz should be disinfected before Windows is started next time.

Technical Details

While infecting a file the virus creates a new section at the end of this file, encrypts and writes its code there. To identify already infected files the virus uses the '666' string that is written to a reserved area of PE header. Before infection the virus checks file names and does not infect programs with the following names:

 _AVP32.EXE, _AVPM.EXE, ALERTSVC.EXE, AMON.EXE, AVP32.EXE,  AVPM.EXE, N32SCANW.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NAVLU32.EXE,  NAVRUNR.EXE, NAVWNT.EXE, NOD32.EXE, NPSSVC.EXE, NSCHEDNT.EXE,  NSPLUGIN.EXE, SCAN.EXE, SMSS.EXE    

When infecting KERNEL32.DLL library the virus patches its Export Table (exported functions list) and modifies addresses of several functions so, that on next Windows startup all calls to these functions will be trapped by virus code. This allows the virus to monitor file access calls and to infect files that are accessed through these functions.

The virus traps 16 KERNEL32 functions - file opening, copying, deleting, quirying and changing file attributes, creating a new process and some others.

To infect KERNEL32.DLL library (that can be only opened in read-only mode when Windows is active) the virus copies it with a temporary name (this version of Kriz copies KERNEL32.DLL as KRIZED.TT6 to \Windows\System\ directory), infects it and then creates WININIT.INI file that will make Windows replace the original KERNEL32.DLL with infected copy during next startup.

The virus has a dangerous payload that is activated on December 25th. When infecting any file the virus kills CMOS memory, overwrites data in all files on all available hard drives and then tries to destroy Flash BIOS by using the same routine that the CIH (aka Chernobyl) virus has.

The virus has a rhyme inside that is never output to the screen.

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info