While infecting a file the virus creates a new section at the end of this file, encrypts and writes its code there. To identify already infected files the virus uses the '666' string that is written to a reserved area of PE header. Before infection the virus checks file names and does not infect programs with the following names:
_AVP32.EXE, _AVPM.EXE, ALERTSVC.EXE, AMON.EXE, AVP32.EXE,
AVPM.EXE, N32SCANW.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NAVLU32.EXE,
NAVRUNR.EXE, NAVWNT.EXE, NOD32.EXE, NPSSVC.EXE, NSCHEDNT.EXE,
NSPLUGIN.EXE, SCAN.EXE, SMSS.EXE
When infecting KERNEL32.DLL library the virus patches its Export Table (exported functions list) and modifies addresses of several functions so, that on next Windows startup all calls to these functions will be trapped by virus code. This allows the virus to monitor file access calls and to infect files that are accessed through these functions.
The virus traps 16 KERNEL32 functions - file opening, copying, deleting, quirying and changing file attributes, creating a new process and some others.
To infect KERNEL32.DLL library (that can be only opened in read-only mode when Windows is active) the virus copies it with a temporary name (this version of Kriz copies KERNEL32.DLL as KRIZED.TT6 to \Windows\System\ directory), infects it and then creates WININIT.INI file that will make Windows replace the original KERNEL32.DLL with infected copy during next startup.
The virus has a dangerous payload that is activated on December 25th. When infecting any file the virus kills CMOS memory, overwrites data in all files on all available hard drives and then tries to destroy Flash BIOS by using the same routine that the CIH (aka Chernobyl) virus has.
The virus has a rhyme inside that is never output to the screen.