Kriz

Classification

Malware

Virus

W32

Kriz, Win32_Kriz, Win32.Kriz, W32/Kriz

Summary

Kriz is a memory resident polymorphic virus. It replicates under Win32 systems and infects PE EXE files (portable executables) with EXE and SCR extensions. It also infects KERNEL32.DLL - Windows core library that allows the virus to always stay resident in memory.

Removal

It is advised to perform disinfection of Kriz using a free version of F-Prot for DOS or another DOS-based scanner. It is a requirement to perform disinfection from pure DOS.

ftp://ftp.europe.F-Secure.com/anti-virus/free/ ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/

All files infected by Kriz should be disinfected before Windows is started next time.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

While infecting a file the virus creates a new section at the end of this file, encrypts and writes its code there. To identify already infected files the virus uses the '666' string that is written to a reserved area of PE header. Before infection the virus checks file names and does not infect programs with the following names:

 _AVP32.EXE, _AVPM.EXE, ALERTSVC.EXE, AMON.EXE, AVP32.EXE,
AVPM.EXE, N32SCANW.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NAVLU32.EXE,
NAVRUNR.EXE, NAVWNT.EXE, NOD32.EXE, NPSSVC.EXE, NSCHEDNT.EXE,
NSPLUGIN.EXE, SCAN.EXE, SMSS.EXE

When infecting KERNEL32.DLL library the virus patches its Export Table (exported functions list) and modifies addresses of several functions so, that on next Windows startup all calls to these functions will be trapped by virus code. This allows the virus to monitor file access calls and to infect files that are accessed through these functions.

The virus traps 16 KERNEL32 functions - file opening, copying, deleting, quirying and changing file attributes, creating a new process and some others.

To infect KERNEL32.DLL library (that can be only opened in read-only mode when Windows is active) the virus copies it with a temporary name (this version of Kriz copies KERNEL32.DLL as KRIZED.TT6 to \Windows\System\ directory), infects it and then creates WININIT.INI file that will make Windows replace the original KERNEL32.DLL with infected copy during next startup.

The virus has a dangerous payload that is activated on December 25th. When infecting any file the virus kills CMOS memory, overwrites data in all files on all available hard drives and then tries to destroy Flash BIOS by using the same routine that the CIH (aka Chernobyl) virus has.

The virus has a rhyme inside that is never output to the screen.