W32/KRIZ.3862 (W32/KRIZ.4092, W32/KRIZ.4050)

This polymorphic virus infects portable executable (PE EXE) files on Windows 95/98 and NT. When a user executes an infected file, the virus stays resident in memory until the next time the system is rebooted. The virus leaves only a small random decryptor. It infects files as they are opened by any application while it is in memory (including an anti-virus scan).

The virus also attempts to erase the computer’s CMOS as well as disk sectors when an infected file is run on December 25. It also attempts to flash the BIOS-if successful, the computer will not boot, even from a floppy. In some cases, the virus corrupts the infected file making cleaning of it impossible.

The virus infects KERNEL.DLL. When it does, it replaces the original contents with its own. Because of this the file CANNOT be repaired, it must be replaced.

Finally, the virus code contains a profane poem, which is never displayed nor used in any of the routines it runs.

Indications of Infection:

Existence of file KRIZED.TT6 after executing infected file on clean system.

Method of Infection:

When first run on a non-infected system, the virus checks KERNEL32.DLL to see if it’s infected. If it isn’t infected the virus copies KERNEL32.DLL to WINDOWS\SYSTEM\KRIZED.TT6 and then infects this local copy. The virus then creates the file WINDOWS\WININIT.INI containing the following lines:

The infected copy of KERNEL32.DLL hooks the following functions:

Cleaning the KRIZ virus with Command AntiVirus:
The user must boot into DOS from a floppy disk and run the DOS version of F-Prot. You can make a non-bootable F-Prot virus cleaning disk by (make certain you have the latest virus definition files) copying the below files onto a floppy (these files can be found in the Command AntiVirus folder):

• f-prot.exe
• english.tx1
• sign.def
• sign2.def
• nomacro.def (once this file has been copied rename it to "macro.def"