W32.Kriz virus alert! (8/20/99)

Question

W32.Kriz virus alert! (8/20/99)

Answer

This question was answered on August 20, 1999. Much of the information contained herein may have changed since posting.

A potentially destructive variation of the Chernobyl virus strain has been discovered.

This new strain, dubbed the W32.Kriz virus, is one of the more dangerous viruses because of its payload, which can attack your computer's BIOS (Basic Input Output System) chip. The BIOS chip is what allows your computer to retain all relevant hardware settings when you shut down or start up the system. One of the traits of this new strain is that it attacks the BIOS chip by "flashing" (re-programming) it with garbage code. A computer that has its BIOS improperly flashed is usually rendered useless until the chip can be replaced. This was first seen in the Chernobyl virus. The chances of infection at this point are small, but if this strain infects your computer it will attempt to "flash" your BIOS when it sees the date of December 25th (some joker's idea of a Christmas gift). The number of computers that can be affected by this strain is also increased because it can attack Windows 95/98 as well as Windows NT based systems (it does not infect MacOS based systems).

The technical details of this virus are as follows:

It is currently (8/99) rated between a rare and medium risk, but could spread quickly because it infects every *.exe file that is run on an infected system. This would allow it to infect those cutesy little animated programs that many people like to send as attachments to e-mail. W32.Kriz infects Portable Executable (PE) Windows files. The virus goes resident in memory, attempting to infect any files that are opened by the user or by applications. If infected with this virus, the user should verify they have "booted clean" before attempting to scan and repair files.

The virus also modifies KERNEL32.DLL. This file must be replaced with a known, clean backup if it does become infected. In addition, this virus may corrupt some PE files, requiring them to be replaced from known, clean backups (or from the installation package).

The first time the virus is executed on a system, it will create an infected copy of KERNEL32.DLL in the Windows system directory. The file will be called KRIZED.TT6. If the user finds this file in their Windows system directory, it should be deleted. The next time Windows is started, this file will be copied over the original KERNEL32.DLL.

The virus then creates the file WINDOWS\WININIT.INI containing the lines:

[rename]
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KRIZED.TT6

This causes Windows to replace KERNEL32.DLL with the infected copy when the system is next restarted.
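As an added example (not part of the original alert), the following Python script shows how a defender can parse a WININIT.INI [rename] section and flag entries that would overwrite a core system DLL or that name the KRIZED.TT6 dropper described above. The sample file contents, the protected-file list and the function names are constructed for illustration.

```python
import configparser
import ntpath

# Constructed sample of a WININIT.INI in the form the alert describes (not a real capture).
# Each [rename] line reads destination=source: Windows replaces the left-hand
# file with the right-hand file at the next restart.
SAMPLE_WININIT_INI = r"""[rename]
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KRIZED.TT6
C:\WINDOWS\TEMP\~setup1.tmp=C:\WINDOWS\TEMP\~setup0.tmp
"""

# Core binaries that a legitimate installer's rename list should not replace
# from an arbitrary file (assumed list), plus the dropper name given in the alert.
PROTECTED_TARGETS = {"KERNEL32.DLL", "USER32.DLL", "GDI32.DLL"}
KNOWN_BAD_SOURCES = {"KRIZED.TT6"}


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section, in file order."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep the path on the left side case-intact
    cp.read_string(text)
    if not cp.has_section("rename"):
        return []
    return [(dest, src) for dest, src in cp.items("rename")]


def suspicious_renames(text):
    """Flag rename entries that overwrite a protected system file or whose
    source is a known dropper name. Returns a list of human-readable findings."""
    findings = []
    for dest, src in parse_rename_section(text):
        dest_name = ntpath.basename(dest).upper()
        src_name = ntpath.basename(src).upper()
        if dest_name in PROTECTED_TARGETS:
            findings.append(f"{dest} would be replaced by {src} at next restart")
        if src_name in KNOWN_BAD_SOURCES:
            findings.append(f"source {src} matches a known dropper file name")
    return findings


if __name__ == "__main__":
    for finding in suspicious_renames(SAMPLE_WININIT_INI):
        print("SUSPICIOUS:", finding)
```

The benign temp-file rename in the sample is not flagged; only the KERNEL32.DLL entry produces findings.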

In the infected copy of KERNEL32.DLL the virus hooks the following functions:

CopyFileA
CopyFileW
CreateFileA
CreateFileW
CreateProcessA
CreateProcessW
DeleteFileA
DeleteFileW
GetFileAttributesA
GetFileAttributesW
MoveFileA
MoveFileW
MoveFileExA
MoveFileExW
SetFileAttributesA
SetFileAttributesW

This causes any PE executable file that is run, copied, moved or scanned to be infected by the virus.

McAfee and Norton Anti-Virus have both posted updates to their virus programs at the following sites:

McAfee VirusScan: http://download.mcafee.com/updates/updates.asp

Norton Anti-Virus: http://www.symantec.com/avcenter/download.html

Author

Posted by Ken of Data Doctors on August 20, 1999