©1995-2008 Symantec Corporation.

W32.Kriz

Category 2


W32.Kriz was first discovered in the Fall of 1999. The virus infects files on Windows 95/98 systems.

The virus has a dangerous payload that triggers on December 25 of any year. The payload is designed to overwrite files on the floppy disk, hard disk, RAM disk, and network drives. It also clears the information stored on the BIOS. This payload is similar to the W95.CIH virus.

In October 2000, Symantec Security Response received an increase in submissions of the virus. Symantec Security Response believes that the spread of W32.Kriz gained momentum when several widespread worms were infected by W32.Kriz and helped spread the virus.

Type: Virus
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

protection
  • Virus Definitions (LiveUpdate™ Weekly): August 17, 1999
  • Virus Definitions (Intelligent Updater): August 17, 1999

    threat assessment

    Threat Metrics

    Wild:
    Medium

    Damage:
    High

    Distribution:
    Low

    Damage

    • Payload: If the system date is December 25th, the virus will attempt to flash the BIOS of the computer. This will prevent the computer from booting up properly and may require a change of hardware. Information stored in the CMOS will be cleared. So the date, time, hard drive and floppy drive settings, peripheral configuration, etc. will need to be restored. The virus will also begin overwriting files on all available drives. This includes mapped network drives, floppy drives and RAM disks. This payload is very similar to W95.CIH.

    technical details

    W32.Kriz is a Windows 95/98 virus. It infects Windows Portable Executable (PE) files. The virus resides in memory and attempts to infect any files that are opened by the user or by programs.

    NOTE: If you are using Windows 2000/XP, the virus might replicate, but the payload will not be activated.

    The virus also modifies the Kernel32.dll file so that it cannot be repaired. In addition, this virus may corrupt some PE files; if this happens, they must be replaced.

    The W32.Kriz virus also contains a payload that is executed on December 25 of any year.

    The first time the virus is executed on a computer, it creates an infected copy of Kernel32.dll in the \Windows\System folder. The file is named Krized.tt6. This file should be deleted if found.

    The next time Windows is started, this file is copied over the original Kernel32.dll. The virus infects other files when certain Windows API functions are called by a program.

    There are variants of this virus. Some of the differences between variants pertain to the payload. The 3863 variant accesses more types of drives when overwriting files. Other differences include the method of infection. The 3740 variant creates a new section named "…" and copies its viral code to that newly created section. The 3863 variant simply appends its code to the end of the last section.

    Currently, only the 3863 variant has been found in the wild. There is a 3863.b version of this virus. It is the same as the 3863 variant except that some of the unused text at the end of the virus has been corrupted.
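The writeup says the 3863 variant appends its code to the end of the last section, which is the general behaviour of an "appending" file infector. The following is an added example written for this page; it is not Symantec's tool and not a signature for W32.Kriz. It parses the PE section table with a minimal hand-written parser and flags any image whose entry point falls in the last of two or more sections (or outside every section), which is a generic triage heuristic for appenders, not proof of infection. It also looks for the Krized.tt6 dropper name given above; the sample images and paths are constructed, and the folder is only the default named in the text.

```python
"""Triage heuristic for appending PE infectors (added example, not Symantec's code)."""
import ntpath
import struct

# Dropper file name given in the writeup; the folder is only the documented default.
DROPPER_NAME = "krized.tt6"

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, SizeOfRawData), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # optional header follows the COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + i * 40
        name, vsize, va, rsize = struct.unpack_from(SECTION_HDR, data, off)[:4]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rsize))
    return entry, sections


def triage(data: bytes) -> dict:
    """Flag an image whose entry point lies in its last section (of two or more) or in no section."""
    entry, sections = parse_pe(data)
    hit = None
    for idx, (_, va, vsize, rsize) in enumerate(sections):
        if va <= entry < va + max(vsize, rsize):
            hit = idx
            break
    if hit is None:
        return {"entry_rva": entry, "section": None, "suspicious": True,
                "reason": "entry point outside every section"}
    name = sections[hit][0]
    appended = len(sections) > 1 and hit == len(sections) - 1
    return {"entry_rva": entry, "section": name, "suspicious": appended,
            "reason": "entry point in last section" if appended else "entry point in %s" % name}


def find_dropper(paths):
    """Return the paths whose file name matches the dropper left by the virus's first run."""
    return [p for p in paths if ntpath.basename(p).lower() == DROPPER_NAME]


def build_pe(section_specs, entry_rva: int) -> bytes:
    """Construct a minimal PE32 header in memory (constructed test input, not a real program)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = bytearray(0xE0)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                         # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack(SECTION_HDR, n.ljust(8, b"\0"), vs, va, rs, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, rs, ch in section_specs)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed samples: a normal layout, and one whose last section grew and now holds the entry point.
CLEAN_IMAGE = build_pe([(b".text", 0x1000, 0x800, 0x800, 0x60000020),
                        (b".data", 0x2000, 0x200, 0x200, 0xC0000040)], 0x1100)
APPENDED_IMAGE = build_pe([(b".text", 0x1000, 0x800, 0x800, 0x60000020),
                           (b".data", 0x2000, 0x1400, 0x1400, 0xE0000060)], 0x2210)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("appended", APPENDED_IMAGE)):
        print(label, triage(img))
    print(find_dropper([r"C:\Windows\System\Krized.tt6", r"C:\Windows\System\kernel32.dll"]))
```

The heuristic will also flag some legitimate packed or unusually linked binaries, so a hit is a reason to scan the file with current definitions rather than a verdict on its own; the dropper-name check, by contrast, matches exactly the indicator the writeup names.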

    Payload
    If the system date is December 25, then the virus will attempt to flash the BIOS of the computer. This will prevent the computer from starting and may require a change of hardware. Information stored in the CMOS will be cleared, so the date, time, hard drive and floppy drive settings, peripheral configuration, and so forth will need to be restored. The virus also begins overwriting files on all available drives. This includes mapped network drives, floppy disks, and RAM disks. This payload is very similar to W95.CIH.

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
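The recommendation above to block attachments with extensions such as .vbs, .bat, .exe, .pif and .scr is easy to state but easy to get wrong at the boundary. The following added example (not Symantec's code) walks a MIME message with Python's standard email library and applies that policy, normalising case and trailing dots and judging the final extension so that a name like invoice.pdf.scr is caught. The message and file names are constructed for the demonstration.

```python
"""Mail attachment extension policy (added example, not Symantec's code)."""
import email
from email import policy

# Extensions the writeup lists as commonly used to spread viruses.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def is_blocked_name(filename: str) -> bool:
    """True if the attachment's effective extension is on the blocked list.

    Case is ignored, trailing spaces and dots are dropped (Windows strips them when the
    file is saved), and only the final extension counts, so invoice.pdf.scr is blocked.
    """
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return False
    return "." + name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message: str):
    """Return the file names of attachments in the message that violate the policy."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():      # skips the body parts, yields attachments
        fname = part.get_filename()          # reads Content-Disposition or Content-Type name
        if fname and is_blocked_name(fname):
            hits.append(fname)
    return hits


# Constructed sample message: one harmless text file and two blocked names.
SAMPLE_MESSAGE = """\
From: sender@example.test
To: recipient@example.test
Subject: holiday card
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

see attached
--BOUNDARY
Content-Type: text/plain
Content-Disposition: attachment; filename="card.txt"

season's greetings
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Card.PIF"
Content-Transfer-Encoding: base64

aGVsbG8=
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.scr."
Content-Transfer-Encoding: base64

aGVsbG8=
--BOUNDARY--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE_MESSAGE))
```

A gateway that quarantines on this result blocks the listed types regardless of how the sender cased or padded the name; names are still only a first line, since an executable can arrive under any extension, so the scan on delivery that the writeup also recommends remains necessary.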

    removal instructions

    If you have a computer that is infected with W32.Kriz, Symantec Security Response has developed a free tool to detect and remove this virus. The tool will not repair damage done by the virus once it has been activated on December 25. To run a Web-based scanner to detect the virus, and to download the tool, click here.

    NOTE: If you are using Windows 2000/XP, the virus might replicate, but the payload will not be activated. To remove W32.Kriz under these operating systems, use the removal tool.


    Manual removal instructions
    If you cannot obtain the tool, or if you prefer to manually repair the damage done by this virus, you must do the following:

    • Obtain the most recent virus definitions.
    • Restart the computer to Command Prompt Only.
    • Run the Norton AntiVirus DOS scanner.
    • Extract a new copy of the Kernel32.dll file.

    The details of each step follow.

    NOTE: This will remove the virus and replace the copy of Kernel32.dll. It will not, of course, replace files that have been overwritten by the virus if it activates on December 25. In that situation, the overwritten files will have to be replaced from a recent backup.

    To obtain the most recent virus definitions:
    Make sure that you have the most recent virus definitions by running LiveUpdate or downloading the definitions. See one of the following documents:

    To restart the computer to Command Prompt Only:
    • Windows 95
      1. Exit all programs.
      2. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
      3. Click Shut Down, and then click OK.
      4. Click Yes to confirm the shutdown.
      5. Turn off the computer (if necessary) and wait 30 seconds.

        NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.
      6. Turn on the computer.
      7. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
      8. Press the number that corresponds to Command Prompt Only, and then press Enter. The computer will start to a command prompt.
    • Windows 98
      1. Click Start, and click Run.
      2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
      3. Click Advanced on the General tab.
      4. Check Enable Startup Menu, click OK, and then click OK again.
      5. Exit all programs.
      6. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
      7. Click Shut Down, and then click OK.
      8. Click Yes to confirm the shut down.
      9. Turn off the computer and wait 30 seconds.

        NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.
      10. Turn on the computer, and wait for the Windows 98 Startup menu.
      11. Press the number that corresponds to Command Prompt Only, and then press Enter. The computer will start to a command prompt.
        NOTE: (For Windows 98 users only) When you have finished removing the virus, you can disable the Startup menu if desired. To do so, return to this section, and follow these steps:
        1. Click Start, and click Run.
        2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
        3. Click the General tab, and then click Advanced.
        4. Uncheck Enable Startup Menu, click OK, and then click OK again.
        5. Restart the computer.
    To run the Norton AntiVirus DOS scanner:
    1. At the C:\> prompt, type the following command, and then press Enter:

      dir /s /b \navdx.exe

      This displays the path to the Norton AntiVirus DOS scanner. If NAV is installed to a different drive, then change to the root of that drive first. The default is C:\Program Files\Norton AntiVirus.
    2. Change to the folder that contains Navdx.exe. You must use short file names. For example, if NAV is installed to C:\Program Files\Norton AntiVirus, then type the following:

      cd program~1\norton~1
    3. Type one of the following commands.

      CAUTION: This could take several hours or more on some computers. Do not attempt to stop the scan once it has started.

      NOTE: The DOS-based scanner can perform one of the following actions when it detects a virus:
      • To be prompted for any file that is detected as infected, type the following:

        navdx /a /doallfiles /prompt [Enter]

        You must press R)epair, D)elete or C)ontinue for each infected file. If you choose this option and NAV cannot repair an infected file, then you will see the message "Unable to repair the file," followed by the same three choices. In most cases you should then choose D)elete, unless you are sure that the file is not actually infected.
      • To delete any file that is detected as infected, type the following:

        navdx /a /doallfiles /delete [Enter]

        The disadvantage of this is that files that could be repaired will be deleted.
      • To repair any file that is detected as infected, type the following:

        navdx /a /doallfiles /repair [Enter]

        CAUTION: If NAV cannot repair a file and you choose this option, the file will be skipped. This means that infected files will still be on your system. If you choose this option, then you must run Navdx again, this time using the /delete switch, as shown in the previous example.
    4. When the scan has finished, proceed to the next section.

    To extract a new copy of the Kernel32.dll file:
    This is necessary because this file is critical to using your computer and has very likely been infected by the virus. You must use the Extract command at a DOS prompt to restore a good copy of this file from the Windows installation files.

    There are two locations from which these files can be extracted:
    • The Windows installation files on your hard disk. On many newer computers, the .cab files that contain the Windows installation files are stored on the computer's hard disk. If you are sure that this is the case, then see the section To extract files from the hard disk.
    • The Microsoft Windows 95/98 installation CD. If the .cab files do not exist on the hard disk, then see the section To extract files from the installation CD.
    NOTE: These instructions are provided for your convenience. The extraction of Windows files uses Microsoft programs and commands. Symantec does not provide warranty support for or assistance with Microsoft products.

    To extract files from the hard disk:
    1. Type dir /s /b \Win98_31.cab and then press Enter. This displays the path to the Win98_31.cab file. If the file is not found, then it is likely that the .cab files are not on the hard disk. In that case, skip to the section To extract files from the installation CD.
    2. Change to the folder that contains the Win98_31.cab file.
    3. What you do next depends on which version of Windows you are running:

      NOTES:
        • If you see a message like "File not found" after entering any of the commands, verify that it was typed exactly as shown.
        • If you see a message prompting whether you want to overwrite a file, then press Y for Yes, and press Enter.
        • If Windows is installed in a different location, then substitute the appropriate path.
      • If you are running Windows 98, type the following command:

        extract /a win98_31.cab kernel32.dll /L c:\windows\system [Enter]
      • If you are using Windows 95, then type the following command:

        extract /a win95_02.cab kernel32.dll /L c:\windows\system [Enter]

        If you do not see any error messages, then you are finished with the extraction process.
    4. Restart the computer, allow Windows to start, and then run a full system scan.

    To extract files from the installation CD:

    NOTES:
    • The instructions that follow are for the most widely distributed CD versions of Windows 95/98. There are, however, numerous versions, some of which were distributed on floppy disks. Each version may have the .cab files in a different location, or may have the necessary files in a different .cab file. It is beyond the scope of this document to include instructions for every version.
    • If you do not have the Windows installation CD for which the following commands were written, then you may need to change the command to the correct path for your version. You will also have to locate the .cab file that contains the file that you need to extract. For additional information, see the document Which cabinet files contain the original Windows files?
    1. Insert the Windows 98 Startup disk into the floppy disk drive.
    2. Insert the Windows 98 installation CD into the CD-ROM drive.
    3. Turn off the computer, and then wait thirty seconds. You must turn the power off; do not simply press the reset button.
    4. Turn on the computer. The computer boots to a startup menu.
    5. The default menu item is Start Computer with CD-ROM Support. Do not change this, but instead press Enter.
    6. Allow the computer to finish booting to an A:\> prompt. This could take a few minutes.
    7. The next step is to switch to the CD-ROM drive. Because you are using the Startup disk, the drive letter will be one letter greater than the drive letter that usually represents the CD-ROM drive. For example, if the CD-ROM drive is drive D in Windows, then it will be the E drive.

      Type the following, changing the drive letter as necessary, and then press Enter:

      e:\win9x (If the installation disk is for Windows Me)

      or

      e:\win98 (If the installation disk is for Windows 98)

      or

      e:\win95 (If the installation disk is for Windows 95)

      If you see an error message, then try retyping the command with a different drive letter (for example, f:\win98).
    8. What you do next depends on which version of Windows you are running:

      NOTES:
        • If you see a message like "File not found" after entering any of the commands, then verify that you typed it exactly as shown.
        • If you see a message prompting whether you want to overwrite a file, then press Y for Yes, and then press Enter.
        • If Windows is installed in a different location, then substitute the appropriate path.
      • If you are running Windows Me, then type the following command and press Enter:

        extract /a win_10.cab kernel32.dll /L c:\windows\system
      • If you are running Windows 98, then type the following command and press Enter:

        extract /a win98_31.cab kernel32.dll /L c:\windows\system
      • If you are using Windows 95, then type the following command and press Enter:

        extract /a win95_02.cab kernel32.dll /L c:\windows\system

        If you do not see any error messages, then you are finished with the extraction process.
    9. Restart the computer, allow Windows to start, and then run a full system scan.


    Write-up by: Eric Chien