Win32.Kriz
--------------------------------------------------------------------------------
It is a memory resident polymorphic Windows virus. It replicates under 32-bit
Windows systems and infects PE EXE files (Windows executables) with EXE and SCR
filename extensions, as well as the Windows KERNEL32.DLL system library, which
allows the virus to stay memory resident for a whole Windows session. The copy
of the virus in the infected KERNEL32.DLL hooks file access functions,
intercepts file copying, opening, moving, etc., and infects the files that are
accessed.
The virus checks file names and does not infect the following anti-virus
program files:
_AVP32.EXE, _AVPM.EXE, ALERTSVC.EXE, AMON.EXE, AVP32.EXE, AVPM.EXE,
N32SCANW.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVRUNR.EXE,
NAVWNT.EXE, NOD32.EXE, NPSSVC.EXE, NSCHEDNT.EXE, NSPLUGIN.EXE, SCAN.EXE,
SMSS.EXE
The virus has an extremely dangerous payload that is activated on December
25th. On this day, when infecting any file (i.e. when a file is accessed through
any of the Windows functions listed below), the virus "kills" the information
stored in CMOS memory, overwrites data in all files on all available drives,
and then corrupts the Flash BIOS using the same routine that was found in the
"Win95.CIH" virus (aka
When an infected file is run, the virus' polymorphic decryption loop takes
control and restores the virus code to its original form. The virus then scans
the Windows kernel, obtains the addresses of the Windows functions it needs and
calls the KERNEL32 infection routine.
While infecting a file the virus creates a new section at the end of the file,
encrypts its code and writes it there. To distinguish infected files from not
yet infected ones, the virus writes the "666" ID string to a reserved field of
the PE file header. The virus section has the name "...".
While infecting the KERNEL32.DLL module the virus also patches its Export table
(the table of exported functions) and modifies the addresses of several
functions so that, on the next Windows startup, calls to those KERNEL32
functions pass through the virus's hook routines. That allows the virus to
monitor file access calls.
The virus hooks 16 KERNEL32 functions: file opening, copying, deleting,
reading/writing file attributes, and creating a new process. The complete list
of hooked functions is:
CopyFileA, CopyFileW
CreateFileA, CreateFileW
DeleteFileA, DeleteFileW
MoveFileA, MoveFileW, MoveFileExA, MoveFileExW
GetFileAttributesA
SetFileAttributesA, SetFileAttributesW, SetFileAttributesExA
CreateProcessA, CreateProcessW
Because the KERNEL32.DLL file in use can only be opened in read-only mode, the
virus uses a standard trick to infect it. It copies the file under a temporary
name (the copy is named KRIZED.TT6 and is created in the Windows system
directory), infects that copy, and writes a "rename" instruction to the
WININIT.INI file. This forces Windows to replace the original KERNEL32.DLL with
the infected copy on the next startup.
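A defender-side check for the two on-disk markers described above (the trailing "..." section appended to infected PE files, and the pending WININIT.INI rename of the KRIZED.TT6 copy over KERNEL32.DLL), written as an added example rather than anything from the original description. The PE image it parses is constructed inline, and the destination=source line format of the [rename] section is an assumption.

```python
import struct

KRIZ_SECTION_NAME = "..."       # section name the description attributes to the virus
KRIZ_TEMP_COPY = "KRIZED.TT6"   # temporary copy of KERNEL32.DLL named in the description

def build_sample_pe(section_names):
    """Constructed minimal PE (not a real sample): MZ stub, PE signature, COFF header
    with SizeOfOptionalHeader = 0, then one 40-byte section table entry per name."""
    e_lfanew = 0x40
    mz_stub = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x10F)
    table = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return mz_stub + b"PE\x00\x00" + coff + table

def pe_section_names(data):
    """Walk the PE section table and return the section names in file order."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # signature (4) + COFF header (20) + optional header
    names = []
    for i in range(num_sections):
        entry = data[table + 40 * i:table + 40 * i + 8]
        if len(entry) < 8:
            raise ValueError("section table truncated")
        names.append(entry.rstrip(b"\x00").decode("latin-1"))
    return names

def kriz_section_indicator(data):
    """True when the last section carries the "..." name the virus appends."""
    names = pe_section_names(data)
    return bool(names) and names[-1] == KRIZ_SECTION_NAME

def wininit_rename_pairs(ini_text):
    """(destination, source) pairs from the [rename] section of WININIT.INI
    (assumed destination=source line format; NUL= lines are deletions)."""
    pairs, in_rename = [], False
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_rename = line.lower() == "[rename]"
        elif in_rename and "=" in line:
            dst, src = line.split("=", 1)
            pairs.append((dst.strip(), src.strip()))
    return pairs

def kriz_wininit_indicator(ini_text):
    """True when a pending rename would install the KRIZED.TT6 copy at startup."""
    return any(src.upper().endswith(KRIZ_TEMP_COPY) for _, src in wininit_rename_pairs(ini_text))
```

Either indicator alone is a trigger for closer inspection, not a verdict; the "666" header marker is not checked here because the description does not say which reserved field carries it.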
The virus contains internal text strings that are not used in any way:
=( [c] 1999 [t] )=
YOU CALL IT RELIGION, YOU'RE FULL OF SHIT
YOU NEVER KNEW, YOU NEVER DID, YOU NEVER WILL
YOU'RE SO FULL OF SHIT, I DON'T WANT TO HEAR IT
ALL YOU DO IS TALK ABOUT YOURSELF
I DON'T WANNA HEAR IT, COZ I KNOW NONE OF IT'S TRUE
I'M SICK AND TIRED OF ALL YOUR GODDAMN LIES
LIES IN THE NAME OF GOD
WHEN ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT?!
I KNOW YOU'RE SO FULL OF SHIT, SO SHUT YOUR FUCKING MOUTH
YOU KEEP ON TALKING, TALKING EVERYDAY
FIRST YOU'RE TELLING STORIES, THEN YOU'RE TELLING LIES
WHEN THE FUCK ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT!!
AH, SHUT THE FUCK UP...
Kriz.3862
This virus version is very closely related to the original one and differs only
in additional programming tricks, a different "copyright" text string:
(c) T2 & Immortal Riot
and an improved disk erasing routine: in addition to erasing CMOS, Flash and
files on logical drives, this version enumerates all available network drives
and erases all files on them. While erasing files the virus truncates them and
overwrites them with the "DEAD BEEF" hexadecimal string (DEADBEEFh).
Kriz.4029
This virus version is very closely related to the previous one
("Kriz.3836"). The differences are: some routines were improved; the
destruction routine is also activated if the SoftIce debugger is installed in
the system; and the "copyright" text was changed to:
T-2000 / Immortal Riot
Text added: June-30-1999
New variant Win32.Kriz.3862: August-18-1999
More information about Kriz.3862 added: August-23-1999
Kriz.4029 desc. added: September-05-1999