
W32.Kriz - Removal

Risk Level 2: Low

Discovered:
August 11, 1999
Updated:
February 13, 2007 11:34:21 AM
Type:
Virus
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

If you have a computer that is infected with W32.Kriz, Symantec Security Response has developed a free tool to detect and remove this virus. The tool will not repair damage done by the virus once it has been activated on December 25. To run a Web-based scanner to detect the virus, and to download the tool, click here.

NOTE: If you are using Windows 2000/XP, the virus might replicate, but the payload will not be activated. To remove W32.Kriz under these operating systems, use the removal tool.


Manual removal instructions
If you cannot obtain the tool, or if you prefer to manually repair the damage done by this virus, you must do the following:
  • Obtain the most recent virus definitions.
  • Restart the computer to Command Prompt Only.
  • Run the Norton AntiVirus DOS scanner.
  • Extract a new copy of the Kernel32.dll file.

The details of each step follow.

NOTE: This will remove the virus and replace the copy of Kernel32.dll. It will not, of course, replace files that have been overwritten by the virus if it activates on December 25. In that situation, the overwritten files will have to be replaced from a recent backup.

To obtain the most recent virus definitions:
Make sure that you have the most recent virus definitions by running LiveUpdate or downloading the definitions. See one of the following documents:

To restart the computer to Command Prompt Only:
  • Windows 95
    1. Exit all programs.
    2. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
    3. Click Shut Down, and then click OK.
    4. Click Yes to confirm the shutdown.
    5. Turn off the computer (if necessary) and wait 30 seconds.

      NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.
    6. Turn on the computer.
    7. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
    8. Press the number that corresponds to Command Prompt Only, and then press Enter. The computer will start to a command prompt.
  • Windows 98
    1. Click Start, and click Run.
    2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
    3. Click Advanced on the General tab.
    4. Check Enable Startup Menu, click OK, and then click OK again.
    5. Exit all programs.
    6. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
    7. Click Shut Down, and then click OK.
    8. Click Yes to confirm the shut down.
    9. Turn off the computer and wait 30 seconds.

      NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.
    10. Turn on the computer, and wait for the Windows 98 Startup menu.
    11. Press the number that corresponds to Command Prompt Only, and then press Enter. The computer will start to a command prompt.
      NOTE: (For Windows 98 users only) When you have finished removing the virus, you can disable the Startup menu if desired. To do so, return to this section, and follow these steps:
      1. Click Start, and click Run.
      2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
      3. Click the General tab, and then click Advanced.
      4. Uncheck Enable Startup Menu, click OK, and then click OK again.
      5. Restart the computer.
To run the Norton AntiVirus DOS scanner:
  1. At the C:\> prompt, type the following command, and then press Enter:

    dir /s /b \navdx.exe

    This displays the path to the Norton AntiVirus DOS scanner. If NAV is installed to a different drive, then change to the root of that drive first. The default is C:\Program Files\Norton AntiVirus.
  2. Change to the folder that contains Navdx.exe. You must use short file names. For example, if NAV is installed to C:\Program Files\Norton AntiVirus, then type the following:

    cd program~1\norton~1
  3. Type one of the following commands.

    CAUTION: This could take several hours or more on some computers. Do not attempt to stop the scan once it has started.

    NOTE: The DOS-based scanner can perform one of the following actions when it detects a virus:
    • To be prompted for any file that is detected as infected, type the following:

      navdx /a /doallfiles /prompt [Enter]

      You must press R)epair, D)elete or C)ontinue for each infected file. If you choose this option and NAV cannot repair an infected file, then you will see the message "Unable to repair the file," followed by the same three choices. In most cases you should then choose D)elete, unless you are sure that the file is not actually infected.
    • To delete any file that is detected as infected, type the following:

      navdx /a /doallfiles /delete [Enter]

      The disadvantage of this is that files that could be repaired will be deleted.
    • To repair any file that is detected as infected, type the following:

      navdx /a /doallfiles /repair [Enter]

      CAUTION: If NAV cannot repair a file and you choose this option, the file will be skipped. This means that infected files will still be on your system. If you choose this option, then you must run Navdx again, this time using the /delete switch, as shown in the previous example.
  4. When the scan has finished, proceed to the next section.

To extract a new copy of the Kernel32.dll file:
This is necessary because this file is critical to using your computer and has very likely been infected by the virus. You must use the Extract command at a DOS prompt to restore a good copy of this file from the Windows installation files.

There are two locations from which these files can be extracted:
  • The Windows installation files on your hard disk. On many newer computers, the .cab files that contain the Windows installation files are stored on the computer's hard disk. If you are sure that this is the case, then see the section To extract files from the hard disk.
  • The Microsoft Windows 95/98 installation CD. If the .cab files do not exist on the hard disk, then see the section To extract files from the installation CD.
NOTE: These instructions are provided for your convenience. The extraction of Windows files uses Microsoft programs and commands. Symantec does not provide warranty support for or assistance with Microsoft products.

To extract files from the hard disk:
  1. Type dir /s /b \Win98_31.cab and then press Enter. This displays the path to the Win98_31.cab file. If the file is not found, then it is likely that the .cab files are not on the hard disk. In that case, skip to the section To extract files from the installation CD.
  2. Change to the folder that contains the Win98_31.cab file.
  3. What you do next depends on which version of Windows you are running:

    NOTES:
      • If you see a message like "File not found" after entering any of the commands, verify that it was typed exactly as shown.
      • If you see a message prompting whether you want to overwrite a file, then press Y for Yes, and press Enter.
      • If Windows is installed in a different location, then substitute the appropriate path.
    • If you are running Windows 98, type the following command:

      extract /a win98_31.cab kernel32.dll /L c:\windows\system [Enter]
    • If you are using Windows 95, then type the following command:

      extract /a win95_02.cab kernel32.dll /L c:\windows\system [Enter]

      If you do not see any error messages, then you are finished with the extraction process.
  4. Restart the computer, allow Windows to start, and then run a full system scan.

To extract files from the installation CD:

NOTES:
  • The instructions that follow are for the most widely distributed CD versions of Windows 95/98. There are, however, numerous versions, some of which were distributed on floppy disks. Each version may have the .cab files in a different location, or may have the necessary files in a different .cab file. It is beyond the scope of this document to include instructions for every version.
  • If you do not have the Windows installation CD for which the following commands were written, then you may need to change the command to the correct path for your version. You will also have to locate the .cab file that contains the file that you need to extract. For additional information, see the document Which cabinet files contain the original Windows files?
  1. Insert the Windows 98 Startup disk into the floppy disk drive.
  2. Insert the Windows 98 installation CD into the CD-ROM drive.
  3. Turn off the computer, and then wait thirty seconds. You must turn the power off; do not simply press the reset button.
  4. Turn on the computer. The computer boots to a startup menu.
  5. The default menu item is Start Computer with CD-ROM Support. Do not change this, but instead press Enter.
  6. Allow the computer to finish booting to an A:\> prompt. This could take a few minutes.
  7. The next step is to switch to the CD-ROM drive. Because you are using the Startup disk, the drive letter will be one letter greater than the drive letter that usually represents the CD-ROM drive. For example, if the CD-ROM drive is drive D in Windows, then it will be the E drive.

    Type the following, changing the drive letter as necessary, and then press Enter:

    e:\win9x (If the installation disk is for Windows Me)

    or

    e:\win98 (If the installation disk is for Windows 98)

    or

    e:\win95 (If the installation disk is for Windows 95)

    If you see an error message, then try retyping the command with a different drive letter (for example, f:\win98).
  8. What you do next depends on which version of Windows you are running:

    NOTES:
      • If you see a message like "File not found" after entering any of the commands, then verify that you typed it exactly as shown.
      • If you see a message prompting whether you want to overwrite a file, then press Y for Yes, and then press Enter.
      • If Windows is installed in a different location, then substitute the appropriate path.
    • If you are running Windows Me, then type the following command and press Enter:

      extract /a win_10.cab kernel32.dll /L c:\windows\system
    • If you are running Windows 98, then type the following command and press Enter:

      extract /a win98_31.cab kernel32.dll /L c:\windows\system
    • If you are using Windows 95, then type the following command and press Enter:

      extract /a win95_02.cab kernel32.dll /L c:\windows\system

      If you do not see any error messages, then you are finished with the extraction process.
  9. Restart the computer, allow Windows to start, and then run a full system scan.
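The manual procedure above (scan with Navdx, then replace Kernel32.dll from the hard-disk cabinets), collected into one batch file for a Windows 95/98 boot to Command Prompt Only. This is an added example, not Symantec's removal tool or any script from the writeup; it assumes Norton AntiVirus in its default folder, the .cab files under C:\WINDOWS\OPTIONS\CABS, and extract.exe's /Y switch to answer the overwrite prompt, so edit the three SET lines to match what the dir /s /b searches report on your machine.

```batch
@echo off
rem Added example (not Symantec's tool): W32.Kriz manual cleanup for a
rem Windows 95/98 boot to "Command Prompt Only", following the writeup.
rem Assumed layout: edit these three lines to match the paths that
rem "dir /s /b \navdx.exe" and "dir /s /b \win98_31.cab" report.
set NAVDIR=C:\PROGRA~1\NORTON~1
set CABDIR=C:\WINDOWS\OPTIONS\CABS
set SYSDIR=C:\WINDOWS\SYSTEM

if not exist %NAVDIR%\NAVDX.EXE goto nonav

rem Pass 1 repairs every infected file that can be repaired. Files NAV
rem cannot repair are skipped, so pass 2 deletes whatever is still detected.
echo Scanning (this can take hours; do not interrupt)...
%NAVDIR%\NAVDX.EXE /a /doallfiles /repair
%NAVDIR%\NAVDX.EXE /a /doallfiles /delete

rem Restore a clean KERNEL32.DLL from whichever cabinet set is present.
rem /Y answers the overwrite prompt the writeup mentions (assumed switch).
if exist %CABDIR%\WIN98_31.CAB goto w98
if exist %CABDIR%\WIN95_02.CAB goto w95
goto nocab

:w98
extract /Y /a %CABDIR%\WIN98_31.CAB kernel32.dll /L %SYSDIR%
goto done

:w95
extract /Y /a %CABDIR%\WIN95_02.CAB kernel32.dll /L %SYSDIR%
goto done

:nonav
echo NAVDX.EXE not found in %NAVDIR%. Fix NAVDIR and run again.
goto end

:nocab
echo No WIN98_31.CAB or WIN95_02.CAB in %CABDIR%. Extract from the CD instead.
goto end

:done
echo Scan and KERNEL32.DLL replacement finished.
echo Restart Windows and run a full system scan.

:end
set NAVDIR=
set CABDIR=
set SYSDIR=
```

Run it from the C:\> prompt after booting to Command Prompt Only; it uses only COMMAND.COM batch features, so it also works from a Windows 98 Startup disk once the hard disk is accessible.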


Writeup By: Eric Chien
