Discovered: August 11, 1999
Updated: February 13, 2007 11:34:21 AM
Type: Virus
Systems Affected: Windows


W32.Kriz was first discovered in August 1999. It infects Windows Portable Executable (PE) files on Windows 95/98 systems.

The virus carries a destructive payload that triggers on December 25 of any year. The payload overwrites files on floppy disks, hard disks, RAM disks, and network drives, attempts to overwrite the flash BIOS, and clears the CMOS settings. This payload is very similar to that of the W95.CIH virus.

In October 2000, Symantec Security Response received an increase in submissions of the virus. Symantec Security Response believes that W32.Kriz gained momentum when the executables of several widespread worms were themselves infected by W32.Kriz, so that every copy of those worms also carried the virus.


Antivirus Protection Dates

  • Initial Rapid Release version August 17, 1999
  • Latest Rapid Release version May 01, 2018 revision 002
  • Initial Daily Certified version August 17, 1999
  • Latest Daily Certified version May 01, 2018 revision 007
  • Initial Weekly Certified release date August 17, 1999


Writeup By: Eric Chien



W32.Kriz is a Windows 95/98 virus. It infects Windows Portable Executable (PE) files. The virus resides in memory and attempts to infect any files that are opened by the user or by programs.

NOTE: If you are using Windows 2000/XP, the virus might replicate, but the payload will not be activated.

The virus also infects the Kernel32.dll file in a way that cannot be repaired in place; the file must be replaced with a clean copy from the Windows installation files. In addition, this virus may corrupt some PE files; if this happens, they must be replaced.

The W32.Kriz virus also contains a payload that is executed on December 25 of any year.

The first time the virus is executed on a computer, it creates an infected copy of Kernel32.dll in the \Windows\System folder, named Krized.tt6. This file should be deleted if found.

The next time Windows is started, this file is copied over the original Kernel32.dll. Because every Windows program loads Kernel32.dll, the virus is then active whenever Windows is running, and it infects other PE files when a program calls certain Windows API functions (for example, when a file is opened).

There are variants of this virus. Some of the differences between variants pertain to the payload. The 3863 variant accesses more types of drives when overwriting files. Other differences include the method of infection. The 3740 variant creates a new section named "…" and copies its viral code to that newly created section. The 3863 variant simply appends its code to the end of the last section.

Currently, only the 3863 variant has been found in the wild. There is a 3863.b version of this virus. It is the same as the 3863 variant except that some of the unused text at the end of the virus has been corrupted.
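The infection mechanism described above (body appended to the last section, execution redirected into it, Krized.tt6 dropped in \Windows\System) can be turned into a quick file-triage heuristic. The script below is an added example written for this page; it is not Symantec's removal tool and not code from the writeup. Header and section-table offsets come from the PE/COFF format; the two sample images are constructed in the script (headers only, no code) so it runs offline. A hit is an indicator, not a verdict: packers and some linkers also place the entry point in the last section, so confirm with a scanner. The same check can be run over Kernel32.dll before and after it is extracted.

```python
"""Appended-infector triage for W32.Kriz-style PE infections (added example)."""
import os
import struct
import sys

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
DROPPER_NAME = "krized.tt6"   # file name given in the writeup; FAT names are case-insensitive


def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, rawsize, chars), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vaddr, vsize, rawsize, chars))
    return entry, sections


def suspicious_indicators(data):
    """Heuristics for an appending infector; returns [] for a clean-looking file."""
    entry, sections = parse_sections(data)
    if not sections:
        return ["no section table"]
    last = sections[-1]
    reasons = []

    def holds(sec, rva):
        return sec[1] <= rva < sec[1] + max(sec[2], sec[3])

    entry_sec = next((s for s in sections if holds(s, entry)), None)
    if entry_sec is None:
        reasons.append("entry point 0x%x lies outside every section" % entry)
    elif entry_sec is last and len(sections) > 1:
        # Kriz-3863 appends its body to the last section and must start execution there.
        reasons.append("entry point 0x%x is in the last section %r" % (entry, last[0]))
    if last[4] & IMAGE_SCN_MEM_EXECUTE and last[4] & IMAGE_SCN_MEM_WRITE:
        # A linker-produced last section (.rsrc, .reloc) is rarely writable and executable.
        reasons.append("last section %r is both writable and executable" % last[0])
    return reasons


def dropper_in_listing(names):
    """True if Krized.tt6 appears among the given file names."""
    return any(n.lower() == DROPPER_NAME for n in names)


def dropper_present(system_dir=r"C:\Windows\System"):
    try:
        return dropper_in_listing(os.listdir(system_dir))
    except OSError:
        return False


def build_pe(sections, entry):
    """Construct a minimal PE32 image (DOS stub, headers, section table) for testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                          # AddressOfEntryPoint
    table = b""
    for name, vaddr, size, chars in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", size, vaddr, size, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a normal layout, and the same file with the last section
# grown, made writable and executable, and the entry point moved into it.
CLEAN_PE = build_pe([
    (".text", 0x1000, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x2000, 0x400, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".reloc", 0x3000, 0x200, IMAGE_SCN_MEM_READ),
], entry=0x1100)
INFECTED_PE = build_pe([
    (".text", 0x1000, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x2000, 0x400, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".reloc", 0x3000, 0x1200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
], entry=0x3200)

if __name__ == "__main__":
    samples = [("<clean sample>", CLEAN_PE), ("<infected sample>", INFECTED_PE)]
    for path in sys.argv[1:]:                 # optional: real PE files to triage
        with open(path, "rb") as f:
            samples.append((path, f.read()))
    for label, data in samples:
        hits = suspicious_indicators(data)
        print(label, "->", "; ".join(hits) if hits else "no indicators")
    if dropper_present():
        print("Krized.tt6 found in the System folder: delete it")
```

Run with no arguments to see the two constructed samples classified, or pass paths to PE files to triage them as well. The dropper check looks only in the default System folder; pass another path to `dropper_present` if Windows is installed elsewhere.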

Payload
If the system date is December 25, the virus attempts to overwrite (flash) the computer's BIOS. If this succeeds, the computer will not start and hardware may need to be replaced. The information stored in CMOS is also cleared, so the date, time, hard disk and floppy drive settings, peripheral configuration, and so on must be re-entered. The virus then begins overwriting files on all available drives, including mapped network drives, floppy disks, and RAM disks. This payload is very similar to that of W95.CIH.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.




If you have a computer that is infected with W32.Kriz, Symantec Security Response has developed a free tool to detect and remove this virus. The tool will not repair damage done by the virus once the payload has been activated on December 25. A Web-based scanner to detect the virus, and the removal tool itself, are available from Symantec Security Response.

NOTE: If you are using Windows 2000/XP, the virus might replicate, but the payload will not be activated. To remove W32.Kriz under these operating systems, use the removal tool.


Manual removal instructions
If you cannot obtain the tool, or if you prefer to manually repair the damage done by this virus, you must do the following:

  • Obtain the most recent virus definitions.
  • Restart the computer to Command Prompt Only.
  • Run the Norton AntiVirus DOS scanner.
  • Extract a new copy of the Kernel32.dll file.

The details of each step follow.

NOTE: This will remove the virus and replace the copy of Kernel32.dll. It will not, of course, replace files that have been overwritten by the virus if it activates on December 25. In that situation, the overwritten files will have to be replaced from a recent backup.

To obtain the most recent virus definitions:
Make sure that you have the most recent virus definitions by running LiveUpdate or by downloading the definitions; see the Symantec documents on each method.

To restart the computer to Command Prompt Only:
  • Windows 95
    1. Exit all programs.
    2. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
    3. Click Shut Down, and then click OK.
    4. Click Yes to confirm the shutdown.
    5. Turn off the computer (if necessary) and wait 30 seconds.

      NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.
    6. Turn on the computer.
    7. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
    8. Press the number that corresponds to Command Prompt Only, and then press Enter. The computer will start to a command prompt.
  • Windows 98
    1. Click Start, and click Run.
    2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
    3. Click Advanced on the General tab.
    4. Check Enable Startup Menu, click OK, and then click OK again.
    5. Exit all programs.
    6. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
    7. Click Shut Down, and then click OK.
    8. Click Yes to confirm the shut down.
    9. Turn off the computer and wait 30 seconds.

      NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.
    10. Turn on the computer, and wait for the Windows 98 Startup menu.
    11. Press the number that corresponds to Command Prompt Only, and then press Enter. The computer will start to a command prompt.
      NOTE: (For Windows 98 users only) When you have finished removing the virus, you can disable the Startup menu if desired. To do so, return to this section, and follow these steps:
      1. Click Start, and click Run.
      2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
      3. Click the General tab, and then click Advanced.
      4. Uncheck Enable Startup Menu, click OK, and then click OK again.
      5. Restart the computer.
To run the Norton AntiVirus DOS scanner:
  1. At the C:\> prompt, type the following command, and then press Enter:

    dir /s /b \navdx.exe

    This displays the path to the Norton AntiVirus DOS scanner. If NAV is installed to a different drive, then change to the root of that drive first. The default is C:\Program Files\Norton AntiVirus.
  2. Change to the folder that contains Navdx.exe. You must use short file names. For example, if NAV is installed to C:\Program Files\Norton AntiVirus, then type the following:

    cd program~1\norton~1
  3. Type one of the following commands.

    CAUTION: This could take several hours or more on some computers. Do not attempt to stop the scan once it has started.

    NOTE: The DOS-based scanner can perform one of the following actions when it detects a virus:
    • To be prompted for any file that is detected as infected, type the following:

      navdx /a /doallfiles /prompt [Enter]

      You must press R)epair, D)elete or C)ontinue for each infected file. If you choose this option and NAV cannot repair an infected file, then you will see the message "Unable to repair the file," followed by the same three choices. In most cases you should then choose D)elete, unless you are sure that the file is not actually infected.
    • To delete any file that is detected as infected, type the following:

      navdx /a /doallfiles /delete [Enter]

      The disadvantage of this is that files that could be repaired will be deleted.
    • To repair any file that is detected as infected, type the following:

      navdx /a /doallfiles /repair [Enter]

      CAUTION: If NAV cannot repair a file and you choose this option, the file will be skipped. This means that infected files will still be on your system. If you choose this option, then you must run Navdx again, this time using the /delete switch, as shown in the previous example.
  4. When the scan has finished, proceed to the next section.

To extract a new copy of the Kernel32.dll file:
This is necessary because this file is critical to using your computer and has very likely been infected by the virus. You must use the Extract command at a DOS prompt to restore a good copy of this file from the Windows installation files.

There are two locations from which these files can be extracted:
  • The Windows installation files on your hard disk. On many newer computers, the .cab files that contain the Windows installation files are stored on the computer's hard disk. If you are sure that this is the case, then see the section To extract files from the hard disk.
  • The Microsoft Windows 95/98 installation CD. If the .cab files do not exist on the hard disk, then see the section To extract files from the installation CD.
NOTE: These instructions are provided for your convenience. The extraction of Windows files uses Microsoft programs and commands. Symantec does not provide warranty support for or assistance with Microsoft products.

To extract files from the hard disk:
  1. Type dir /s /b \Win98_31.cab (on Windows 95, type dir /s /b \Win95_02.cab) and then press Enter. This displays the path to the .cab file. If the file is not found, then it is likely that the .cab files are not on the hard disk. In that case, skip to the section To extract files from the installation CD.
  2. Change to the folder that contains the .cab file.
  3. What you do next depends on which version of Windows you are running:

    NOTES:
      • If you see a message like "File not found" after entering any of the commands, verify that it was typed exactly as shown.
      • If you see a message prompting whether you want to overwrite a file, then press Y for Yes, and press Enter.
      • If Windows is installed in a different location, then substitute the appropriate path.
    • If you are running Windows 98, type the following command:

      extract /a win98_31.cab kernel32.dll /L c:\windows\system [Enter]
    • If you are using Windows 95, then type the following command:

      extract /a win95_02.cab kernel32.dll /L c:\windows\system [Enter]

      If you do not see any error messages, then you are finished with the extraction process.
  4. Restart the computer, allow Windows to start, and then run a full system scan.

To extract files from the installation CD:

NOTES:
  • The instructions that follow are for the most widely distributed CD versions of Windows 95/98. There are, however, numerous versions, some of which were distributed on floppy disks. Each version may have the .cab files in a different location, or may have the necessary files in a different .cab file. It is beyond the scope of this document to include instructions for every version.
  • If you do not have the Windows installation CD for which the following commands were written, then you may need to change the command to the correct path for your version. You will also have to locate the .cab file that contains the file that you need to extract. For additional information, see the document Which cabinet files contain the original Windows files?
  1. Insert the Windows 98 Startup disk into the floppy disk drive.
  2. Insert the Windows 98 installation CD into the CD-ROM drive.
  3. Turn off the computer, and then wait thirty seconds. You must turn the power off; do not simply press the reset button.
  4. Turn on the computer. The computer boots to a startup menu.
  5. The default menu item is Start Computer with CD-ROM Support. Do not change this, but instead press Enter.
  6. Allow the computer to finish booting to an A:\> prompt. This could take a few minutes.
  7. The next step is to switch to the CD-ROM drive and to the folder that holds the .cab files. Because you started from the Startup disk, which creates a RAM drive that takes the next free letter, the CD-ROM drive letter will be one letter greater than the letter it usually has in Windows. For example, if the CD-ROM drive is drive D in Windows, it will be drive E.

    Type the drive letter followed by a colon, changing the letter as necessary, and then press Enter:

    e:

    Then change to the folder for your version of Windows and press Enter:

    cd \win9x (if the installation CD is for Windows Me)

    or

    cd \win98 (if the installation CD is for Windows 98)

    or

    cd \win95 (if the installation CD is for Windows 95)

    If you see an error message, then try again with a different drive letter (for example, f:).
  8. What you do next depends on which version of Windows you are running:

    NOTES:
      • If you see a message like "File not found" after entering any of the commands, then verify that you typed it exactly as shown.
      • If you see a message prompting whether you want to overwrite a file, then press Y for Yes, and then press Enter.
      • If Windows is installed in a different location, then substitute the appropriate path.
    • If you are running Windows Me, then type the following command and press Enter:

      extract /a win_10.cab kernel32.dll /L c:\windows\system
    • If you are running Windows 98, then type the following command and press Enter:

      extract /a win98_31.cab kernel32.dll /L c:\windows\system
    • If you are using Windows 95, then type the following command and press Enter:

      extract /a win95_02.cab kernel32.dll /L c:\windows\system

      If you do not see any error messages, then you are finished with the extraction process.
  9. Restart the computer, allow Windows to start, and then run a full system scan.

