[20768] in APO-L
virus warning
daemon@ATHENA.MIT.EDU (Derek Cashman)
Thu Aug 19 22:13:21 1999
Date: Thu, 19 Aug 1999 19:13:22 -0700
Reply-To: Derek Cashman <cashman@YAHOO.COM>
From: Derek Cashman <cashman@YAHOO.COM>
To: APO-L@LISTSERV.IUPUI.EDU
Folks, I'm afraid this one's for real. The following
virus information and alert was posted on Network
Associates' Web Site earlier this week.
Virus Name: W32/Kriz.3862
Date Added: 8/16/99
Type: Win32
Risk Assessment: medium-AvertWatch List
Minimum DAT: 4039
Variants: Unknown
Aliases: Kriz
Virus Characteristics:
This is a Windows 95/98 and NT virus that infects PE EXE
files. It is also polymorphic. When an infected file
is executed, this virus will stay resident in memory
until the next time the system is rebooted. This virus
encrypts its code, leaving only a small random
decryptor. This virus will infect files as they are
opened by any application while it is in memory. This
will occur when a user scans files as well.
The virus also has a payload which activates when an
infected file is run on December 25th. When it does it
will attempt to erase the computer's CMOS information,
which contains information such as date and time, and
the type of hard disk the computer uses. This virus
will also attempt to directly erase disk sectors. It
will attempt to flash the BIOS with garbage. This only
works on certain types of BIOSes. If this succeeds,
the computer will not boot. This is similar to the
action taken by the CIH virus. If the virus is
successful, the computer will not boot up, not even
from a floppy disk. In some cases the virus will
corrupt the file it
infects and cleaning may not be possible.
This virus will infect kernel32.dll. When it does, it
replaces the original contents with its own. Because
of this the file can NOT be repaired, it must be
replaced.
This virus code also contains a poem that contains
quite a bit of profanity. It is never displayed, nor
is it used in any of the routines it runs.
Indications Of Infection: Not Available...
Method Of Infection:
When first run on a clean machine, the virus checks
KERNEL32.DLL to see if it is infected, if yes then the
virus exits. If KERNEL32.DLL is not infected then the
virus copies KERNEL32.DLL to WINDOWS\SYSTEM\KRIZED.TT6
and then the virus infects this local copy. The virus
then creates the file WINDOWS\WININIT.INI containing
the lines:
[rename]
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KRIZED.TT6
This causes windows to replace KERNEL32.DLL with the
infected copy when the system is next re-started.
In the infected copy of KERNEL32.DLL the virus hooks
the following functions:
CopyFileA, CopyFileW, CreateFileA, CreateFileW,
CreateProcessA, CreateProcessW, DeleteFileA,
DeleteFileW, GetFileAttributesA, GetFileAttributesW,
MoveFileA, MoveFileW, MoveFileExA, MoveFileExW,
SetFileAttributesA, SetFileAttributesW
This causes any PE executable file that is run,
copied, moved or scanned to be infected by the virus.
Removal:
For VirusScan 4x users, update your DATS from here:
http://www.nai.com/asp_set/download/dats/mcafee_4x.asp
For AVTK 7.95 and above users, update your DRVS from
here:
http://vil.nai.com/drivers/kriz-795.zip
Detection and cleaning for this virus is not available
in VirusScan 3, please update to VirusScan 4 here.
===
_________________________________________________________
Derek Cashman (cashman@yahoo.com)
Graduate Student, Medicinal Chemistry
MCV / VCU
__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com
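The infection method above relies on the Windows 9x WININIT.INI [rename] mechanism: an entry of the form DESTINATION=SOURCE makes Windows delete DESTINATION and rename SOURCE onto it at the next boot, which is how the infected KRIZED.TT6 copy ends up as KERNEL32.DLL. The following is an added example (not code from the original post or from Network Associates) that parses a WININIT.INI and flags [rename] entries whose destination is a core system DLL. The INI text and the set of protected file names are constructed assumptions for the demonstration, not taken from the advisory.

```python
"""Flag WININIT.INI [rename] entries that would replace a protected system DLL
at the next reboot, the pattern W32/Kriz uses to swap in an infected
KERNEL32.DLL.

Added example, not part of the original post or of the NAI description.
SAMPLE and PROTECTED below are constructed for the demonstration.
"""
import re

# WININIT.INI [rename] lines have the shape DESTINATION=SOURCE: on the next
# boot, Windows 9x deletes DESTINATION and renames SOURCE onto it.  A
# destination of NUL (e.g. "NUL=C:\TEMP\X.TMP") just deletes the source file.
# Assumption: no legitimate installer should swap these DLLs this way.
PROTECTED = {"KERNEL32.DLL", "USER32.DLL", "GDI32.DLL"}


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section only.

    Section names are matched case-insensitively; blank lines and ';'
    comments are skipped; entries in any other section are ignored."""
    pairs = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            in_rename = header.group(1).strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def basename_upper(path):
    """Last path component, upper-cased (DOS/Windows paths are case-insensitive)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def suspicious_renames(text, protected=PROTECTED):
    """Return [rename] entries whose DESTINATION is a protected DLL.

    Note the direction: the suspicious entry has the system DLL on the left
    (destination) and an arbitrary file on the right (source), exactly like
    KERNEL32.DLL=KRIZED.TT6 in the advisory."""
    return [(d, s) for d, s in parse_rename_section(text)
            if basename_upper(d) in protected]


# Constructed sample: one harmless temp-file deletion, one Kriz-style swap,
# one ordinary application update, and a decoy line outside [rename].
SAMPLE = """; constructed sample WININIT.INI
[rename]
NUL=C:\\WINDOWS\\TEMP\\SETUP123.TMP
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\KRIZED.TT6
C:\\PROGRA~1\\APP\\APP.EXE=C:\\PROGRA~1\\APP\\APP.NEW
[other]
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\X.DLL
"""

if __name__ == "__main__":
    for dest, src in suspicious_renames(SAMPLE):
        print(f"WARNING: {dest} will be replaced by {src} at next reboot")
```

Run against a real WINDOWS\WININIT.INI (which normally only exists between a pending rename and the next reboot), a non-empty result for a core DLL is worth treating as a pending infection; the same check would also catch the SOURCE file (here KRIZED.TT6) for quarantine before the swap happens.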