[20772] in APO-L


Re: virus warning

daemon@ATHENA.MIT.EDU (Paul Boal)
Fri Aug 20 09:34:48 1999

Date:         Fri, 20 Aug 1999 08:21:13 -0500
Reply-To: pboal@braunconsult.com
From: Paul Boal <pboal@BRAUNCONSULT.COM>
To: APO-L@LISTSERV.IUPUI.EDU
In-Reply-To:  <19990820.060930.-152275.0.costal2@juno.com>

Sorry, I'm not Ellen, but here's a nice reliable source for confirmation:

URL: http://vil.nai.com/vil/vpe10255.asp

<--- clip --->

Virus Name
W32/Kriz.3862

Date Added
8/16/99

Virus Characteristics
This is a Windows 95/98 and NT virus that infects PE EXE files. It is also
polymorphic. When an infected file is executed, this virus will stay
resident in memory until the next time the system is rebooted. This virus
encrypts its code, leaving only a small random decryptor. This virus will
infect files as they are opened by any application while it is in memory.
This will occur when a user scans files as well.

The virus also has a payload which activates when an infected file is run on
December 25th. When it does, it will attempt to erase the computer's CMOS
information, which contains information such as date and time, and the type
of hard disk the computer uses. This virus will also attempt to directly
erase disk sectors. It will attempt to flash the BIOS with garbage. This
only works on certain types of BIOSes. If this succeeds, the computer will
not boot. This is similar to the action taken by the CIH virus. If the virus
is successful, the computer will not boot up, not even from a floppy disk. In
some cases the virus will corrupt the file it infects and cleaning may not
be possible.

This virus will infect kernel32.dll. When it does, it replaces the original
contents with its own. Because of this the file can NOT be repaired, it must
be replaced.

This virus code also contains a poem that contains quite a bit of profanity.
It is never displayed, nor is it used in any of the routines it runs.


Indications Of Infection
Not Available...

Method Of Infection
When first run on a clean machine, the virus checks KERNEL32.DLL to see if
it is infected; if yes, then the virus exits. If KERNEL32.DLL is not infected,
then the virus copies KERNEL32.DLL to WINDOWS\SYSTEM\KRIZED.TT6 and then the
virus infects this local copy. The virus then creates the file
WINDOWS\WININIT.INI containing the lines:

[rename]
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KRIZED.TT6

This causes windows to replace KERNEL32.DLL with the infected copy when the
system is next re-started.

In the infected copy of KERNEL32.DLL the virus hooks the following functions:

CopyFileA, CopyFileW, CreateFileA, CreateFileW, CreateProcessA,
CreateProcessW, DeleteFileA, DeleteFileW, GetFileAttributesA,
GetFileAttributesW, MoveFileA, MoveFileW, MoveFileExA, MoveFileExW,
SetFileAttributesA, SetFileAttributesW

This causes any PE executable file that is run, copied, moved or scanned to
be infected by the virus.

Removal


For VirusScan 4x users, update your DATS from here.

For AVTK 7.95 and above users, update your DRVS from here.

Detection and cleaning for this virus is not available in VirusScan 3,
please update to VirusScan 4 here.


Virus Information
  Discovery Date: 8/16/99
  Type: Win32
  Risk Assessment: medium-AvertWatch List
  Minimum DAT: 4039


Variants
Unknown

Aliases
Kriz

<--- end --->



-----------------------------------------
              Paul Boal
           Associate Consultant
             Braun Consulting
             (314) 209 - 5116
          pboal@braunconsult.com
-----------------------------------------



> -----Original Message-----
> From: Alpha Phi Omega Discussion List
> [mailto:APO-L@LISTSERV.IUPUI.EDU]On Behalf Of Laura A Costa
> Sent: Friday, August 20, 1999 8:09 AM
> To: APO-L@LISTSERV.IUPUI.EDU
> Subject: Re: virus warning
>
>
> On Thu, 19 Aug 1999 19:13:22 -0700 Derek Cashman <cashman@YAHOO.COM>
> writes:
> > folks, I'm afraid this one's for real. the following
> > virus information and alert was posted on Network
> > Associates' Web Site earlier this week.
> >
> List moderators: is he correct?  Or is this yet *another* hoax?
>
> > maybe i'm missing something...is this virus spread through email?
> No virus is ever spread by a person just opening an email.  Now, if
> there's an attachment and you open the attachment, then that's where
> viruses like to hide.  But, as I said above, I'd like to see
> confirmation from a list moderator before I believe this is a true virus,
> as opposed to a hoax.  I wish the rest of the list members would let the
> moderators tell us about viruses.  It would make me less skeptical.
>
> Laura
>
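The persistence step in the quoted NAI description (stage an infected copy of KERNEL32.DLL, then have Windows swap it in at the next reboot via a `[rename]` entry in WININIT.INI) leaves a file-level indicator that can be checked before the reboot happens. The following is an added example, written for this archive page and not code from NAI, from the original poster, or from the virus: it parses WININIT.INI `[rename]` entries (DESTINATION=SOURCE, with NUL as destination meaning delete) and flags any entry that would replace a core system DLL with a differently named staged file. The `WATCHED_DLLS` set and the sample INI text are assumptions constructed for illustration; the KRIZED.TT6 line is the one the description above quotes.

```python
"""Flag WININIT.INI [rename] entries that would swap out a core system DLL
at the next boot, the persistence trick the quoted description attributes to
W32/Kriz. Added example, not NAI's or the virus's code; the INI text below
is constructed for illustration."""
import ntpath
from typing import Dict, List, Tuple

# DLLs a legitimate installer rarely replaces through WININIT.INI.
# This set is an assumption for the example; extend it as needed.
WATCHED_DLLS = {"KERNEL32.DLL", "USER32.DLL", "GDI32.DLL", "ADVAPI32.DLL"}


def parse_wininit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse WININIT.INI into {section: [(destination, source), ...]}.

    In [rename], each line is DEST=SOURCE: Windows moves SOURCE over DEST
    before the GUI loads, and DEST may be NUL to delete SOURCE. Duplicate
    destinations are kept, so configparser's dict semantics are not used.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section
        dest, src = (part.strip() for part in line.split("=", 1))
        sections[current].append((dest, src))
    return sections


def suspicious_renames(text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from [rename] whose destination
    is a watched DLL and whose source file has a different name, i.e. the
    DLL would be overwritten by an arbitrary staged file at reboot."""
    hits: List[Tuple[str, str]] = []
    for dest, src in parse_wininit(text).get("rename", []):
        dest_name = ntpath.basename(dest).upper()
        src_name = ntpath.basename(src).upper()
        if dest_name in WATCHED_DLLS and src_name != dest_name:
            hits.append((dest, src))
    return hits


# Constructed sample: the entry the quoted description says the virus
# writes, plus a deletion and a benign driver update, to show what is
# and is not flagged.
SAMPLE_WININIT = """\
[rename]
NUL=C:\\WINDOWS\\TEMP\\SETUP.TMP
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\KRIZED.TT6
C:\\WINDOWS\\SYSTEM\\VGA.DRV=C:\\WINDOWS\\TEMP\\VGA.DRV
"""

if __name__ == "__main__":
    for dest, src in suspicious_renames(SAMPLE_WININIT):
        print(f"suspicious: {dest} will be replaced by {src} at next boot")
```

This check only helps in the window between the first run and the reboot that applies the rename; once the infected KERNEL32.DLL is in place, the description above says file opens by any application, including a scanner, are hooked, so the file should be inspected from a clean boot rather than from the suspect system.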
