| Kriz | |
|---|---|
| Type | File virus |
| Creator | T2/Immortal Riot |
| Date Discovered | 1999.08.11 |
| Place of Origin | Netherlands |
| Source Language | Assembly |
| Platform | DOS |
| File Type(s) | .exe, .scr, .dll* |
| Infection Length | 4,029 bytes |
| Reported Costs | |
Kriz is a Windows virus from 1999. It has a dangerous payload, quite similar to Magistr and CIH that can destroy hardware. The virus was released in late summer of 1999, but did not make any of the charts until over a year later.
Behavior
When a file infected with Kriz is executed, the virus is decrypted and becomes memory resident. It tries to infect any Windows Portable Executable files that are opened. Some PE files may be corrupted during infection.
Kriz also modifies Kernel32.dll in such a way that it can't be repaired. This file is very difficult to infect because of its read-only setting, but Kriz uses a relatively common trick to get around this. It makes a copy of Kernel32.dll in the system folder named KRIZED.TT6 and infects that. It will calculate the original's checksum so it doesn't generate execution problems with Windows NT. It creates the file WININIT.INI in the Windows folder that contains the line:
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KRIZED.TT6This ensures the KRIZED.TT6 file overwrites Kernel32.dll when the computer is restarted.
On December 25, the virus executes its payload. The virus overwrites files on all available drives, including floppies, network drives and RAM disks. It also attempts to flash the BIOS, which will prevent the computer from starting. It clears the CMOS date, time, drive settings and peripheral configuration.
Variants
Kriz has over 10 variants. Notable ones include Kriz.3740 and Kriz.3863. The original contained some bugs, which the coder fixed in subsequent versions after they were discovered.
Kriz.3740
Kriz.3740 creates a section named "…" and places its code in there. Most other variants simply append their code to the last section.
Kriz.3863
Kriz.3863 accesses more disks when overwriting files. There is one subvariant with unused text at the end that is corrupted. It is the only variant found in the wild.
Effects
In late 2001, Kriz was accidentally released on the Atelier Marie video game for the Sega Dreamcast. The Sircam worm became infected with Kriz, allowing it to piggyback on worm. Sircam also carried the Funlove virus. Kriz was number 5 on Trend Micro's top 10 list in October of 2000.
Other Facts
"Krized" is pronounced like "Christ".
In some Slavic languages, the word Kriz, often with diacritic marks, means "Cross". Križ is village in Croatia and Kříž is a Czech family name.
Sources
T2/Immortal Riot. 29A Magazine, Win32.Kriz source code.
Eric Chien. Symantec.com, W32.Kriz. 2007.02.13
Symantec Press Release, Symantec Provides Tool to Detect and Remove Destructive W32.Kriz Virus. 2000.12.19
Attrition.org, Certified Pre-0wned.
ITAvisen, Come-back for gamle virus. 2000.10.19
John Leyden. The Register, SirCam worm enjoys virus gang bang. 2001.08.02