Win32.Kriz Virus Information

Name: Win32.Kriz
Category: Viruses
Description:

Win32.Kriz

This is a memory-resident polymorphic Windows virus that replicates under Win32 systems. It infects PE EXE files (Windows executables) with EXE and SCR filename extensions, as well as the KERNEL32.DLL system library; infecting KERNEL32.DLL is what lets the virus stay memory resident for the entire Windows session. In an infected KERNEL32.DLL the virus hooks file-access functions, intercepts file copying, opening, moving and so on, and infects the accessed files. The virus checks file names and does not infect the following anti-virus program files:
_AVP32.EXE, _AVPM.EXE, ALERTSVC.EXE, AMON.EXE, AVP32.EXE, AVPM.EXE, N32SCANW.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVRUNR.EXE, NAVWNT.EXE, NOD32.EXE, NPSSVC.EXE, NSCHEDNT.EXE, NSPLUGIN.EXE, SCAN.EXE, SMSS.EXE
The virus has an extremely dangerous payload that is activated on December 25th. On that day, upon infecting any file (i.e. when a file is accessed through any of the Windows functions listed below), the virus erases CMOS memory, overwrites data in all files on all available drives, and then destroys the Flash BIOS using the same routine found in the "Win95.CIH" virus (a.k.a. Chernobyl).
When an infected file is run, the virus's polymorphic decryption loop takes control and restores the virus code to its original form. The virus then scans the KERNEL32 image in memory, obtains the addresses of the Windows functions it needs, and calls the KERNEL32 infection routine.
While infecting a file the virus, depending on its version, either writes itself to the end of the last file section and increases that section's size, or creates a new section at the end of the file and writes its encrypted code there. In the latter case the virus section is named "all".
To distinguish infected files from uninfected ones, the virus writes the "666" ID string to a reserved field of the PE file header.
While infecting the KERNEL32.DLL module, the virus also patches its export table and modifies several exported function addresses, so that from the next Windows startup on, calls to those KERNEL32 functions are filtered by the virus hooks. This lets the virus monitor file-access calls.
The virus hooks 16 KERNEL32 functions: file opening, copying, deleting and moving, reading/writing file attributes, and creating a new process. The complete list of hooked functions is:
CopyFileA CopyFileW
CreateFileA CreateFileW
DeleteFileA DeleteFileW
MoveFileA MoveFileExA MoveFileW MoveFileExW
GetFileAttributesA SetFileAttributesW
SetFileAttributesA SetFileAttributesExA
CreateProcessA CreateProcessW
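The two infection marks described above (the "all" section and the "666" ID in a reserved header field) and the patched KERNEL32 export table can all be checked statically. The following Python is an added example written for this page, not code from the virus description or from any anti-virus product. It parses a PE32 image by hand and reports three indicators: the marker value 0x666 in a reserved optional-header DWORD (the page does not say which reserved field Kriz uses, so checking Win32VersionValue and LoaderFlags is an assumption of this example), a last section named "all", and any of the 16 hooked file-API exports whose address now resolves into that last section. The sample image it scans is constructed in memory and contains no real Kriz or KERNEL32 bytes.

```python
"""Static checks for the Win32.Kriz infection markers described on this page.

Assumptions not stated on the page: the "666" ID is taken to be the value
0x666 in one of the two reserved DWORDs of the PE32 optional header
(Win32VersionValue at +52, LoaderFlags at +88). The sample image below is
constructed by hand; it is not real Kriz or KERNEL32 bytes.
"""
import struct

KRIZ_MARKER = 0x666
VIRUS_SECTION = b"all"
HOOKED_EXPORTS = {  # the 16 KERNEL32 exports listed on this page
    "CopyFileA", "CopyFileW", "CreateFileA", "CreateFileW",
    "DeleteFileA", "DeleteFileW", "MoveFileA", "MoveFileExA",
    "MoveFileW", "MoveFileExW", "GetFileAttributesA", "SetFileAttributesW",
    "SetFileAttributesA", "SetFileAttributesExA", "CreateProcessA", "CreateProcessW",
}


def parse_pe(data):
    """Return (optional-header offset, section table) of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    sections = []
    for i in range(nsec):  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), va, max(vsize, rsize), raw))
    return opt, sections


def section_for(sections, rva):
    """Return the (name, va, size, raw) tuple whose virtual range holds rva, or None."""
    for sec in sections:
        if sec[1] <= rva < sec[1] + sec[2]:
            return sec
    return None


def rva_to_offset(sections, rva):
    sec = section_for(sections, rva)
    if sec is None:
        raise ValueError("RVA 0x%x is outside every section" % rva)
    return sec[3] + (rva - sec[1])


def exports(data, opt, sections):
    """Yield (name, rva) for each named export in the export directory."""
    exp_rva = struct.unpack_from("<I", data, opt + 96)[0]  # DataDirectory[0].VirtualAddress
    if exp_rva == 0:
        return
    d = rva_to_offset(sections, exp_rva)
    _nfuncs, nnames, funcs, names, ords = struct.unpack_from("<IIIII", data, d + 20)
    funcs, names, ords = (rva_to_offset(sections, r) for r in (funcs, names, ords))
    for i in range(nnames):
        name_off = rva_to_offset(sections, struct.unpack_from("<I", data, names + 4 * i)[0])
        ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]
        rva = struct.unpack_from("<I", data, funcs + 4 * ordinal)[0]
        yield data[name_off:data.index(b"\0", name_off)].decode(), rva


def kriz_indicators(data):
    """Return the Kriz indicators present in a PE32 image (empty list if none)."""
    opt, sections = parse_pe(data)
    found = []
    reserved = (struct.unpack_from("<I", data, opt + 52)[0],   # Win32VersionValue
                struct.unpack_from("<I", data, opt + 88)[0])   # LoaderFlags
    if KRIZ_MARKER in reserved:
        found.append("reserved optional-header field carries 0x666")
    last = sections[-1]
    if last[0] == VIRUS_SECTION:
        found.append("last section is named 'all'")
    for name, rva in exports(data, opt, sections):
        # a hooked file API whose export address now lands in the appended section
        if name in HOOKED_EXPORTS and section_for(sections, rva) == last:
            found.append("export %s resolves into the last section %r" % (name, last[0].decode()))
    return found


def build_sample(infected=True):
    """Constructed PE32 DLL with three exports; infected=True mimics a patched KERNEL32."""
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 3, 0, 0, 0, 0xE0, 0x210E)  # file header
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 52, KRIZ_MARKER if infected else 0)
    struct.pack_into("<II", img, opt + 96, 0x400, 0x100)  # export data directory
    third = VIRUS_SECTION if infected else b".data"
    for i, (name, va) in enumerate([(b".text", 0x200), (b".edata", 0x400), (third, 0x600)]):
        struct.pack_into("<8sIIII", img, opt + 0xE0 + 40 * i, name, 0x200, va, 0x200, va)
    targets = [("CreateFileA", 0x610 if infected else 0x210),      # hooked when infected
               ("CreateProcessA", 0x620 if infected else 0x220),   # hooked when infected
               ("GetTickCount", 0x230)]                             # never hooked
    struct.pack_into("<IIIII", img, 0x400 + 20, 3, 3, 0x440, 0x450, 0x460)
    for i, (name, rva) in enumerate(targets):
        struct.pack_into("<I", img, 0x440 + 4 * i, rva)
        struct.pack_into("<I", img, 0x450 + 4 * i, 0x480 + 0x10 * i)
        struct.pack_into("<H", img, 0x460 + 2 * i, i)
        img[0x480 + 0x10 * i:0x480 + 0x10 * i + len(name)] = name.encode()
    return bytes(img)


if __name__ == "__main__":
    for flag in kriz_indicators(build_sample()):
        print("infected sample:", flag)
    print("clean sample:", kriz_indicators(build_sample(infected=False)))
```

The export check is the one worth keeping in a real triage script: a clean KERNEL32 never exports a file API from its last section, so a hooked-API export resolving there is a stronger signal than the marker value, which a later variant could easily change.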
Because KERNEL32.DLL is in use while Windows runs and can only be opened read-only, the virus uses a standard trick to infect it: it copies the file under a temporary name (KRIZED.TT6, created in the Windows system directory), infects the copy, and writes a rename instruction to WININIT.INI. Windows processes WININIT.INI during the next startup, which lets the virus replace the original KERNEL32.DLL with the infected copy.
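The WININIT.INI trick leaves a trace that is cheap to check: a [rename] entry whose destination is a system module. The Python below is an added example for this page, not code from the virus or from any product. It parses the [rename] section (destination=source lines; a destination of NUL means "delete at boot") and flags entries that would replace KERNEL32.DLL or that take their source from a KRIZED.TT6-style temporary file. The INI text it scans is constructed for the example; the C:\WINDOWS\SYSTEM paths are an assumption about a typical Win9x install, while the KERNEL32.DLL target and the .TT6 name come from the page.

```python
"""Flag WININIT.INI [rename] entries that would swap in a replacement KERNEL32.DLL."""
import ntpath

# Constructed sample, not captured from an infected machine. The Win9x paths are an
# assumption; the KRIZED.TT6 name and the KERNEL32.DLL target come from the page.
SAMPLE_WININIT = """\
; written by a setup program and, on an infected machine, by the virus
[rename]
NUL=C:\\WINDOWS\\TEMP\\~setup.tmp
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\KRIZED.TT6

[other]
key=value
"""


def rename_entries(text):
    """Return (destination, source) pairs from the [rename] section, in file order."""
    entries, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dst, src = (part.strip() for part in line.split("=", 1))
            entries.append((dst, src))
    return entries


def suspicious_renames(text, protected=("kernel32.dll",), temp_exts=(".tt6",)):
    """Return (destination, source, reason) for entries that replace a protected module
    or pull from a temporary file with one of the given extensions."""
    findings = []
    for dst, src in rename_entries(text):
        if dst.upper() == "NUL":  # delete-at-boot entry, nothing is replaced
            continue
        dst_name = ntpath.basename(dst).lower()
        src_name = ntpath.basename(src).lower()
        reasons = []
        if dst_name in protected:
            reasons.append("replaces system module %s" % dst_name)
        if ntpath.splitext(src_name)[1] in temp_exts:
            reasons.append("source %s uses the Kriz temp extension" % src_name)
        if reasons:
            findings.append((dst, src, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for dst, src, why in suspicious_renames(SAMPLE_WININIT):
        print("%s <- %s: %s" % (dst, src, why))
```

Comparisons are case-insensitive because Windows file names are; `ntpath` is used so the backslash paths parse the same way on a non-Windows analysis box.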
The virus contains the "copyright" text string:
=( [c] 1999 [t] )=
as well as text strings that appear to be a message but are not used in any way:
YOU CALL IT RELIGION, YOU'RE FULL OF SHIT
YOU NEVER KNEW, YOU NEVER DID, YOU NEVER WILL
YOU'RE SO FULL OF SHIT, I DON'T WANT TO HEAR IT
ALL YOU DO IS TALK ABOUT YOURSELF
I DON'T WANNA HEAR IT, COZ I KNOW NONE OF IT'S TRUE
I'M SICK AND TIRED OF ALL YOUR GODDAMN LIES
LIES IN THE NAME OF GOD
WHEN ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT?!
I KNOW YOU'RE SO FULL OF SHIT, SO SHUT YOUR FUCKING MOUTH
YOU KEEP ON TALKING, TALKING EVERYDAY
FIRST YOU'RE TELLING STORIES, THEN YOU'RE TELLING LIES
WHEN THE FUCK ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT!!
AH, SHUT THE FUCK UP...

Kriz.3863
This version is very close to the original and differs only in additional programming tricks, a different "copyright" text string:
(c) T2 & Immortal Riot
and an improved disk-erasing routine: in addition to erasing CMOS memory, the Flash BIOS and files on logical drives, this version enumerates all available network drives and erases all files on them. While erasing files, the virus truncates them and overwrites them with the "DEAD BEEF" hexadecimal pattern (DEADBEEFh).
Kriz.4029
This version is very close to the aforementioned one (Kriz.3863). The differences: some routines have been "improved"; the destruction routine is also activated if the SoftICE debugger is installed on the system; and the "copyright" text has changed to:
T-2000 / Immortal Riot



© 2006-2008 spyware32.com