This virus contains a dangerous hard drive and CMOS overwriting procedure which can activate on December 25. The following user types are at risk:

Anyone who:
Does not run Antivirus software
Runs Antivirus software but has not updated both the engine and DAT files to current versions
Runs Antivirus software but does not use the on-access / real-time scanner

This is Windows 95/98 and NT virus that infects PE EXE files. It is also polymorphic. When an infected file is executed, this virus will stay resident in memory until the next time the system is rebooted. This virus encrypts its code, leaving only a small random decryptor. This virus will infect files as they are opened by any application while it is in memory. This will occur when a user scans files as well.

The virus also has a payload which activates when an infected file is run on December 25th. When it does it will attempt To erase the computer's CMOS information, which contains information such as date and time, and the type of hard disk the computer uses. This virus will also attempt to directly erase disk sectors. It will attempt to flash the BIOS with garbage. This only works on certain types of BIOSes. If this succeeds, the computer will not boot. This is similar to the action taken by the CIH virus. If the virus is successful the computer will not boot up, not even from a floppy disk. In some cases the virus will corrupt the file it infects and cleaning may not be possible.

This virus will infect kernel32.dll. When it does, it replaces the
original contents with its own. Because of this the file can NOT be repaired, it must be replaced.

This virus code also contains a poem that contains quite a bit of profanity. It is never displayed, nor is it used in any of the routines it runs.

Indications Of Infection Existence of file KRIZED.TT6 after executing infected file on a non-infected system.

Method Of Infection When first run on a clean machine, the virus checks KERNEL32.DLL to see if it is infected, if yes then the virus exits. If KERNEL32.DLL is not infected then the virus copies KERNEL32.DLL to WINDOWS\SYSTEM\KRIZED.TT6 and then the virus infects this local copy. The virus then creates the file WINDOWS\WININIT.INI containing the lines :

[rename]
C:\WINDOWS\SYSTEM\KERNEL32.DLL=
C:\WINDOWS\SYSTEM\KRIZED.TT6

This causes windows to replace KERNEL32.DLL with the infected copy when the system is next re-started.

In the infected copy of KERNEL32.DLL the virus hooks the following functions :

CopyFileA, CopyFileW, CreateFileA, CreateFileW, CreateProcessA, CreateProcessW, DeleteFileA, DeleteFileW, GetFileAttributesA, GetFileAttributesW, MoveFileA, MoveFileW, MoveFileExA, MoveFileExW, SetFileAttributesA, SetFileAttributesW

This causes any PE executable file that is run, copied, moved or scanned to be infected by the virus.

Removal Instructions Script,Batch,Macro and non memory-resident: Use specified engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident: Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette and use the command line scanner such as:

SCANPM C: /CLEAN /ALL

Recommended Updates:

* scriptlet.typelib/Eyedog vulnerability patch

* Malformed E-mail MIME Header vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link. Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Virus Information Discovery Date:8/16/99 Type:Virus SubType: Win32