Home Schools Links Virus List Add a School Change a Link Dead Link
Link to us Financial Aid Free E-mail Guestbook Cool Links Tell A Friend
NextCard Visa If your School has a Schools Alumni Page let us know Solve your computer needs at eBay


W32/Kriz.3862
Virus Characteristics

 
Tell A Friend
about this
Page
Tell me when
this page
is updated
Link to us
Our Sponsor

This is Windows 95/98 and NT virus that infects PE EXE files. It is also polymorphic. When an infected file is executed, this virus will stay resident in memory until the next time the system is ebooted. This virus encrypts its code, leaving only a small random decryptor. This virus will infect files as they are opened by any application while it is in memory. This will occur when a user scans files as well.

The virus also has a payload which activates when an infected file is run on December 25th. When it does it will attempt To erase the computer's CMOS information, which contains information such as date and time, and the type of hard disk the computer uses. This virus will also attempt to directly erase disk sectors. It will attempt to flash the BIOS with garbage. This only works on certain types of BIOSes. If this succeeds, the computer will not boot. This is similar to the action taken by the CIH virus. If the virus is successful the computer will not boot up, not even from a floppy disk. In some cases the virus will corrupt the file it infects and cleaning may not be possible.

This virus will infect kernel32.dll. When it does, it replaces the original contents with it owns. Because of this the file can NOT be repaired, it must be replaced.

This virus code also contains a poem that contains quite a bit of profanity. It is never displayed, nor is it used in any of the routines it runs.

Indications Of Infection

Not Available...

Method Of Infection

When first run on a clean machine, the virus checks KERNEL32.DLL to see if it is infected, if yes then the virus exits. If KERNEL32.DLL is not infected then the virus copies KERNEL32.DLL to WINDOWS\SYSTEM\KRIZED.TT6 and then the virus infects this local copy.

The virus then creates the file WINDOWS\WININIT.INI containing the lines :-

[rename]
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\ WINDOWS\SYSTEM\KRIZED.TT6
This causes windows to replace KERNEL32.DLL with the infected copy when the system is next re-started.

In the infected copy of KERNEL32.DLL the virus hooks the following functions :-

CopyFileA, CopyFileW, CreateFileA, CreateFileW, CreateProcessA,
CreateProcessW, DeleteFileA, DeleteFileW, GetFileAttributesA,
GetFileAttributesW, MoveFileA, MoveFileW, MoveFileExA, MoveFileExW, SetFileAttributesA, SetFileAttributesW

This causes any PE executable file that is run, copied, moved or scanned to be infected by the virus.

 


 

[an error occurred while processing this directive]

Gator fills out forms and remembers passwords!


Howdy!!!
Welcome to the McCann's PooR Farm
I'm not with any school or schools,
Just a disable grandpa with 17 grand kids, 1 Great grand Kid
 
Sorry! about all of the adds, Our Cost just keeping going up.
Please click on one of them and help us out. or
Send $1.00 U.S. to:
McCann's Poor Farm
20509 Lawrence 2207
Aurora, Mo. 65605-7275
Thank You,
Junior McCann
Webmaster
and the GrandKids
 
See what the experts have to say about the McCann's Poor Farm Web Page
 
Legal Disclaimer - We Are in no way connected with any School and or Companies linked to this page. Links are provided as a courtesy only.

Where Visitors Come From:

Argentina, Australia, Austria, Belarus, Belgium, Bermuda, Brazil, Brunei Darussalam, Bulgaria, Canada, Chile, Columbia, Costa Rica, Croatia, Croatia/Hrvatska, Czech Republic, Denmark, Dominican Republic, Ecuador, Egypt, Estonia, Finland, France, Germany, Ghana, Greece, Hong Kong, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Japan, Jordan, Korea, Korea, Republic of, Latvia, Lebanon, Lithuania, Luxembourg, Macedonia, Malaysia, Mexico, Moldova, Netherlands, New Calendonia, New Zealand, Norway, Old style Arpanet, Papua New Guinea, Peru, Philippines, Poland, Portugal, Romania, Russian Federation, Saudi Arabia, Singapore, Slovakia, Slovenia, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Uruguay, USA Government, USA Military, Viet Nam
Tell A Friend
about this Page
Tell me when this page
is updated

Click Here!


Home Schools Links Virus List Add a School Change a Link Dead Link
Scholarships Financial Aid Free E-mail Guestbook Cool Links Tell A Friend
Put a Link on your Web Page

- Legal Disclaimer -
This Website Is For Your Entertainment Purposes Only!
We Are in no way connected with
any School and or Companies linked to this page.
Links are provided as a courtesy only.
 
http://www.poor-farm.com/
webmaster@poor-farm.com
McCann's PooR Farm
Aurora, Mo. 65605
© 2001