It is sent as an .EXE file, spreads on Windows 32-bit systems and infects .EXE files. It also changes the area of the Windows commands.
W32.Kriz is sent as an .EXE file, spreads on Windows 32-bit systems and infects .EXE files. It also changes the area of Windows commands. It also infects KERNEL32.DLL in order to become memory resident.
When infecting an .EXE file, the virus appends its code to the end of the file. To detect the virus, you only have to scan for the string '666', which appears in the code. The virus does not infect all .EXE files and programs. It does not affect the following files:
ALERTSVC.EXE AVPM.EXE AMON.EXE AVP32.EXE N32SCANW.EXE NAVAPSVC.EXE NOD32.EXE NAVAPW32.EXE NAVWNT.EXE NAVLU32.EXE NAVRUNR.EXE NPSSVC.EXE NSCHEDNT.EXE SCAN.EXE SMSS.EXE _AVP32.EXE _AVPM.EXE NSPLUGIN.EXE
To infect KERNEL32.DLL, the virus saves a copy of this file as KRIZED.TT6 and then modifies the copy. At the next system start, the file KERNEL32.DLL is replaced with KRIZED.TT6, thanks to an entry made in WININIT.INI.
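A check for the WININIT.INI entry described above, as an added example that is not part of the original description. It assumes the Windows 9x [rename] section layout of destination=source; the sample file content and its directory paths are constructed.

```python
# Added example: flag WININIT.INI entries that match the KERNEL32.DLL
# replacement described above.
# Assumption: the Windows 9x [rename] layout, "destination=source".
# configparser is avoided because real files repeat keys such as NUL=.

SAMPLE_WININIT = """\
[rename]
NUL=C:\\WINDOWS\\TEMP\\SETUP.TMP
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\KRIZED.TT6
"""  # constructed sample, not taken from an infected machine


def basename(path):
    """Return the upper-cased file name of a DOS/Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().upper()


def pending_renames(text):
    """Yield (destination, source) pairs from the [rename] section."""
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            yield dest.strip(), src.strip()


def kriz_findings(text):
    """Return renames that replace KERNEL32.DLL or use KRIZED.TT6."""
    findings = []
    for dest, src in pending_renames(text):
        reasons = []
        if basename(dest) == "KERNEL32.DLL":
            reasons.append("pending replacement of KERNEL32.DLL")
        if basename(src) == "KRIZED.TT6":
            reasons.append("source file is KRIZED.TT6")
        if reasons:
            findings.append((dest, src, reasons))
    return findings


if __name__ == "__main__":
    for dest, src, reasons in kriz_findings(SAMPLE_WININIT):
        print(f"{src} -> {dest}: {', '.join(reasons)}")
```

A finding only shows that the replacement is queued for the next start; the KRIZED.TT6 file itself should be collected for analysis before the system is rebooted.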
The virus changes the area of Windows commands, so that these are included in the virus program code. Thus, the virus modifies 16 KERNEL32 functions.
The virus has an additional damage routine in its code: on December 25th, the CMOS memory is crashed, all BIOS files are overwritten and the Flash BIOS is crashed using the same routine as the CIH virus.
Description written by Crony Walker on Tuesday, June 15, 2004