Threat Encyclopedia


Win32/Kriz.4029

Aliases: W32.Kriz, Win32.Kriz.4029, W95.Kriz.4029

Win32/Kriz.4029 is a polymorphic, memory-resident virus that infects Portable Executable (PE) programs with the extensions EXE and SCR. The virus also attacks KERNEL32.DLL, the file containing the core of the Microsoft Windows operating system.
The virus infects a file by appending its code to the last section of the PE file. When infecting KERNEL32.DLL it uses a different method, because that file is accessible only for reading: the virus copies it to the file KRIZED.TT6 and infects the copy. During this infection the virus redirects the exports of some system functions to its own code and in this way takes control of them. By manipulating the file WININIT.INI the virus arranges for KRIZED.TT6 to be renamed to KERNEL32.DLL at the next system start. The file WININIT.INI then contains the following text:

[rename]
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KRIZED.TT6

To get itself loaded into memory on computers that have been switched on for more than three days, the virus forces a system restart.
When infecting programs the virus avoids the following files: _AVP32.EXE, _AVPCC.EXE, _AVPM.EXE, ALERTSVC.EXE, AMON.EXE, AVP32.EXE, AVPCC.EXE, AVPM.EXE, N32SCANW.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVRUNR.EXE, NAVW32.EXE, NAVWNT.EXE, NOD32.EXE, NPSSVC.EXE, NRESQ32.EXE, NSCHED32.EXE, NSCHEDNT.EXE, NSPLUGIN.EXE, SCAN.EXE and SMSS.EXE. Most of these files belong to well-known anti-virus programs.
The virus contains a dangerous payload routine. The routine is triggered on December 25th, or whenever the SoftICE debugger is detected in memory. When the routine runs, the contents of all files on all accessible local and network drives are overwritten, as are the contents of the CMOS memory. The virus also attempts to overwrite the contents of the computer's BIOS.
After the virus body is decrypted, the following English text is found at its end:
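
As an added example (not part of the ESET entry), the following Python code parses the [rename] section of a WININIT.INI file of the kind shown above and flags pending renames that would replace a file in the Windows system directory at the next boot. The sample INI content is constructed, and the function names and the SYSTEM_DIRS list are my own assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample of a WININIT.INI: the NUL line is a legitimate
# delete-on-reboot entry of the kind installers write; the second line is
# the replacement entry described in the text above.
SAMPLE_WININIT_INI = """\
[rename]
NUL=C:\\WINDOWS\\TEMP\\~SETUP01.TMP
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\KRIZED.TT6
"""

# Directories whose files should never be replaced silently (assumed list).
SYSTEM_DIRS = ("C:\\WINDOWS\\SYSTEM", "C:\\WINDOWS\\SYSTEM32")


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section.

    WININIT.INI semantics: at the next boot Windows moves <source> over
    <destination>; a destination of NUL means "delete the source".
    A hand-written parser is used because configparser would treat the
    ':' in 'C:\\...' as a key/value delimiter and fold key case.
    """
    pairs = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            pairs.append((dest, src))
    return pairs


def system_file_replacements(text):
    """Flag renames whose destination lies in a system directory.

    Legitimate setup programs use the same mechanism to update system
    files, so the result is a review list, not a verdict on its own.
    """
    flagged = []
    for dest, src in parse_rename_section(text):
        if dest.upper() == "NUL":
            continue  # deletion, not a replacement
        dest_dir = str(PureWindowsPath(dest).parent).upper()
        if dest_dir in SYSTEM_DIRS:
            flagged.append((dest, src))
    return flagged
```
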

YOU CALL IT RELIGION, YOU'RE FULL OF SHIT
YOU NEVER KNEW, YOU NEVER DID, YOU NEVER WILL
YOU'RE SO FULL OF SHIT, I DON'T WANT TO HEAR IT
ALL YOU DO IS TALK ABOUT YOURSELF
I DON'T WANNA HEAR IT, COZ I KNOW NONE OF IT'S TRUE
I'M SICK AND TIRED OF ALL YOUR GODDAMN LIES
LIES IN THE NAME OF GOD
WHEN ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT?!
I KNOW YOU'RE SO FULL OF SHIT, SO SHUT YOUR FUCKING MOUTH
YOU KEEP ON TALKING, TALKING EVERYDAY
FIRST YOU'RE TELLING STORIES, THEN YOU'RE TELLING LIES
WHEN THE FUCK ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT!!
AH, SHUT THE FUCK UP...

The virus also contains the author's signature:

T-2000 / Immortal Riot

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.