'

Dangerous Kriz virus spread by other worms

One of the most dangerous viruses is back in time for Christmas 2000, thanks in part to other worms that may have spread it throughout the year

Although the Kriz virus was first discovered in late 1999, it is believed to have infected files that other, more recent worms such as Bymer have spread across the Internet throughout the year. Therefore, several antivirus software companies are now warning users to scan their PCs in advance of its 25 December trigger date. Kriz (W32.Kriz) infects Windows 95, 98, NT and 2000 systems and carries a destructive payload similar to CIH such that Kriz will destroy files on floppy disks, hard drives, network drives, as well as the computer's BIOS. At present, Kriz ranks a 6 on the ZDNet virus meter. The Kriz virus arrives as an infected file, which may be a file copied from another computer on a network or from a floppy or sent as an attachment to an email. Kriz carries an infected copy of KERNEL32.DLL, which lives in the Windows/System folder. Kriz creates its own folder Windows/System/Krized.tt6, and adds a line to Winint.ini to look there for the infected copy of KERNEL32.DLL. The Kriz-infected copy of KERNEL32.DLL allows the virus the following functions: CopyFileA
CopyFileW
CreateFileA
CreateFileW
CreateProcessA CreateProcessW
DeleteFileA
DeleteFileW
GetFileAttributesA
GetFileAttributesW
MoveFileA
MoveFileW
MoveFileExA
MoveFileExW
SetFileAttributesA
SetFileAttributesW When Kriz is resident in memory, these functions allow any recently run executable file to become infected with Kriz. If an infected executable file is run on 25 December, Kriz will erase the computer's CMOS, which contains information such as date and time, and what type of hard disk the computer uses. It will also erase the contents of any floppy disks, hard drives, and networked drives. It will also attempt to flash the computer's BIOS with garbage. This only works on some BIOS. If it is successful, however, the computer will no longer boot and its motherboard will have to be replaced. Kriz has been around long enough that all the anti-virus software companies have detection and removal software available. For example, Symantec offers an online tool for users using Internet Explorer or Netscape. Here are the key steps for preventing Kriz: 1. Get protected. You may already be infected, so if you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these five-star programs then following the installation instructions. If you're on a network, check with your network administrator first. If you're not sure if your existing antivirus software is up-to-date, scan your system for free to find out. 2. Scan your system regularly. If you're just loading antivirus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the antivirus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses. 3. Update your antivirus software. Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat. You can also download updates from ZDNet Updates.com. 4. Download Microsoft's Outlook Security Patch. If you haven't already installed it, download the Outlook 98 Security Patch or the Outlook 2000 Security Patch (which requires the Office 2000 Service Release 1a). Please note that this patch does not include Outlook Express. Click here for help with installation, or for more information regarding this patch. 5. Remember: "Don't open attachments!" One way to prevent virus infections is not to open attachments, especially when viruses such as Kriz are being actively circulated. Even if the email is from a known source, be careful. A few viruses take the mailing lists from an infected computer and send out new messages with its destructive payload attached. Always scan the attached files first for viruses. Unless it's a file or an image you are expecting, delete it. 6. Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by bookmarking our Viruses, Bugs, Security Alerts page. Take me to the Virus Workshop Take me to ZDNet Enterprise Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum. Let the editors know what you think in the Mailroom. And read what others have said.