Aliases: Kriz, Christmas Virus
W95/Kriz.3683 is a memory-resident polymorphic virus that infects portable executables (including Windows .SCR, .EXE, and .DLL files). Windows 95/98 and Windows NT systems are affected. When first executed, the virus replaces the read-only KERNEL32.DLL with its own infected copy of the file. It does this by copying the original KERNEL32.DLL to WINDOWS\SYSTEM\KRIZED.TT6. The virus infects this copy and creates the WININIT.INI file with instructions to rename KRIZED.TT6 to KERNEL32.DLL on the next startup. Once this has been accomplished, the now-infected KERNEL32.DLL allows the virus to remain in memory throughout the Windows session. The virus then intercepts file accesses, including opens, copies, moves, and attribute changes, and infects the portable executables involved.
If any infected file is accessed on December 25th, the malicious payload is activated. CMOS memory is cleared, the drive sectors are erased, data is overwritten (including on mapped network and floppy drives), and the Flash BIOS is attacked using methods similar to the CIH virus. Not all BIOSes are affected. If the virus is successful, the computer cannot be booted from either the hard drive or the floppy.