Symantec, a worldwide leader in Internet security, has warned computer users and companies of the potential threat to data and systems being posed by a virus mutation that combines the destructive payload of the W32.Kriz virus with the highly infectious W32.hllw.bymer.worm.
Neither Kriz nor bymer is a new threat; protection has been available from Symantec since August 1999 and October 2000 respectively. It is the characteristics of the hybrid virus that are causing concern. Left unchecked, the hybrid virus will wipe out hard drives and attempt to flash the BIOS on its trigger date - Christmas Day - leaving systems inoperable.
Andre Post, a researcher at the European Symantec AntiVirus Research Centre (SARC) in The Netherlands, explains: "A hybrid can be created when a virus attacks a computer that is already infected with another virus or worm. The result is usually a combination of the worst characteristics of the 'parents.' On its own, Kriz is a slow-spreading but highly destructive virus with a payload similar to the CIH virus, and bymer is a benign worm that spreads rapidly. Added together, we have a new threat which is highly destructive and very infectious."
To combat the threat, Symantec is advising users of its Norton AntiVirus solution to download the latest virus definitions via LiveUpdate or from www.symantec.com/avcenter/download.html and to ensure that the product's AutoProtect feature is enabled. For everyone else, a free detection and repair tool is available from www.symantec.com/avcenter. The tool is a standalone executable that does not require Norton AntiVirus to be installed. It will search for Kriz and bymer infections in memory and on the hard disk and deal with them.
Earlier this year, Symantec reported a hybrid of bymer with the Funlove virus. An increase in submissions of Kriz in October, November and December, numbering more than 100 a month, made SARC researchers suspect a new hybrid. According to Post, consumers and small businesses are most likely to suffer. "Recent outbreaks like Melissa and LoveLetter have made larger companies more vigilant to the security threat and many have strengthened their Internet security defenses. Unless they take action, consumers, especially less experienced computer users, or anyone who fails to update their virus definition sets, could have a nasty Christmas surprise."
W32.Kriz Virus Characteristics
W32.Kriz is a Windows 9x/NT virus that infects Portable Executable (PE) Windows files. The virus goes resident in memory and attempts to infect any files that are opened by the user or by applications. Additionally, the virus modifies KERNEL32.DLL, a critical operating system file, which enables it to spread throughout the system. It also attempts to corrupt some PE files, which must then be replaced from known, clean backups or from the installation package.
Payload
On December 25th, the virus will attempt to flash the BIOS of the computer, preventing the computer from booting up properly and, in most cases, requiring the user to replace the hardware. The virus will also begin overwriting files on all available drives, including mapped network drives, floppy drives and RAM disks. The payload is very similar to that of the W95.CIH virus.
Symantec AntiVirus Research Center
SARC is one of the industry's largest dedicated teams of virus experts. With offices located in the United States, Japan, Australia, and the Netherlands, the sun never sets on SARC. The center's mission is to provide swift, global responses to computer virus threats, proactively research and develop technologies that eliminate such threats, and educate the public on safe computing practices. As new computer viruses appear, SARC develops identification and detection for these viruses, and provides either a repair or delete operation, thus keeping users protected against the latest virus threats.
Symantec
Symantec, a world leader in Internet security technology, provides a broad range of content and network security solutions to individuals and enterprises. The company is a leading provider of virus protection, risk management, Internet content and e-mail filtering, remote management and mobile code detection technologies to customers. Headquartered in Cupertino, Calif., Symantec has worldwide operations in more than 33 countries.

