Kriz virus waiting for holiday strike

A damaging virus that has been in the wild since 1999, called Kriz, has been patiently lurking in networks for more than a year, waiting for its big day, say anti-virus software vendors. Like Santa Claus himself, Kriz made preparations throughout the year – changing its name and forms of transmission – in order to make a grand run on Dec. 25, when the malicious code is programmed to attack.

Although W32.Kriz has a storied past, its real threat will arrive Christmas Eve, according to a number of anti-virus vendors that issued warnings on Kriz throughout Wednesday. Like many viruses, Kriz goes into a user’s computer and tries to infect executable or .EXE files. Unlike most viruses, however, Kriz waits until Christmas Day to launch its troublesome payload.

“It essentially sleeps 364 days out of the year and then wakes up on Christmas Day trying to destroy your systems,” said Patrick Martin, product manager at Symantec Corp.’s anti-virus research centre. “It can affect a machine any day of the year, and you are not going to notice a problem. You won’t know you are infected until Christmas.”

Kriz first appeared in August 1999. The program remained dormant until it made a charge on a number of users on Dec. 25 of last year, prompting many anti-virus vendors to believe users would update their virus protection between then and now. Martin, however, says that is simply not the case.

Both Symantec and McAfee – a division of Network Associates Inc. – wanted to send out a holiday warning to protect their clients from Kriz. Because the virus has been around for some time, the vendors hoped customers would have ample time to make preparations. Although it appears corporate users are more prepared to fend off Kriz, consumer end-users who are less diligent about updating their anti-virus software are likely to fall victim to Kriz yet again.

If a user does fall victim to Kriz’s evil ways, he or she can expect an especially difficult time. Kriz is a Windows 9x/NT virus that infects Portable Executable (PE) Windows files. The virus also modifies the critical operating systems file KERNEL32.DLL and threatens to damage the BIOS of PCs, preventing the machine form booting up properly. The BIOS attack, in particular, may spoil a few user’s holidays.

“It’s pretty nasty what it does in there,” said Vincent Gullotto, senior director at McAfee’s Avert (Anti-Virus Emergency Response Team) labs. “Your machine will just lock up and will not be usable.”

Although neither Symantec nor McAfee can locate the origin of Kriz, both companies noticed the code managed to find its way into more users’ systems. In some instances, Kriz attached itself to another prevalent virus, Happy99.worm. Kriz tended to be less dangerous because it could not propagate itself. After hooking onto an e-mail distributed virus such as Happy99, however, Kriz may have infiltrated more users’ machines than was previously expected.

About 4,000 cases of infection by Kriz have been reported over the past 35 to 40 days, according to McAfee, North American users account for nearly 90 per cent of the reported cases.

“We are surprised sometimes that people have not updated their software in a year,” Gullotto said, saying Kriz should have been wiped out when users prepared for Y2K.

Both Symantec and McAfee ranked Kriz as a medium threat throughout most of its history. The two vendors hope users will heed their warnings and protect themselves from the holiday surprise.

Symantec, in Cupertino, Calif., can be reached at More information about the virus is available on AVERT’s Web site at Network Associates, in Santa Clara, Calif., can be reached at