W32/Kriz.3863

Analysis

This variant has a virus body of 3863 bytes. It infects KERNEL32.DLL on Windows 9x systems. Once Windows restarts with the infected KERNEL32.DLL loaded, the virus is present in every process that maps the DLL and infects 32-bit executables that are accessed or run on the compromised system.
Because KERNEL32.DLL is in use and cannot be overwritten while Windows is running, the virus uses a file-replacing trick. It writes its modified copy of KERNEL32.DLL to the System folder under the name "KRIZED.TT6" and creates a WININIT.INI configuration file that instructs Windows to replace the clean copy of KERNEL32.DLL with KRIZED.TT6 at the next restart. Upon restart, the clean copy is replaced with the infected one. Recovery requires replacing the infected KERNEL32.DLL with a known-clean backup copy from the same Windows build; any 32-bit executables infected while the compromised DLL was loaded must also be disinfected or restored.
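As an added example, not part of the original analysis: a small triage script that parses the [rename] section of a Windows 9x WININIT.INI and flags entries that replace KERNEL32.DLL at boot or stage the KRIZED.TT6 file named above. The sample INI content, the paths in it, and the function names are constructed for illustration. The [rename] section semantics (one "destination=source" line per file, processed by WININIT.EXE before the GUI loads, with a destination of NUL meaning delete the source) are general Windows 9x behaviour and are not taken from this page.

```python
"""Triage a Windows 9x WININIT.INI for boot-time renames that swap out KERNEL32.DLL."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample WININIT.INI: one KERNEL32.DLL swap of the kind described in
# the analysis, a deletion entry, and a benign installer-style replacement.
# All paths are assumptions for illustration.
SAMPLE_WININIT_INI = """[rename]
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\KRIZED.TT6
NUL=C:\\WINDOWS\\TEMP\\SETUP.TMP
C:\\WINDOWS\\SYSTEM\\MSVCRT.DLL=C:\\WINDOWS\\TEMP\\MSVCRT.NEW
"""

# Indicators taken from the analysis above: the file the virus replaces and the
# name it stages its infected copy under.
REPLACED_DLL = "KERNEL32.DLL"
STAGED_COPY = "KRIZED.TT6"


@dataclass(frozen=True)
class RenameEntry:
    dest: str  # destination path, or NUL for a deletion
    src: str   # file that will be moved over dest (or deleted) at boot

    @property
    def is_delete(self) -> bool:
        return self.dest.upper() == "NUL"


def parse_rename_section(text: str) -> list[RenameEntry]:
    """Return the [rename] entries of a WININIT.INI in file order.

    A hand-rolled parser is used instead of configparser because configparser
    folds key case and rejects duplicate keys, both of which are legal here.
    """
    entries: list[RenameEntry] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            entries.append(RenameEntry(dest, src))
    return entries


def suspicious_entries(entries: list[RenameEntry]) -> list[RenameEntry]:
    """Flag renames that overwrite KERNEL32.DLL or move the KRIZED.TT6 staging file."""
    hits = []
    for entry in entries:
        dest_name = PureWindowsPath(entry.dest).name.upper()
        src_name = PureWindowsPath(entry.src).name.upper()
        if dest_name == REPLACED_DLL or src_name == STAGED_COPY:
            hits.append(entry)
    return hits


def triage(text: str) -> list[str]:
    """Return one finding line per suspicious entry, or an empty list if clean."""
    findings = []
    for entry in suspicious_entries(parse_rename_section(text)):
        action = "delete" if entry.is_delete else "replace"
        findings.append(f"{action}: {entry.dest} <- {entry.src}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_WININIT_INI) or ["no suspicious [rename] entries"]:
        print(finding)
```

On a live system the file to read is WININIT.INI in the Windows folder; after WININIT.EXE has processed it, it is renamed to WININIT.BAK, so check both names when the machine has already been rebooted.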

Recommended Action

Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

Product Availability
FortiClient Extreme
FortiMail Extreme
FortiSandbox Extreme
FortiWeb Extreme
Web Application Firewall Extreme
FortiIsolator Extreme
FortiDeceptor Extreme
FortiEDR

Version Updates

Date Version Detail
2019-12-03 73.52500 Sig Updated