Virus

W32/Kriz.3863

Analysis

This variant has a virus body of 3863 bytes. It infects the KERNEL32.DLL file on Windows 9x systems. When Windows restarts, the infected KERNEL32.DLL file loads and infects 32-bit files accessed or run on the now compromised system.
The virus uses a file-replacing trick to infect the KERNEL32.DLL file. It writes a modified version of KERNEL32.DLL, named "KRIZED.TT6", to the System folder and creates a WININIT.INI configuration file that replaces the clean copy of KERNEL32.DLL with this modified version. Upon Windows restart, the clean copy is replaced with the infected copy. Recovery requires replacing the modified KERNEL32.DLL with a backup copy.
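The pending replacement described above can be checked for in a WININIT.INI recovered from a suspect system. The following is an added example, not part of the original advisory: it assumes the standard WININIT.INI layout (a [rename] section of destination=source lines), and the sample paths are constructed.

```python
import ntpath

# File names taken from the description above.
PROTECTED = {"KERNEL32.DLL"}
KNOWN_DROPPED = {"KRIZED.TT6"}

def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section.

    WININIT.INI may repeat a key (for example several NUL= lines), so it is
    parsed line by line; configparser would reject the duplicate keys.
    """
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs

def suspicious_renames(text):
    """Flag entries that overwrite a protected DLL or use the dropped file name."""
    findings = []
    for dest, src in parse_rename_section(text):
        dest_name = ntpath.basename(dest).upper()
        src_name = ntpath.basename(src).upper()
        if dest_name in PROTECTED or src_name in KNOWN_DROPPED:
            findings.append((dest, src))
    return findings

# Constructed sample input (assumed paths), not taken from an infected system.
SAMPLE = """\
[rename]
NUL=C:\\WINDOWS\\TEMP\\SETUP1.TMP
NUL=C:\\WINDOWS\\TEMP\\SETUP2.TMP
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\KRIZED.TT6
"""

if __name__ == "__main__":
    for dest, src in suspicious_renames(SAMPLE):
        print(f"suspicious pending replace: {src} -> {dest}")
```

Legitimate installers also use WININIT.INI, so only entries that target KERNEL32.DLL or name KRIZED.TT6 are flagged. The same check can be run against WININIT.BAK, which Windows 9x leaves behind after processing the file at restart.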

Recommended Action

Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.