Although Kriz has a storied past, its real threat will arrive Christmas Eve, according to a number of antivirus vendors that issued warnings on Kriz throughout Wednesday. Like many viruses, Kriz goes into a user's computer and tries to infect executable or .EXE files. Unlike most viruses, however, Kriz waits until Christmas Day to launch its troublesome payload.
"It essentially sleeps 364 days out of the year and then wakes up on Christmas Day trying to destroy your systems," said Patrick Martin, product manager at Symantec's antivirus research centre. "It can affect a machine any day of the year, and you are not going to notice a problem. You won't know you are infected until Christmas."
Kriz first appeared in August 1999. The program remained dormant until it made a charge on a number of users on December. 25 of last year, prompting many antivirus vendors to believe users would update their virus protection between then and now. Martin, however, says that is simply not the case.
Both Symantec and McAfee wanted to send out a holiday warning to protect their clients from Kriz. Because the virus has been around for some time, the vendors hoped customers would have ample time to make preparations. Although it appears corporate users are more prepared to fend off Kriz, consumer end-users who are less diligent about updating their antivirus software are likely to fall victim to Kriz yet again.
If a user does fall victim to Kriz's evil ways, he or she can expect an especially difficult time. Kriz is a Windows 9x/NT virus that infects Portable Executable (PE) Windows files. The virus also modifies the critical operating systems file KERNEL32.DLL and threatens to damage the BIOS of PCs, preventing the machine from booting up properly. The BIOS attack, in particular, may spoil a few user's holidays.
"It's pretty nasty what it does in there," said Vincent Gullotto, senior director at McAfee's Avert (Anti-Virus Emergency Response Team) labs. "Your machine will just lock up and will not be usable."
Although neither Symantec nor McAfee can locate the origin of Kriz, both companies noticed the code managed to find its way into more users' systems. In some instances, Kriz attached itself to another prevalent virus, Happy99.worm. Kriz tended to be less dangerous because it could not propagate itself. After hooking onto an e-mail distributed virus such as Happy99, however, Kriz may have infiltrated more users' machines than was previously expected.
About 4000 cases of infection by Kriz have been reported over the past 35 to 40 days, according to McAfee. North American users account for nearly 90 per cent of the reported cases.
"We are surprised sometimes that people have not updated their software in a year," Gullotto said, saying Kriz should have been wiped out when users prepared for Y2K.
Both Symantec and McAfee ranked Kriz as a medium threat throughout most of its history.