W32.Kriz is a Windows 9x/NT virus that infects Portable
Executable (PE) Windows files. The virus goes resident in
memory and attempts to infect any file that is opened by the
user or by applications. If infected with this virus, the user
should verify that they have "booted clean" (from known-clean
media, so that the resident virus is not active) before
attempting to scan and repair files. The virus also modifies
KERNEL32.DLL; this file must be replaced with a known, clean
backup. In addition, the virus may corrupt some PE files,
which must then be replaced from known, clean backups (or
from the installation package).
The first time the virus is executed on a system, it creates
an infected copy of KERNEL32.DLL in the Windows system directory,
named KRIZED.TT6. If this file is found in the Windows system
directory, it should be deleted before Windows is restarted.
Otherwise, the next time Windows starts, this file is copied
over the original KERNEL32.DLL. From then on, the virus infects
other files whenever a program calls certain Windows API
functions; because KERNEL32.DLL is loaded into every Windows
process, this is what keeps the virus resident.
There are several variants of this virus, which differ in
payload and in infection method. In its payload, the 3863
variant accesses more types of drives when overwriting files.
The infection methods also differ: the 3740 variant adds a new
section named "..." to the host PE file and copies its viral
code into that newly created section, whereas the 3863 variant
simply appends its code to the end of the last section.
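The two infection shapes described above can be checked for directly in a PE file's section table. The following is an added example, not code from the original description or from any vendor tool: it parses the PE headers with the standard library only and reports a section literally named "..." (the indicator the description gives for the 3740 variant). It also applies a generic heuristic for appending infectors such as the 3863 variant, flagging an entry point that falls inside the last section; that heuristic is an assumption of this example, not something the description states, and it will also fire on legitimate single-section or packed executables, so treat it as a prompt for manual inspection rather than a verdict. The sample PE images are constructed inline and are not real infected files.

```python
"""PE section-header check for the two infection shapes described above.

Added example, not part of the original virus description: it walks the
section table of a Windows PE image and reports (a) a section literally
named "..." (the 3740 variant's added section) and (b), as a generic
heuristic for appending infectors such as the 3863 variant, an entry
point that falls inside the last section.  The sample PE images are
constructed inline; they are not real infected files.
"""
import struct
import sys

SECTION_HDR_FMT = "<8sIIIIIIHHI"       # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR_FMT = "<HHIIIHH"              # IMAGE_FILE_HEADER, 20 bytes
IMAGE_SCN_CODE_EXEC_READ = 0x60000020  # CNT_CODE | MEM_EXECUTE | MEM_READ
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data):
    """Return the entry-point RVA and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _stamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from(COFF_HDR_FMT, data, coff)
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 in both PE32 and PE32+ headers.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HDR_FMT, data,
                                    opt + opt_size + i * 40)
        name, vsize, vaddr, rawsize, rawptr = fields[:5]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "raw_ptr": rawptr,
            "characteristics": fields[9],
        })
    return {"entry_rva": entry_rva, "sections": sections}


def kriz_indicators(data):
    """List human-readable indicators found in a PE image (empty = none)."""
    pe = parse_pe(data)
    hits = []
    for sec in pe["sections"]:
        if sec["name"] == "...":
            hits.append("section named '...' (3740-style added section)")
    if pe["sections"]:
        last = pe["sections"][-1]
        lo = last["virtual_address"]
        hi = lo + max(last["virtual_size"], last["raw_size"])
        # Heuristic (assumption, not from the description): an appending
        # infector has to gain control, so look for the entry point in an
        # executable last section.  Legitimate packed files trip this too.
        if (lo <= pe["entry_rva"] < hi
                and last["characteristics"] & IMAGE_SCN_MEM_EXECUTE):
            hits.append("entry point inside last section %r "
                        "(generic appending-infector heuristic)" % last["name"])
    return hits


def build_pe(section_names, entry_rva):
    """Construct a minimal header-only PE32 image for testing (no real code)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(224)                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)     # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack(COFF_HDR_FMT, 0x14C, len(section_names), 0, 0, 0,
                       len(opt), 0x0102)      # i386, EXECUTABLE_IMAGE | 32BIT
    secs = b""
    for i, name in enumerate(section_names):
        secs += struct.pack(SECTION_HDR_FMT, name.encode().ljust(8, b"\0"),
                            0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                            0, 0, 0, 0, IMAGE_SCN_CODE_EXEC_READ)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


# Constructed samples: a clean layout, a "..." section, and a last-section
# entry point.  None of these contain viral code.
CLEAN = build_pe([".text", ".data", ".reloc"], entry_rva=0x1000)
ADDED_SECTION = build_pe([".text", ".data", "..."], entry_rva=0x3000)
APPENDED = build_pe([".text", ".data"], entry_rva=0x2000)

if __name__ == "__main__":
    samples = {"clean": CLEAN, "added-section": ADDED_SECTION,
               "appended": APPENDED}
    for path in sys.argv[1:]:             # optionally scan real files too
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for label, image in samples.items():
        print(label, "->", kriz_indicators(image) or ["no indicators"])
```

Run it with no arguments to see the three constructed samples classified, or pass PE file paths to walk their section tables. A hit on the "..." section name is a strong, specific indicator; a hit on the last-section heuristic alone only says the file deserves a closer look, and any confirmed infection still calls for a clean boot and replacement of KERNEL32.DLL as described above.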