Just a reminder to all you computer users of Win95.CIH - Chernobyl - a malicious virus which activates on April 26th

An old medium risk virus is still a common infector throughout the world

MEDINA, Ohio, April 17, 2001 - Central Command, a leading provider of PC anti-virus software and computer security services, and its partners today remind computer users of the Win95.CIH (a.k.a. Chernobyl), a malicious virus named after its author Chen Ing-Hau, which will activate on April 26th, the last Thursday of this month.

Since its discovery in 1998, the CIH virus has infected hundreds of thousands of computers in Asian countries and other parts of the world. Because of its destructive capabilities, CIH has resulted in millions of dollars in damages and data loss worldwide over the past couple of years.

"What troubles me is that detection for the CIH virus has been added nearly two years ago by a majority of the anti-virus software vendors and yet we still see CIH listed as a common infector," said Steven Sundermeier, Product Manager at Central Command Inc. "It is obvious that there is still a need for more education about virus prevention," concluded Sundermeier.

Details
Name: Win95.CIH
Aliases: Chernobyl, PE_CIH, Win32.CIH, W32/CIH.Spacefiller
Spread Method: By infecting 32bit PE EXE application files
OS: Windows 95, Windows 98
Origin: Taiwan
Risk: Medium

The virus installs itself into Windows memory and infects Portable Executable EXE files that are opened. On April 26th, the virus damages the computer by writing garbage instructions to the Flash BIOS if the motherboard and chip sets are compatible with the virus. Additionally, the virus will then overwrite the data on all installed hard drives.

MORE DETAILS OF PE_CIH (from http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_CIH&VSect=T)

This virus infects .EXE files in Windows 95/98. Once an infected file is executed, it is memory resident and looks for spaces in the target file so that it can append itself to those unused spaces. The size increase of infected files is hardly noticeable. It also hooks the IFS (Installable File System), which gives it the ability to infect any PE (Portable Executable, e.g., .EXE) type files.

Windows NT files, however, are not subject to infection (by PE_CIHV1.2) due to the use of a VXD programming technique (used when it becomes memory resident): this technique is available in Windows 95/98 only. Therefore, Windows NT systems are immune to the Chernobyl infection.

This file infector has a couple of destructive payloads that are triggered on the 26th day of a month. On the trigger day, it attempts to overwrite the system's hard disk with random data, making data recovery very difficult. It also tries to do permanent damage to the system by corrupting data stored in the Flash BIOS. Once the hard drive has been reformatted (by PE_CIHV1.2), the following message is displayed when the system is rebooted:

DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER

If the user boots the system from the A: drive and tries to change to the C: drive, another message is displayed:

“Invalid drive specification”

since the hard disk has already been overwritten with some random data.
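
An added example, not from Central Command or the quoted encyclopedia entry: a Python triage check for the "unused spaces" described above, assuming they are the file slack between each PE section's VirtualSize and SizeOfRawData. The sample image and its 0xAA filler are constructed; non-zero slack is a reason to look closer, not proof of infection.

```python
import struct

def section_slack(image: bytes):
    """Return (name, slack_len, nonzero_count) for each PE section's file slack."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect, = struct.unpack_from("<H", image, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe + 20)   # SizeOfOptionalHeader
    table = pe + 24 + opt_size                             # first section header
    out = []
    for i in range(nsect):
        name, vsize, _va, rsize, rptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        # Assumption: "unused space" = bytes stored on disk past VirtualSize.
        # Some old linkers leave VirtualSize at 0; slack is not computable then.
        end = min(rptr + rsize, len(image))
        slack = image[rptr + vsize:end] if 0 < vsize < rsize else b""
        nonzero = len(slack) - slack.count(0)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"),
                    len(slack), nonzero))
    return out

def build_sample(slack_fill: bytes) -> bytes:
    """Constructed, non-loadable PE skeleton: one .text section with
    0x200 bytes on disk, of which 0x120 are declared as used."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x120, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (dos + coff + sect).ljust(0x200, b"\0")
    body = b"\x90" * 0x120 + slack_fill.ljust(0xE0, b"\0")
    return header + body

if __name__ == "__main__":
    # "filled" uses 0xAA bytes as a constructed stand-in for foreign data.
    for label, fill in (("clean", b""), ("filled", b"\xAA" * 0x80)):
        for name, size, nonzero in section_slack(build_sample(fill)):
            print(f"{label}: {name} slack={size} nonzero={nonzero}")
```

Because this style of infection leaves the file length unchanged, comparing file sizes will not reveal it; comparing per-section slack against a known-good copy of the same binary is the more useful baseline.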