CIH Virus

Name: CIH

Type: Portable-executable Infector

Description:

CIH, which first surfaced in late June 1998, is capable of overwriting MBRs, making all the data on hard disks inaccessible. The flash memory chips of some systems are also vulnerable to attack, potentially causing unrecoverable damage. The virus is a Windows 95/98 portable-executable file infector that hides within these files, waiting to infect additional files as they are executed. In general, infected files work correctly, giving no clue that the system is infected. There are a number of Windows 95/98 files which cannot be repaired upon disinfection, due to the mechanism by which the virus inserts itself into the files. Windows NT systems may store infected files, though the NT systems themselves cannot be damaged by the virus. The virus has two payloads. One is erasing or damaging the flash memory and/or flash BIOS of some machines. The other is overwriting the MBR and boot sector. The virus acts at the file system level, allowing it to bypass standard BIOS virus protection. Three versions of the virus are known, which are very closely related. They differ in length, in the text strings inside the virus code, and in trigger dates:

Virus Name        Trigger date          Found In-The-Wild
CIH 1.2 TTIT      April 26th            YES
CIH 1.3 TTIT      April 26th            NO
CIH 1.4 TATUNG    26th of any month     YES

IMPORTANT: Anyone running Microsoft Windows 95 or Windows 98 should heed this notice.

This June, a new virus called Win32/CIH (or PE_CIH) first appeared, and it was discovered on campus machines in July. The virus infects Windows 95 and Windows 98 executable files (PE format), but NOT files on Windows NT or any Macintosh computer.

Win32/CIH viruses can split up the body of the virus code and place it within unused parts of the infected file. The viruses contain highly destructive code, which triggers on the 26th of each month, when the virus code attempts to overwrite the flash-BIOS in infected machines. If the flash-BIOS is write-enabled (and most modern computers have a writable flash-BIOS), the overwriting renders the machine UNUSABLE because it will no longer boot. Any hardware damage caused by the virus is not covered under manufacturers' warranties. At the same time, the disk partition information is destroyed.
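As an added illustration (not part of the original page, and not a CIH signature), the following heuristic parses a PE section table and flags sections whose on-disk slack past VirtualSize is not zero padding, or whose entry point lies inside that slack, which is the kind of "unused part of the file" a cavity infector occupies. The two sample images are constructed inline by a small test-only builder; they are not loadable programs and contain no malware.

```python
import struct

def parse_pe_sections(data: bytes):
    """Return (entry_rva, [(name, vaddr, vsize, raw_ptr, raw_size), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]     # COFF SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", data, pe_off + 40)[0]    # AddressOfEntryPoint
    table = pe_off + 24 + opt_size                                 # first 40-byte section header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), vaddr, vsize, rptr, rsize))
    return entry_rva, sections

def slack_anomalies(data: bytes):
    """Flag sections whose on-disk tail past VirtualSize is not zero padding, or holds the entry point."""
    entry, sections = parse_pe_sections(data)
    findings = []
    for name, vaddr, vsize, rptr, rsize in sections:
        tail = data[rptr + vsize:rptr + rsize]                     # empty when there is no slack
        nonzero = sum(1 for b in tail if b)
        entry_in_slack = vaddr + vsize <= entry < vaddr + rsize
        if nonzero or entry_in_slack:
            findings.append({"section": name, "slack_bytes": len(tail),
                             "nonzero_bytes": nonzero, "entry_in_slack": entry_in_slack})
    return findings

def build_pe(sections, entry_rva):
    """Test helper: assemble a minimal, non-loadable PE image; raw bytes beyond vsize become slack."""
    opt_size = 0xE0
    raw_ptr = 0x40 + 4 + 20 + opt_size + 40 * len(sections)       # raw data follows the headers
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    opt[0:2] = struct.pack("<H", 0x10B)                            # PE32 magic
    opt[16:20] = struct.pack("<I", entry_rva)
    table, body = b"", b""
    for name, vaddr, vsize, raw in sections:
        table += struct.pack("<8sIIII", name, vsize, vaddr, len(raw), raw_ptr) + b"\0" * 16
        body += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + body

# Constructed samples: zero-filled slack (clean) vs. slack holding bytes with the entry point in it.
CLEAN = build_pe([(b".text", 0x1000, 0x100, b"\xC3" * 0x100 + b"\0" * 0x100)], 0x1000)
SUSPECT = build_pe([(b".text", 0x1000, 0x100, b"\xC3" * 0x100 + b"\x90" * 0x80 + b"\0" * 0x80)], 0x1100)
```

Non-zero slack also occurs in benign files (linker residue, overlays), so treat a hit as a reason to compare against a known-good copy or run a scanner, not as proof of infection.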

In July, the Win32/CIH virus was triggered in a test using a Windows 95 system. After the computer's date rolled over to 26 July, all disk partitioning information was lost, leaving the system unbootable and the data unrecoverable. No known tools are available to help save lost work, but analysts are searching.

The virus was discovered on computers in several campus labs, including the Windows 95 systems in the Student Microcomputer Facility. If you used a diskette on one of these systems and then used it elsewhere, you may have spread the virus. Of course, it is always possible that you picked up the virus elsewhere. Testing your system may be prudent.

What Can You Do?

If you are not using a virus-protection package, you should acquire one as soon as possible. In the meantime, you should shut your system down on the 25th of each month and not use it again until the 27th. This can be a very devastating virus and ALL precautions should be taken to avoid it. Do NOT turn on an untested machine any time during the 26th of any month.

- Dz -