Notice: This mailing list archive has been frozen since May 2001, i.e. it will stay online but will not be updated.
Win95.CIH Virus
- From: Willem-Jan Markerink <w.j.markerink@xxxxx>
- Subject: Win95.CIH Virus
- Date: Sat, 24 Apr 1999 23:09:10 +0000
BE WARNED!
From:
http://www.pspl.com/download/cleancih.htm
(where also a virus-scanner/removal tool can be found)
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Information about the Win95.CIH Virus:
Win95.CIH (Also known as CIH, Spacefiller, Win32.CIH) is a new virus
that infects 32-bit Windows 95, Windows 98 and Windows NT executable
files having the .EXE extension. When an infected program is run in a
Windows 95 or Windows 98 computer, it infects the computer and
becomes memory resident. The infected program will not work properly
on a Windows NT computer. Once the virus becomes memory resident, it
infects all the 32-bit EXE files opened. So the virus spreads to all
files executed and also copied. The size of the virus code is quite
small and it is about 1000 bytes. The virus will not increase the
size of the infected file. It uses a unique method to copy its code
to the infected file. It fills up the unused space available in the
32-bit EXE file (PE format) with its code. If the virus can not find
a single continuous large enough empty space to copy itself, it will
slice itself up to many pieces and place them in the smaller empty
slots. This virus is also known as Win95.Spacefiller for this
behavior. The virus alters the header entry point to the beginning of
the virus code and builds the broken up parts to one piece of code
when the EXE file is run. The virus code contains the text "CIH", so
it gets this name.

Win95.CIH virus has a dangerous payload that will trigger on the
26th of April or any month, depending upon the variant of the virus
strain. This virus can damage the contents of the BIOS flash memory
chip. Most of the new computers sold (80486 and later CPUs) have
their BIOS programmed into the flash memory chips. Win95.CIH writes
garbage to the flash memory chip if the chip is write-enabled. Many
PC manufacturers leave the flash memory chip write-enabled. If this
happens the computer will become unusable until the contents of the
chip are restored or the motherboard is replaced. After damaging the
BIOS the virus also makes the data in all the hard disks unreadable.
Win95.CIH bypasses all types of BIOS protection mechanisms to do its
destructive job. Because of these characteristics this is surely one
of the most damaging viruses.
--
Bye,
Willem-Jan Markerink
The desire to understand
is sometimes far less intelligent than
the inability to understand
<w.j.markerink@xxxxx>
[note: 'a-one' & 'en-el'!]
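
A defender-side check for the behaviour the quoted description covers (code placed in unused space of a PE file, entry point redirected to it), added here as an example and not part of the original message or of the removal tool it links to. `entry_point_report` and `build_sample` are hypothetical names, the sample header is constructed, and the rule is a generic heuristic, not a CIH signature.

```python
import struct

def entry_point_report(data):
    """Locate the entry point and measure per-section slack in raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint
    table = pe + 24 + opt_size                               # section table
    where, slack, first_va = "unmapped", {}, None
    for i in range(nsec):
        name, vsize, va, rsize, _ = struct.unpack_from("<8s4I", data, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        slack[name] = max(rsize - vsize, 0)   # file bytes past the section's used size
        first_va = va if first_va is None else min(first_va, va)
        if va <= entry < va + vsize:
            where = name                      # inside the section's declared contents
        elif va + vsize <= entry < va + rsize:
            where = name + " (slack)"         # inside the padding after them
    if entry == 0:
        where = "none"                        # no entry point, e.g. a resource-only DLL
    elif first_va is not None and entry < first_va:
        where = "headers"                     # before the first section
    suspicious = where in ("headers", "unmapped") or where.endswith("(slack)")
    return {"entry_rva": entry, "location": where,
            "slack": slack, "suspicious": suspicious}

def build_sample(entry_rva):
    """Constructed one-section PE32 header image (headers only, no code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    # .text: VirtualSize 0x180, RVA 0x1000, SizeOfRawData 0x200, raw offset 0x200
    sec = struct.pack("<8s4I16x", b".text", 0x180, 0x1000, 0x200, 0x200)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec

if __name__ == "__main__":
    for rva in (0x1010, 0x11A0, 0x2E0):
        print(hex(rva), entry_point_report(build_sample(rva)))
```

An infector that also enlarges a section's VirtualSize to cover the space it used will not show up as slack, so a hit here is a reason to inspect the file, not a verdict.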