Subject: WARNING - VIRUS ALERT No.43
Date: Monday 24th. April 2000 16:32:10 GMT
April 26th - CIH virus day - is approaching FAST !
Last year, April 26 was a sad day for millions of people when their computer crashed, taking some valuable data with it. The cause for this mayhem was a Virus called CIH, and also known as 'Chernobyl'. This year the virus is expected to strike again, at the same date: April 26th.
April 26th is approaching - CIH virus day. Despite the warnings, many systems all over the Internet were hit by the virus. Before going on the holiday vacation, run an anti virus on your machine to check for the existence of this virus. The payload is catastrophic, and causes loss of data, as well as damage to the BIOS that makes the computer unbootable.
Summary
CIH is a Windows '95/98 virus that has spread worldwide. The virus spreads quietly, and attacks on April 26th (another version of this virus attacks on the 26th of every month). The virus is considered fairly destructive as it wipes the contents of the Hard Drives and Flash BIOS.
Details
The CIH Virus is a Windows '95/98 (it does not work on Windows 3.11,
Windows NT or DOS). It was first posted on a conference site in Taiwan,
and quickly spread around the world. The virus is 1k in size, and it infects
EXE files as they are opened by the operating system.
The size of the infected file does not change, due to clever design
of the virus - the virus looks for empty "space" in the EXE file (portable
executable files are composed of sections with a fixed size. Since the
code is written in blocks, there are usually empty spaces in the end of
each such section to "align" the section to the correct size).
When the executable is ran, the virus loads itself into memory, and cleverly jumps from Ring 3 (a logical "ring" where standard applications are executed) to Ring 0 (a logical place where the privileged operating system code runs). This enables it to hook the file open routines.
When the virus is triggered it erases all data on all the hard drives in the system, using direct writing functions (this bypasses the BIOS "virus protection" setting that protects the boot sector and master boot record). After erasing the drives, the virus tries to programmatically overwrite the Flash BIOS memory - this is possible in most modern motherboards.
The result of this attack is an inoperable computer with all its data gone !
There are two main versions of this Virus that were found "in the wild". The first version called CIH 1.2 - attacks on April 26th. The second version, called CIH 1.4 (sometimes referred to as TATUNG) attacks on the 26th of every month.
Most recent anti virus applications detect and remove CIH. Central Command Inc. offers a special version of AntiViral Toolkit Pro called AVPLite, that detects and cleans CIH.
To use it, download the toolkit from: ftp://ftp.avp.com/pub/nocih/nocih.exe
(CIH will not infect this file). Then,
Insert a blank diskette into your floppy drive and type:
Nocih.exe a: (where a: is the floppy drive).
Now, make the diskette bootable by typing:
sys a:
Then, copy the file HIMEM.SYS to the floppy by typing:
copy c:\windows\himem.sys a:
Now write-protect the diskette, power down the machine and power it up
again with the diskette in the floppy drive to scan for the virus.
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advise
and in the "name" field they find 'FAILED' and a 6 or 8 digit figure
after it, should be advised that at least once, emails to that address
have been received back by us. As the list of subscribers now exceeds 100,000, and since this
is a free service, we kindly urge you to become a registered
subscriber to this service and ensure delivery by subscribing under
a reliable email address. WE REGRET THAT AS AFTER THIS ISSUE,
ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5)THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises
Ltd.
SEE PREVIOUS
VIRUS ALERT
RETURN TO VIRUS ALERT
MAIN INDEX
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
