PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Subject:
From: Frank Suszka <[log in to unmask]>
Reply To: PCBUILD - Personal Computer Hardware discussion List <[log in to unmask]>
Date: Tue, 27 Apr 1999 20:56:39 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (147 lines)
Dear Group:
This "CIH Virus" has been around since last year. This is nothing new.
Symantec (Norton AntiVirus) has a free program to check for the little
bug. I subscribe to the Norton AntiVirus Support Now news bulletin and I am
kept up to date on most of what goes on.

I will have to cut and paste the newsletter for our group. The other
site deals with the problem as well and you can get there from here.

http://www.cert.org/incident_notes/in-99-03.html

As for the Symantec News Letter, I will cut and paste. (sigh) I will try
to edit out the commercials if they don't pertain directly to the cure.

1.0 THE REAL SCOOP ON THE W95.CIH (Chernobyl) VIRUS

This is an update on the W95.CIH virus, and the amount of news media
coverage the virus is generating. This virus is also known as PE_CIH,
WIN95:CIH 1.x, Win95.CIH, Win32/CIH, Win32.Cih, W95/CIH.1003,
Chernobyl or the W32.CIH.Spacefiller virus.

This is not a new virus, but rather an old virus.

------------------------------------------------- Commercial deleted -------------------------------------------------

This virus was discovered around June 1998 in Taiwan. One variant
delivers a very destructive payload on April 26th, which is the
anniversary of the Chernobyl disaster. Others deliver the payload on the
26th of any month. The virus may format your hard disk and may also
corrupt your BIOS on certain machines with a certain type of BIOS.

This is not a Microsoft Word macro virus. The CIH virus is spread in
Windows 95 executable files (files with the .EXE extension). When an
infected program is run, the virus becomes memory resident and
subsequently infects other programs when they are executed or copied.

Symantec's AntiVirus Research Center considers the W95.CIH virus to be
in "the wild". However, if you are using virus definitions newer than
June 1998, you are FULLY PROTECTED from this virus.

Consider the following: (Interesting factoid)
- Symantec's Norton AntiVirus has long detected and repaired
systems against this virus under the name of W95.CIH.
- Many corporations and retail users updated their virus definitions
during the Melissa incident, which also would have protected their
machines against the Chernobyl virus.
- This virus only infects Windows programs.
- It is much less common to share Windows programs than it is to share a
document containing a macro virus.

1.1 INFORMATION ABOUT W95.CIH
W95.CIH is a virus that infects Windows 95 executables (files with .EXE
extension). When an infected program is run, the virus loads into
memory. W95.CIH then infects new files when they are opened (for
instance when they are run or copied). This means that an infected
system must be rebooted from a clean system disk before scanning with
NAV or any antivirus product. If you don't boot from a clean floppy
diskette, the virus will infect every file that the antivirus software
scans.

Infected files are the same size as the original files, due to W95.CIH's
unique mode of infection, which is as follows:
1. It looks for empty, unused spaces in the file.
2. It breaks itself up into smaller pieces.
3. It hides in these unused spaces.

NAV can repair an infected file by looking for these virus pieces and
removing them from the file.


1.2 IF YOUR SYSTEM IS ALREADY INFECTED: USING THE KILL_CIH TOOL
If your system is already infected or you would like to inoculate your
system from being infected with the Chernobyl virus, you can
download the KILL_CIH tool at this web address:

http://www.sarc.com/avcenter/kill_cih.html

The KILL_CIH tool safely detects and removes all known strains (as of
August 3rd, 1998) of the W95.CIH (Chernobyl) virus from memory under
Windows 95 and Windows 98. If you run this tool before the virus infects
your system, the tool will "inoculate" the computer's memory to prevent
the W95.CIH virus from infecting your system until the next system
reboot.

NOTE:
If you are already infected with the W95.CIH virus, run the KILL_CIH
tool first before you try to update your antivirus definitions or scan
your system.

If you try to scan with an antivirus product without first running this
tool, you run the risk of spreading the infection. Once you have used
this tool, you can safely update your Norton AntiVirus definitions and
scan your machine.

NOTE:
The KILL_CIH tool will not detect or remove the W95.CIH virus from
files. It will disable the virus in memory so an antivirus program can
remove the infection without inadvertently spreading the virus. You can
obtain a freeware version of Norton AntiVirus to detect and remove the
virus from files on the Symantec web site at:

http://www.symantec.com/nav/navc.html

You can run the CIH removal tool from either the DOS command line or
from a login script, which enables a network administrator to automate
the disinfection process. This means that an administrator does not have
to go to each workstation on a network and reboot from a clean floppy in
order to clean the computer.

After using this tool, you should update your virus definitions and
start a complete scan of the computer with an antivirus program such as
Norton AntiVirus. This will eliminate the virus and repair any damaged
files.

The tool avoids infection by the virus and can safely be run without
becoming infected, even if the virus is resident on a computer.

1.3 Recovering when the payload has been delivered

The virus can do two things when it executes on the 26th of the month:

1. It can overwrite critical data areas in the first 2048 sectors of
your hard disk. When that happens, you will see a "non-system disk"
message when the system boots from the hard drive or an "invalid media"
message when you try to boot from a system floppy disk or a rescue disk.

I hope this information will help those in need and inform those who
want to know.

Sincerely,

Frank Suszka
[log in to unmask]
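The spacefiller infection described in section 1.1 (the virus split into pieces and hidden in the unused alignment padding of an executable's sections, so the file size does not change) is something a defender can check for directly. The Python below is an added example, not code from the original post or from Symantec: it parses the PE section table and flags any section whose padding between the end of its real data and the end of its raw block is not all zeros. The minimal PE builder and the two sample files are constructed here purely so the check can be run offline.

```python
import struct

COFF = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ... (40 bytes)

def parse_sections(pe: bytes):
    """Return (name, VirtualSize, SizeOfRawData, PointerToRawData) for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF, pe, coff)
    table = coff + struct.calcsize(COFF) + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _, rawsize, rawptr, *_ = struct.unpack_from(SECTION, pe, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii"), vsize, rawsize, rawptr))
    return out

def slack_report(pe: bytes):
    """Map section name -> (slack bytes, non-zero slack bytes); slack = padding after VirtualSize up to SizeOfRawData."""
    report = {}
    for name, vsize, rawsize, rawptr in parse_sections(pe):
        pad = pe[rawptr + vsize:rawptr + rawsize] if rawsize > vsize else b""
        report[name] = (len(pad), sum(1 for b in pad if b))
    return report

def suspicious_sections(pe: bytes):
    """Sections whose alignment padding is not all zeros: the spacefiller tell-tale."""
    return [n for n, (_, nonzero) in slack_report(pe).items() if nonzero]

def build_sample_pe(sections, align=0x200):
    """Constructed minimal PE (no optional header), for the samples only: list of (name, data, bytes planted in padding)."""
    e_lfanew, nsec = 0x40, len(sections)
    first_raw = -(-(e_lfanew + 4 + 20 + 40 * nsec) // align) * align
    table, body, ptr = b"", b"", first_raw
    for name, data, planted in sections:
        raw = -(-len(data) // align) * align               # raw block rounded up to file alignment
        table += struct.pack(SECTION, name, len(data), ptr, raw, ptr, 0, 0, 0, 0, 0x60000020)
        body += (data + planted).ljust(raw, b"\0")         # real data, then whatever sits in the padding
        ptr += raw
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    head += b"PE\0\0" + struct.pack(COFF, 0x14C, nsec, 0, 0, 0, 0, 0x102) + table
    return head.ljust(first_raw, b"\0") + body

# Constructed samples: a clean file, and one with 40 non-zero bytes hidden in .text's padding.
CLEAN = build_sample_pe([(b".text", b"\xC3" * 100, b""), (b".data", b"A" * 16, b"")])
DIRTY = build_sample_pe([(b".text", b"\xC3" * 100, b"\xAA" * 40), (b".data", b"A" * 16, b"")])
```

Both samples are the same size, as the newsletter says infected files are; only the padding contents differ, which is why a pure size check cannot catch this class of infection.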
