CIH (Chernobyl)

The Virus Bulletin - The leaders in virus information.

The following info has been collected from various sources and may not credit the authors.
Please email us if you authored information here and would like it removed or acknowledged.

Flash in the Pan?

Richard Wang
Sophos Plc

[References to other CIH-related material are listed at the end of this article. Ed.]

Since the introduction of flash BIOS technology in desktop PCs, the possibility of a malicious attack on the BIOS has been
recognized within the computer security industry. The first virus to succeed in targeting a PC this way is now known to be in the
wild and spreading across the globe.

In June of this year, a file received from a customer was found to be infected with a new Portable Executable (PE) infector.
Called CIH, it works under Windows 9x and at least four variants are now known. These are internally labelled `v1.2', and
`v1.4' with two self-identified as `v1.3'. Although Windows NT also uses PE files, CIH uses mechanisms which do not work
under NT.

The variants have identical payloads, and differ by only a few bytes. There are also different trigger dates - 26 April, 26 June
and the 26th of any month. Once the virus had been identified, it was found to be widespread in Taiwan, where it is believed to
have originated, and in the wild in several other countries. [Confirmed reports have been received from Australia, Chile,
France, Germany, Korea, Norway, Russia, the UK and the US. Ed.]

Initially, CIH attracted attention because it used a new file infection mechanism - the fragmented cavity attack. However, it
quickly became apparent that the potential threat posed by its payload made it of more than just technical interest. The payload
was thought to consist of a routine to write garbage to each hard disk but, just days before the 26 June trigger date of two of
the variants, the full extent of the payload started to become clear.

Any machine using one of several popular Pentium chipsets and a flash BIOS chip from one of at least two different
manufacturers is vulnerable to the attack on the BIOS itself. In vulnerable machines, a small but critical section of the BIOS is
overwritten by CIH, leaving the PC unbootable.

This was no longer a run-of-the-mill disk-trasher!

Payload

Although the technical details of CIH's infection mechanism are intriguing for the virus researcher, its payload is what sets it
apart from other viruses. The payload consists of two parts, both of which are triggered when the right conditions are met. As
the payload is part of the infection mechanism, it is not triggered until the virus is resident in memory. The trigger condition is
met when a file which has an EXE extension, but which is not a suitable host, is opened on the trigger date.

The second part of the payload is common. It overwrites the first 2048 sectors (1MB) of each hard disk in the system with
random data from memory. Anything overwritten in such a manner will be difficult or impossible to recover. The virus looks for
further disks indefinitely and the machine - despite running the hard disk continuously - is unresponsive to user input.

The first part of the payload code to trigger is what has given CIH the world's sudden attention. Flash ROM technology has
existed for several years. Having the BIOS `flashable', by storing it in such a chip, has allowed the basic bootstrap procedure
and I/O routines of the PC to be rewritten by software. Earlier EPROM technologies allowed reprogramming the BIOS, but
required the chip to be removed, erased under ultraviolet light and reprogrammed in dedicated hardware.

Flash ROM technology meant that BIOS upgrades and bug-fixes could be implemented more cheaply and easily - in fact, by
the user - rather than requiring special skills and equipment. The dangers of allowing software to rewrite critical sections of a
machine's internal bootstrapping code have been discussed (Jakub Kaminski, VB'95 Conference Proceedings), but until now,
no virus was known to have exploited this successfully to cause damage.

The most likely reason for the previous lack of such a payload is the complexity of the task. A detailed knowledge of both the
motherboard chipset and the BIOS Flash ROM itself is required in order to write directly, and successfully, to the BIOS. The
Flash ROM used to store the BIOS will normally have a built-in mechanism to prevent accidental writes to it by electrical
`noise' during power up or down, or through instabilities in the power supply.

Thus to write directly to the BIOS, a program must gain write access to the Flash ROM via the motherboard chipset and then
disable the chip's own protection. The information needed to do this is readily available from the chip manufacturers. To be
able to rewrite Flash ROM, a programming voltage, or Vpp, typically of 5V or 12V is also necessary. This voltage is often set
by a jumper on the motherboard. However, in order to facilitate BIOS upgrades, many machines are shipped with the write
voltage enabled, leaving the BIOS vulnerable.

The routine CIH uses to gain direct access to the BIOS chip is known to work with the Intel 430TX chipset, but it is likely it
works with most, if not all, Pentium chipsets. Some late-model 486 chipsets may also be vulnerable. The programming
sequences sent to the BIOS itself allow writing to work for at least two ROMs from different manufacturers. The damage is
done by writing one byte to the BIOS boot block - the area containing code for initial hardware tests and bootstrapping the
machine.

Unlike most RAM, Flash ROMs cannot be written to in arbitrary-sized chunks. Many ROMs have page sizes of 128 bytes for
their boot blocks. Thus, although CIH only writes a single byte, the 127 bytes surrounding it are reset to FFh. When the
machine next boots, the initial BIOS boot block will contain invalid code. This effectively kills the machine until a new BIOS is
installed. In cases where the chip is soldered onto the motherboard, rather than plugged in a socket, a change of motherboard
will probably be required.

Infection Mechanism

PE files are executables used by Windows 9x and Windows NT. A PE file consists of a DOS executable, usually just a stub
that indicates the program should be run under Windows, a PE header section and several data objects. These objects can
contain executable code, information on imported and exported functions, data or relocation information. Each object following
the PE header must be aligned within the file to start on a boundary that is an even power of two, between 512 bytes and
64KB.

Any difference between the length of useful code or data in an object and the chosen section alignment is normally padded
with nulls by the linker. Information on the alignment of the objects and the size of each object is stored in the PE header
and in a series of object tables just after the header. Typical PE files contain five or six objects, all of which have some
space that is effectively wasted. It is in these areas that CIH stores its code, thus infecting a file without increasing its
length.

Cavity infectors, which seek a `hole' within a file large enough to hold the entire virus, are not new - in fact Lehigh, one of
the first file infectors, used exactly this technique. However, the approach CIH takes means a greater number of files are
potentially infectible.

CIH breaks its code into chunks that it uses to fill `slack space' at the end of the sections in its hosts. It checks for files
with insufficient slack space, refusing to infect them. However, this is unlikely, since all known variants are just under 1KB
long and most PEs will have at least that much free space. A peculiarity of the Borland linker means files produced by it are
uninfectible.

When infecting a file, CIH builds a table of data about the length and location of its code fragments. This, and the minimal
code to allocate memory for itself and to piece its code fragments back together, is stored between the PE header and the
first object of the host. If there is insufficient space in the header to take this crucial data and code, the file is also
deemed uninfectible.


Running an Infected Executable

Executing an infected file on an uninfected machine causes the virus to hook Int03h via the interrupt descriptor table and install
its own interrupt handler. This makes debugging more difficult and allows the virus to run code at ring zero (with CPU
supervisor privileges). It then calls the hooked interrupt and checks the value in Debug Register 0 (DR0). CIH assumes it is
already resident if this is non-zero, transferring control back to its host program.

Otherwise, it places a non-zero value in DR0 and allocates memory in the VxD area, in which to reassemble itself. The use of
debug registers for data storage (DR1 is also used during file infection) seems to be an attempt to further complicate tracing
and analysis. As some debuggers use DR0 and DR1, tracing CIH with them will result in a misleading view of how the virus
works. After allocating memory, the virus pieces its own code back together from the data in its fragment table. Once
reassembled, CIH calls its own Int03h handler again and, using the accompanying privilege level, installs a hook trapping calls
to the file system. Control is then returned to the host program.

Protected mode interrupts are allocated a CPU privilege level at which their code runs. For Int03h this is usually ring zero. The
pointer to the interrupt handler can, however, be altered from ring three, thus CIH can gain ring zero access to the file system
from an infected user application.

CIH sits in the file system API chain waiting for EXE files to be opened. On receiving such a call, it checks whether the file is a
PE that is not already infected. Files with a non-zero value in the byte immediately before the PE signature are considered
infected. The virus itself writes the first byte from the Ring0_FileIO routine into this location when infecting files. This is usually
55h (`U') - the PUSH EBP opcode. When a potential target is found, its header and object table are processed to determine
how much of the virus can be placed at the end of each object. There is no lower limit to the code fragment size CIH will place
at the end of each object. In testing, it readily inserted a one-byte fragment into a specially modified PE, using eight bytes of its
fragment table space to record the fact!

However, there must be sufficient space between the header and the first object to hold all of the code necessary to
reassemble the virus, allocate memory and install the file system hook. PE files with insufficient space are marked as infected -
presumably to save reprocessing the header in future - but otherwise left unmodified. If there is space in the file, the virus code
sections and an amended PE header are written and the file system call passed on.
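To make the slack-space layout and the infection marker concrete, here is an added example (written for this page, not Sophos's or Virus Bulletin's code) that parses a PE image in memory and flags the three symptoms described in the Infection Mechanism section and above: non-null bytes in a section's alignment slack, non-null bytes in the gap between the section table and the first section, and a non-zero byte immediately before the PE signature. The images it scans are constructed inside the script by the helper build_pe (a minimal synthetic PE32 layout, not a loadable program, with arbitrary filler bytes rather than virus code); a file alignment of 512 and a 224-byte optional header are assumed.

```python
import struct

FILE_ALIGN = 0x200      # assumed file alignment; section raw data is padded to it
OPT_HDR_SIZE = 224      # size of a standard PE32 optional header


def scan_pe(data):
    """Scan one PE image held in memory; return a dict of findings.

    These are heuristics, not verdicts: some linkers and debug tools leave
    non-null bytes in slack too, so a hit means 'look closer', and an
    up-to-date scanner remains the real check."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b'PE\0\0':
        raise ValueError('PE signature not found')
    coff = pe_off + 4                                       # COFF file header
    nsect = struct.unpack_from('<H', data, coff + 2)[0]
    opt_size = struct.unpack_from('<H', data, coff + 16)[0]
    size_of_headers = struct.unpack_from('<I', data, coff + 20 + 60)[0]
    sect_table = coff + 20 + opt_size
    findings = {
        # CIH marks a file by writing a non-zero byte (usually 55h) here
        'marker_before_pe': data[pe_off - 1] != 0,
        'header_gap_dirty': False,
        'dirty_sections': [],
    }
    first_raw = None
    for i in range(nsect):
        sh = sect_table + 40 * i
        name = data[sh:sh + 8].rstrip(b'\0').decode('ascii', 'replace')
        vsize, _va, raw_size, raw_ptr = struct.unpack_from('<IIII', data, sh + 8)
        if raw_size == 0:
            continue
        first_raw = raw_ptr if first_raw is None else min(first_raw, raw_ptr)
        # Slack is the file-aligned tail past the section's real content;
        # the linker pads it with nulls, so anything else is foreign.
        if vsize < raw_size:
            slack = data[raw_ptr + vsize:raw_ptr + raw_size]
            if any(slack):
                findings['dirty_sections'].append((name, raw_size - vsize))
    # The space between the section table and the first section's raw data
    # is where CIH keeps its fragment table and reassembly stub.
    gap_start = sect_table + 40 * nsect
    gap_end = first_raw if first_raw is not None else size_of_headers
    findings['header_gap_dirty'] = any(data[gap_start:gap_end])
    return findings


def build_pe(sections, header_gap=b'', marker=0):
    """Assemble a minimal synthetic PE32 image (demo layout only, not loadable).

    sections: list of (name, content, slack); 'slack' is what fills the
    padding after 'content' up to FILE_ALIGN, the rest being nulls."""
    pe_off, nsect = 0x80, len(sections)
    sect_table = pe_off + 4 + 20 + OPT_HDR_SIZE
    size_of_headers = -(-(sect_table + 40 * nsect) // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(pe_off)                      # 'MZ' header plus empty stub
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, pe_off)
    dos[pe_off - 1] = marker                     # byte just before 'PE\0\0'
    coff = struct.pack('<HHIIIHH', 0x14C, nsect, 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into('<H', opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into('<II', opt, 32, 0x1000, FILE_ALIGN)  # section/file alignment
    struct.pack_into('<I', opt, 60, size_of_headers)
    table, body = bytearray(), bytearray()
    raw_ptr, va = size_of_headers, 0x1000
    for name, content, slack in sections:
        raw_size = -(-len(content) // FILE_ALIGN) * FILE_ALIGN
        pad = raw_size - len(content)
        table += struct.pack('<8sIIIIIIHHI', name, len(content), va, raw_size,
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += content + (slack + bytes(pad))[:pad]
        raw_ptr, va = raw_ptr + raw_size, va + 0x1000
    headers = dos + b'PE\0\0' + coff + opt + table
    gap = (header_gap + bytes(size_of_headers))[:size_of_headers - len(headers)]
    return bytes(headers + gap + body)


def clean_sample():
    """Constructed stand-in for a freshly linked PE: nulls in every gap."""
    return build_pe([(b'.text', b'\xC3' * 300, b''),
                     (b'.data', b'\x01' * 100, b'')])


def tampered_sample():
    """Same layout with arbitrary filler (0xCC, 0x90; not virus code) planted
    where a fragmented cavity infector would put its pieces and marker."""
    return build_pe([(b'.text', b'\xC3' * 300, b'\xCC' * 16),
                     (b'.data', b'\x01' * 100, b'')],
                    header_gap=b'\x90' * 8, marker=0x55)


if __name__ == '__main__':
    for label, image in (('clean', clean_sample()), ('tampered', tampered_sample())):
        print(label, scan_pe(image))
```

On a real file, compare the flagged slack against the output of the same linker on a known-clean build before drawing conclusions.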

Defending Yourself

Obviously, the first line of defence is regularly updated anti-virus software. Beyond that, removal of the jumper supplying the
programming voltage to the Flash ROM will protect the BIOS itself from attack, but will not prevent the destruction of hard
disk data. Unfortunately, as designs increasingly conform to de facto standards, and with downward pressure on prices, Vpp is
often hardwired to save costs.

Conclusion

Although, technically, the virus only damages the firmware of the BIOS, the end result is that fixing its damage requires some
form of hardware replacement. CIH can therefore be said to have a similar effect to that of a hardware-damaging virus. It is to
be hoped that it is not the first of many.


CIH

Aliases:
Win95/CIH, CIH.Spacefiller, PE_CIH. Variants of 1003 and 1019 bytes, and two of 1010 bytes are known.
Type:
Fragmented cavity infector utilizing PE section slack space.
Infection:
Hooks the Windows 9x file system API.
Self-recognition in files:
A non-zero byte immediately before the PE header.
Self-recognition in memory:
A non-zero value in DR0.
Hex pattern:
All variants.
E800 0000 005B 8D4B 4251 5050
0F01 4C24 FE5B 83C3 1CFA 8B2B
Payload:
Overwrites 2048 sectors at beginning of each hard disk and overwrites part of the Flash BIOS boot block.
Trigger:
Opening an uninfectable EXE file on 26 April (CIH.1003, CIH.1010.A), 26 June (CIH.1010.B) or on the 26th of any
month (CIH.1019).
Removal:
Boot from a clean floppy disk, delete infected files and restore from backups.

Further reading:

[An article considering the handling of a CIH outbreak, including concerns for heavily infested networks is available.
It also covers the whys and wherefores of Flash ROM use and their implications for system design.]

[The August 1998 Editorial also pondered matters CIH-ish.]


Virus Bulletin: Win95/CIH / webmaster@virusbtn.com
© 1999 Virus Bulletin Ltd.

Win32/CIH Virus ALERT

IMPORTANT: Anyone running Microsoft Windows 95 or Windows 98
should heed this notice.

This June, a new virus called Win32/CIH (or PE_CIH) first appeared, and it was discovered on campus machines in July.
The virus infects Windows 95 and Windows 98 executable files (PE format), but NOT files on Windows NT or any
Macintosh computer.

Win32/CIH viruses can split up the body of the virus code and place it within unused parts of the infected file. The viruses
contain highly destructive code, which triggers on the 26th of each month, when the virus code attempts to overwrite the
flash-BIOS in infected machines. If the flash-BIOS is write-enabled (and most modern computers have a writable
flash-BIOS), the overwriting renders the machine UNUSABLE because it will no longer boot. Any hardware damage caused
by the virus is not covered under manufacturers' warranties. At the same time, the disk partition information is destroyed.

In July, the Win32/CIH virus was triggered in a test using a Windows 95 system. After the computer's date
rolled over to 26 July, all disk partitioning information was lost, leaving the system unbootable and the data
unrecoverable. No known tools are available to help save lost work, but analysts are searching.

The virus was discovered on computers in several campus labs, including the Windows 95 systems in the Student
Microcomputer Facility. If you used a diskette on one of these systems and then used it elsewhere, you may have spread the
virus. Of course, it is always possible that you picked up the virus elsewhere. Testing your system may be prudent.

What Can You Do?

If you are not using a virus-protection package, you should acquire one as soon as possible. In the meantime, you should shut
your system down on the 25th of each month and not use it again until the 27th. This can be a very devastating virus and ALL
precautions should be taken to avoid it. Do NOT turn on an untested machine any time during the 26th of any month.

Detection...

To detect the virus, you should immediately run a virus detection program that scans for the CIH virus. If your detection
software will not run BECAUSE of the virus (and we have found a case of that for the Dr. Solomon's software), you must boot
your system with a clean boot disk containing the disinfecting software.

If you have a subscription to UT Connect from ACITS, you can now download the latest version of the Dr. Solomon
Anti-Virus Toolkit. To do that, go to

http://www.utexas.edu/cc/swdist/

and follow the instructions to authenticate yourself and download the Toolkit, which will detect the Win32/CIH virus.

Another option is to go to the Dr. Solomon's Web page at

http://www.drsolomons.com/vircen/extra/index.cfm

and download the Win32/CIH driver. Follow the instructions for placing the driver in your Dr. Solomon's directory, then scan
your disk.

If you have difficulty accessing the driver on Dr. Solomon's Web site, you can download the driver file from the ACITS
HelpDesk at

http://www.utexas.edu/cc/help/software/

If you have some other virus-detection software, contact the provider immediately for information.


Disinfection...

After downloading and installing the latest version, run a complete scan of your hard disk. If the virus checker will not run, go
immediately to Software Distribution in COM 14 or to the Help Desk in WCH 1.104. Bring your UT ID. Upon verification
that you have a current subscription to UT Connect, we will copy the Dr. Solomon's disinfecting software to your diskette.

If you do not have a current UT Connect subscription, you can get one in COM 14 or at the Help Desk. Remember: The
version of Dr. Solomon's on the UT Connect CD is NOT the latest. Once you have a subscription, you will still need to
download the latest version to detect the virus.

If you have questions about this virus or the detection and disinfecting procedures, call the Help Desk at 475-9400.


Aptiva - Information on Aptiva PCs and the CIH virus

Applicable Countries

North America

Service Hints & Tips
A very limited number of IBM Aptiva E Series models 240, 301, 520 and 580
might contain a version of a computer virus known as CIH. Our tests
indicate that the CIH virus, if it is not removed, erases the contents of the
infected computer's hard disks when the date on your computer reads April
26 of any year.

If you have recently purchased one of the models listed above, please read
the following notice.

NOTICE: To determine whether your computer is infected, from the
Microsoft Windows desktop, click Start, Programs, Norton AntiVirus, and
Norton AntiVirus. This starts the Norton AntiVirus program.

If you do not receive an error message, your computer does not have
the CIH virus. However, we strongly recommend that you use the
LiveUpdate feature of the Norton AntiVirus program to ensure that
you have up-to-date antivirus definitions files. For your convenience,
we have included instructions for using the LiveUpdate feature at the
bottom of this document.


If you receive the following message, your computer probably has the
CIH virus:

"The file NAV32W.EXE has been altered. Please restart your computer
using your NAV Rescue Disk and scan for viruses. If no virus is found, try
reinstalling Norton AntiVirus from your original disks."

Attention: If your Aptiva PC is infected, be sure not to transfer any files that
end in ".EXE" to another computer. Doing so might possibly spread the
virus.

NOTE: If you have not determined whether your computer is infected by the
night of April 25, unplug your system. You may safely plug the system
back in on or after April 27 at which time you must take one of the following
actions.

To correct the problem, take one of the following actions:

Use Update Connector to download a solution which "cleans" the
hard disk of the virus.

1. From the Windows Desktop, click on Start.
2. Select Update Connector.
3. Follow the on-screen directions to run Update Connector and
download the update.

Alternately, IBM will make this solution available to you on a CD
which we will ship to you via express mail at your request. To
request a copy of the CD, please call (800) 600-8235 and ask for the
"IBM Aptiva Antivirus Update CD".

A third way to remove the virus from your Aptiva is to reinstall the
software that was originally delivered with your system using the
Product Recovery and Diagnostics CD-ROM, as described below. If
you have not stored irreplaceable data on your C: drive and you have
not installed applications you cannot reinstall, this may be an
acceptable and immediate approach. This approach will remove ALL
the data and programs you have installed.

Attention: This process will COMPLETELY erase all of the files on
your hard disk, including all of the files that you have created, downloaded,
or installed on your computer. You might want to back up your data files,
such as written documents, financial information, pictures, audio files, and
spreadsheets, before you start this procedure.
Do not back up files that end in .EXE.

1. If the computer is turned off, turn it on.
2. Insert the red Product Recovery & Diagnostics CD-ROM into the
CD/DVD drive, and close the drive door.
3. Turn off the computer.
4. Wait ten seconds. Turn on the computer. The IBM Product Recovery
Program Main Menu appears automatically.
5. From the Recovery Options, select Full Recovery. It should already
be highlighted in white.
6. Press Enter to continue.
7. Each time a pop-up menu appears, type Y when prompted, and press
Enter until you see the computer copying multiple files. When all files have
been copied (after approximately ten minutes), a message entitled
"Recovery is Complete" is displayed.
8. When you are prompted to restart the computer, remove the Product
Recovery & Diagnostics CD-ROM from the CD/DVD ROM, close the drive
door, and press Ctrl+Alt+Delete.
9. Use the Norton AntiVirus LiveUpdate function.

Once you have followed one of the procedures listed above and have
removed the virus from your system, we strongly recommend that you use
the LiveUpdate feature of the Norton AntiVirus program to ensure that you
have up-to-date antivirus definitions files. For your convenience, we have
included instructions for using the LiveUpdate feature. After you have
updated your Norton AntiVirus program, be sure to scan all backup
diskettes that you might have made.

If you have any questions or require further assistance, please call (800)
600-8235 and we will be happy to assist you.

LiveUpdate Instructions:
Keeping your Norton AntiVirus signature files up-to-date is important to
ensure that Norton AntiVirus is able to detect new viruses. Although IBM
provided you with the latest version of Norton AntiVirus that was available
when your Aptiva computer was designed, it is important to check for
updates frequently. To keep Norton AntiVirus current, use the Norton
AntiVirus LiveUpdate function to obtain the latest signature files. These files
only take a few minutes to download. To obtain the latest signature files,
perform these steps:

To connect directly to Norton:
1. Ensure that your computer modem is correctly connected to a phone
line.
2. Click Start, Programs, Norton AntiVirus, and Norton AntiVirus to start the
program.
3. Click on LiveUpdate.
4. Select Modem from the selection box, and click Next.
5. If you are prompted for your area code and dialing information, supply
these and click OK.
6. The number that is being dialed is displayed. Click OK to proceed.
7. The appropriate updates will be downloaded and installed on your
computer.

To connect through the Internet:
1. Ensure that your computer modem is correctly connected to a phone line
and that you have your internet service properly set up.
2. Connect to your internet service provider.
3. Click Start, Programs, Norton AntiVirus, and Norton AntiVirus to start the
program.
4. Click LiveUpdate.
5. Select Internet from the selection box, and click Next.
6. The appropriate updates will be downloaded and installed on your
computer.

When all the latest signature files have been downloaded and installed on
your computer, it is important to scan all diskettes and other removable
media (except CDs or DVDs) to prevent the spread of the virus or possible
reinfection. If you have used these diskettes with other computers it is
important to notify the owners of those computers and instruct them to run
their current antivirus program with the latest signature files.

If the other computers are not protected by an antivirus program, the owners
of those computers should remove the CIH virus from memory via:
1. Download KILL_CIH from Symantec at:
http://www.symantec.com/avcenter/kill_cih.html

2. Immediately purchase and install an antivirus program for actual CIH virus
removal from your disk drives and continued protection.
For a 30-day trial of Norton Antivirus, download the Norton Antivirus
Trialware at:
http://shop.symantec.com/trialware/

Support for the Trialware is only provided online at:
http://www.symantec.com/techsupp/

If you do not have access to the Internet, you may call Symantec at (800)
441-7234 to request a copy of Norton Antivirus Trialware.

Document ID: DETR-46NRJW
Copyright © 1998 IBM Corporation



W32.CIH.Spacefiller (a.k.a Chernobyl)


What is W32.CIH.Spacefiller?

Chernobyl is a deadly virus. Unlike the other viruses that have surfaced recently, this one is
much more than a nuisance. If infected, Chernobyl will erase data on your hard drive, and may
even keep your machine from booting up at all. There are several variants in the wild. Each
variant activates on a different date. Version 1.2 on April 26th, 1.3 on June 26th, and 1.4 on
the 26th of every month.

How do I get it?

Chernobyl, a.k.a CIH, arrives as an executable file. This may be any program that runs under
Windows95/98/NT. You're most likely to get the virus from downloading an infected program
off of the web. However, recent IBM Aptivas were accidentally shipped with the virus
preinstalled.

Who's at risk?

People running Microsoft Windows 95 or 98. Windows NT users can be a host to the virus
and spread it. However, it will not infect their systems.

What exactly does the virus do to my computer?

When it's contracted, it stays loaded in your computer's RAM so that whenever a program is
run, that program also becomes infected. The virus is only 1 KB in size and stores itself within
empty spaces of files so detection is very difficult. Once infected, the virus does two things.
First, it overwrites and deletes data on your hard disk. It's only a matter of time before it hits
the computer's master boot sector making all data inaccessible. Second, it tries to rewrite the
computer's ROM BIOS completely crippling the computer and potentially destroying the chip
altogether.

W97M.Mailissa

Alias: W97M.Melissa
Infection Length: one VBA5 module named Melissa
Area of Infection: Microsoft Word 97 documents
Likelihood: common
Region Reported: US
Keys: Macro, Wild

Description:
W97M.Mailissa is a common macro virus with a unique payload.

Similar to W97M.Pri, the virus turns off the security protection upon opening an infected document
in MS Word 2000. This disables the MS Word 2000 macro prompt the next time the document is
opened.

It infects MS Word 97 documents by adding a new VBA5 (macro) module named Melissa.
Although there is nothing unique in the infection routine of this macro virus, it has a payload that
utilizes MS Outlook to send an attachment of the infected MS Word 97 document being opened.

This virus can replace the text of the document with:
" Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over.
I'm outta here." For more information please visit the Symantec AntiVirus Research Center.


Win95/CIH

There has been much recent interest in the CIH or Chernobyl virus, primarily because one of its most common variants
triggered recently on 26 April. CIH is not a 'new' virus, and is detected by all major anti-virus packages. However, because
of its destructive nature, CIH is headline-grabbing.

An analysis of the CIH virus was featured in the August 1998 issue of Virus Bulletin.

It used to be the case that a computer virus hitting your machine was simply a `software problem'. Viruses are just computer
programs and thus seemed limited to affecting other programs and/or data stored on your machine. There are many wild claims
about software damaging hardware, but most fall into one of two categories on closer analysis - overuse leading to failure
(where it is fundamentally irrelevant that the overuse was driven by a software process), and `friend of a friend' stories (FOAFs
are, by nature, all but unverifiable).

Software cannot damage (well-designed) hardware. About the worst payload that most people imagined was a complete hard
drive reformat.

This was the naïve view. Fortunately, it was also what we saw in `everyday' viruses. The afternoon of 25 June 1998 changed
our view of things.

Late that afternoon, our worst fears were confirmed. The payload of a virus Sophos had received from a US customer a few
days earlier was designed to, and could successfully, overwrite part of the BIOS code stored in common Flash BIOS chips.

Even worse than the fact that this payload had been implemented, two of the four variants were due to trigger it on 26 June
- the next day. (Two variants trigger on 26 April, one on 26 June and one on the 26th of every month.)

The payload also overwrites the first 1 MB of information on every hard drive in the system. This happens regardless of the
effectiveness of the attack on the Flash BIOS.

At that time, the virus was indisputably in the wild. In fact, one of its variants made it onto the July 1998 WildList! Several
anti-virus developers that VB staff were in regular contact with confirmed receiving samples of at least two variants from
customers. Across those contacts and from samples sent to VB, field reports of all four currently known variants that have the
BIOS flashing payload were confirmed.

The BIOS is a special program in an IBM-compatible PC that `gets the PC up on its feet'. More accurately, it finds the PC's
feet, then gets it up on them. The payload of the Win95/CIH family, if successful in messing with the Flash BIOS of an infected
PC, will leave the machine unbootable. The part of the BIOS that is overwritten is the very first part of the BIOS program that
runs at power-up or system reset.

PCs on which the Win95/CIH payload has triggered require the BIOS to be replaced. This is where a rash of Win95/CIH
infections within a company can quickly become expensive.

With many PCs this involves opening the case, removing the current chip and inserting a replacement one. Obviously the BIOS
has to match the motherboard: BIOSes tend to be designed for a range of CPUs and for particular `chipsets' (all the other logic
circuitry needed to make your expensive CPU co-ordinate with all the other components inside your PC).

Alternately, a BIOS chip that has been flashed by the virus is not actually damaged. However, it requires a fairly specialized
piece of equipment to reprogram it with the correct BIOS image. This is an option for people with the right contacts and a
backup copy of their BIOS' contents. (Admit it - you seldom back up your data often enough and have never heard of
backing up your BIOS!)

These first two fixes assume that your BIOS is installed in a socket. Unfortunately, it is increasingly common (and almost
universal in laptops) that the Flash ROM chip holding your BIOS is soldered to the motherboard. In such machines, a
motherboard replacement is effectively necessary. Although surface mount Flash ROM chips may be able to be removed and
replaced by a suitably skilled technician, it is unlikely to be cheaper and likely to be slower to effect this kind of repair. With
some laptops it may be more economic to buy a new machine.

Who needs to worry about this virus? If you run Windows 95 or 98 you are at risk. The virus infects PE format executable files
(`programs'). This includes Windows NT programs, but the virus will not run and its payload cannot trigger under NT. Should
you be running Windows 95 on a 386 or early 486 you are most likely safe - storing the machine's BIOS in Flash ROM
became popular towards the tail end of the 486 era. Most, if not all, Pentium-based machines will have Flash ROM.

We are still working with the chipset and motherboard designers to ascertain exactly which combinations of chipset and Flash
ROM are susceptible to this payload. We know some Flash ROMs cannot be overwritten because the payload uses activation
sequences known to not work with them. We hope to make more details available as we piece things together.

What should you do in the meantime? If from the above you suspect that you may be susceptible to this virus, please download
(or obtain through your standard means) the very latest update to your anti-virus software, install it and scan your PC. Most
major anti-virus vendors have updates that detect this virus. The safest way to scan is from DOS-only mode using a DOS
scanner.

That is not the same as running a scanner at a DOS prompt under Windows 9x: a DOS box still runs on top of Windows, where
the virus may be resident and watching every file the scanner opens. To be sure, select `Restart the computer in MS-DOS
mode' from the shut down menu. If starting from power-up, press F8 when the `Starting Windows...' message is first
displayed and select the `Command prompt only' option. Another possibility is that your anti-virus developer may have
provided an emergency boot disk. Lastly, if using your own emergency recovery disk, ensure it is from an appropriate version
of Windows to avoid possible FAT32 problems.

If you have NT servers or workstations, it is safe to check them with native NT scanners. CIH cannot go resident under NT, so
it can neither infect files nor trigger its payload on such systems. Thus, few of the concerns that must be considered when
testing a Windows 9x machine apply. However, note that you should not scan a network share exported from a Windows 9x
machine - in that case, an active infection on the machine exporting the share can spread further as the files are opened. In a
similar vein, to check servers running non-Win32 operating systems, either run updated scanners native to that OS, or scan
them across the network from anything other than a Windows 9x workstation.

Should you discover an infection of CIH, it is also most important to determine, quickly but safely, how widely the infection has
spread through your organization. Safely? Remember, this is a fast infector - the act of opening a clean file on a machine with
an active infection will cause it to be infected, if you have write access to the file.

It is most important to consider files on network shares very carefully when planning a network-wide hunt. Files on attached
network shares are `seen' by CIH, not just those on local drives. Thus, you should not scan remote drives from a Windows 9x
machine unless you are sure you are scanning from a clean environment.
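The two points above, that CIH infects PE executables and that a hunt must only ever read files, can be turned into a small
read-only triage script. The following is an added example, not code from the original article or from any anti-virus vendor.
It builds a constructed PE32 image in memory and then checks whether the zero padding after each section's data (and after
the section table) contains anything other than zeros, which is the slack a cavity infector such as CIH hides its fragments in.
The names build_pe, filled_cavities, triage, changed_files and infect, and the sample byte strings, are all assumptions made
for the example; the check is a generic heuristic, not a CIH signature, and packers or bound-import tables can occupy slack
legitimately, so a hit is a lead to verify against a clean copy, not a verdict.

```python
"""Read-only PE slack triage: added example, not code from the original article.

A freshly linked PE image has zero-filled padding between the end of each
section's data and the next file-alignment boundary, and between the section
table and SizeOfHeaders.  A cavity infector writes its fragments there, so any
non-zero byte in that slack is worth a look (heuristic only: packers and
bound-import tables can occupy slack legitimately)."""
import hashlib
import struct

FILE_ALIGN = 0x200   # assumed alignments for the constructed sample below
SECT_ALIGN = 0x1000

def align_up(n, a):
    return (n + a - 1) // a * a

def build_pe(sections):
    """Constructed sample: a minimal PE32 image from [(name, data), ...]."""
    num = len(sections)
    e_lfanew = 0x40
    size_of_headers = align_up(e_lfanew + 4 + 20 + 224 + 40 * num, FILE_ALIGN)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    raw_ptr, va, table, bodies = size_of_headers, SECT_ALIGN, b"", b""
    for name, data in sections:
        raw_size = align_up(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += data.ljust(raw_size, b"\0")   # zero padding: the cavity
        raw_ptr += raw_size
        va += align_up(len(data), SECT_ALIGN)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB9I6H4IHH6I", 0x10B, 0, 0,
                      0, 0, 0, SECT_ALIGN, SECT_ALIGN, 0, 0x400000, SECT_ALIGN, FILE_ALIGN,
                      4, 0, 0, 0, 4, 0, 0, va, size_of_headers, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers.ljust(size_of_headers, b"\0") + bodies

def parse_pe(blob):
    """Return (section_table_end, size_of_headers, [(name, vsize, raw_size, raw_ptr)])."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    size_of_headers = struct.unpack_from("<I", blob, opt + 60)[0]  # same offset in PE32/PE32+
    table = opt + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw_size, raw_ptr))
    return table + 40 * nsect, size_of_headers, sections

def filled_cavities(blob):
    """[(region, file_offset, nonzero_bytes)] for every slack region that is not all zero."""
    table_end, size_of_headers, sections = parse_pe(blob)
    regions = [("headers", table_end, size_of_headers)]
    for name, vsize, raw_size, raw_ptr in sections:
        used = min(vsize, raw_size)            # vsize > raw_size is legitimate (.bss)
        regions.append((name, raw_ptr + used, raw_ptr + raw_size))
    hits = []
    for region, start, end in regions:
        slack = blob[start:end]
        nonzero = len(slack) - slack.count(0)
        if nonzero:
            hits.append((region, start, nonzero))
    return hits

def triage(files):
    """files: {path: bytes}, read (never opened for write) from a clean host.
    Returns per-file hash, PE flag and cavity hits."""
    report = {}
    for path, blob in files.items():
        entry = {"sha256": hashlib.sha256(blob).hexdigest(), "pe": False, "cavities": []}
        try:
            entry["cavities"] = filled_cavities(blob)
            entry["pe"] = True
        except (ValueError, struct.error):
            pass                               # not a PE: hash only
        report[path] = entry
    return report

def changed_files(before, after):
    """Paths whose content hash differs between two triage reports."""
    return {p for p in after if p in before and before[p]["sha256"] != after[p]["sha256"]}

# Constructed samples (no real virus code): a clean image and a copy whose slack
# has been filled with a dummy fragment the way a cavity infector would.
CLEAN = build_pe([(b".text", b"\x55\x8b\xec\x33\xc0\x5d\xc3"), (b".data", b"hello\0")])
FRAGMENT = b"\xeb\xfe" * 32

def infect(blob):
    out = bytearray(blob)
    table_end, size_of_headers, sections = parse_pe(blob)
    targets = [(table_end, size_of_headers)] + [(p + min(v, r), p + r) for _, v, r, p in sections]
    for start, end in targets:
        chunk = FRAGMENT[:end - start]
        out[start:start + len(chunk)] = chunk
    return bytes(out)

INFECTED = infect(CLEAN)
```

Run it from a clean host over files read from the share (or copied off it), never from a Windows 9x workstation that might
itself be infected. Because the script only reads, the hashes it records can be compared with a later run to see which files
changed in the meantime; on the constructed sample, the clean image reports no filled slack and the infected copy reports a
hit in the header slack and at the tail of each section.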

So, should you be worried? In the 36 hours or so leading up to our isolating the nature of the complete Win95/CIH payload,
colleagues at other anti-virus companies were also becoming concerned about this virus. Not because they were aware of its
full payload, but because they were receiving samples from all around the world and were worried about the disk-trashing due
for 26 June.

True - it is difficult to say what the chances are of the virus finding you, but it is a fast infector, meaning that it will quickly
spread through most possible host files on an infected PC. That neat new utility your friend or office colleague gave you the
other day just might have been exposed to it. Can you really be sure where it had been before you ran it?

CIH is widespread, but probably not `common'. Thus, for any given user, the probability of exposure is low. The BIOS-flashing
payload, however, means that if you are exposed, the cost of failing to detect the virus before its payload triggers is higher
than with previous viruses.

VB has heard people shrug off this suggestion with a response such as `New BIOSes are only twenty pounds [thirty dollars]'.
That is true, and if you are a single user the low risk of exposure may mean the cost of ignoring this virus until your next regular
anti-virus program update is bearable to you. If the Flash ROM containing your BIOS is soldered to the board, with a typical
replacement cost of three times that, you may be a little more worried. But imagine having to scale that across a large
corporate IT infrastructure of several thousand PCs.

Maybe you are an `expert user' accustomed to adding and removing bits from your PC? If so, you probably did not consider
the additional (and quite high) costs of employing suitable technical staff to effect these replacements.

Virus Bulletin: Win95/CIH / webmaster@virusbtn.com
© 1999 Virus Bulletin Ltd.
