SIGHTINGS


 
Devastating Win95/CIH Virus Set To Hit PCs On July 26
By Luke Reiter and Jim Louderback - ZDTV News
7-23-98
 
 
On July 26, the devastating Win95/CIH Virus is programmed to strike. And experts say its payload is unprecedented - if you're infected, your computer may simply stop working.
 
 
THE VIRUS WAS FIRST identified by Virus Bulletin, a premier research laboratory in Great Britain that publishes a subscription newsletter about viruses. According to Nick FitzGerald, the Bulletin's editor, the virus goes beyond the traditional disk-trashing mayhem of other rogue programs.
 
 
Computers based on Intel-compatible processors use a Basic Input Output System (BIOS) to provide a cold start-up. The BIOS is software that initializes and manages the relationships and data flow between the system devices, including hard drive, serial and parallel ports, and the keyboard; it sits between those hardware devices and the operating system and applications.
 
 
Most desktop, server, and notebook computers built in the last few years store their BIOS on a flash ROM chip. These flash chips are rewritable, which allows users and manufacturers to upgrade the BIOS with new capabilities, or to fix bugs.
 
 
For the first time ever, the CIH Virus attacks the software code stored in those flash BIOS chips. The virus overwrites part of the BIOS code that's stored in some flash ROM chips. In fact, it overwrites the part of the BIOS program that runs first when the system is powered up or reset. As a result, the virus can render your computer unbootable - it just won't start up at all when you turn on the power.
 
BLAST FROM THE PAST?
 
 
It's not just deja vu all over again. The virus may be breaking new ground, but it still has a sense of history. Like other nasty viruses of old, it also overwrites the first megabyte of your hard drive, obliterating your files. That loss can be devastating, but if the virus stopped there, at least your computer would still work - if you had DOS or another operating system on a floppy disk.
 
 
Of course, it doesn't stop there. According to the Virus Bulletin, CIH can be downloaded from "warez" sites on the Internet. Those are the underground or "hacker" sites that store programs, including some that claim to be hacking tools or that provide additional utilities for games. The virus is known to have been downloaded from at least one "warez" site in Europe. In one case, it was even disguised as a Windows 98 service pack.
 
 
The connection to Windows 98 is not a coincidence. The CIH Virus can reportedly affect any system running Windows 95 or 98. That possibility has caused tremendous concern among researchers.
 
 
But while concern is warranted, there is no need to panic about the dangers of CIH. The virus is not yet widespread, and not every kind of flash ROM chip can be overwritten. Some are simply not affected by the payload's activation sequences.
 
 
The problem, however, is that it can be almost impossible to know whether your computer has the kind of flash ROM chip that is vulnerable to attack. There are approximately 15 to 30 chips that are commonly used in current systems.
 
 
Luckily, many motherboards, including those built by Intel and sold to a variety of top computer manufacturers in the United States, come with the flash BIOS protected against attacks like this. These motherboards have a jumper set that write-protects the flash chip, much like a diskette, cassette, or VHS tape can be write-protected.
 
 
However, even if the virus can't overwrite the BIOS, it will still delete data stored on hard drives. That puts every Windows 95- and 98-based machine at risk when the virus is triggered.
 
BEWARE THE 26TH
 
Watch out for all four flavors of the CIH virus. At present, all four known versions of the CIH Virus are connected to the date of the 26th. The first two are programmed to trigger on the 26th of April. The third takes action on the 26th of June. And the fourth, and least common, drops its payload on the 26th of every month.
 
 
That's this Sunday. And if you're one of the unlucky ones who get infected, the damage can be extreme - and expensive. "PCs on which the Win95/CIH payload has triggered (completely) require the BIOS to be replaced," FitzGerald said. "This is where a rash of infections within a company can quickly become expensive."
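The trigger schedule above (two variants on 26 April, one on 26 June, one on the 26th of every month) is the kind of thing an administrator wants turned into a calendar so scans and backups can be scheduled ahead of each date. The following is an added example, not code from the article or from ZDTV; the variant labels "CIH v1" to "CIH v4" are my own placeholders for the four versions the article describes, and the dates come only from the article's text.

```python
import datetime as dt

# Trigger rules as stated in the article: (month, day), with month=None
# meaning "the 26th of every month". Variant names are placeholder labels.
TRIGGER_RULES = {
    "CIH v1": (4, 26),
    "CIH v2": (4, 26),
    "CIH v3": (6, 26),
    "CIH v4 (monthly)": (None, 26),
}


def next_trigger(rule, today):
    """Return the first trigger date on or after `today` for one rule."""
    month, day = rule
    if month is None:
        # Monthly variant: the 26th of this month if it has not passed,
        # otherwise the 26th of next month (every month has a 26th).
        if today.day <= day:
            return today.replace(day=day)
        year = today.year + (1 if today.month == 12 else 0)
        next_month = 1 if today.month == 12 else today.month + 1
        return dt.date(year, next_month, day)
    # Fixed-month variants: this year's date, or next year's if it has passed.
    candidate = dt.date(today.year, month, day)
    if candidate < today:
        candidate = dt.date(today.year + 1, month, day)
    return candidate


def next_triggers(today):
    """Map each variant label to its next trigger date on or after `today`."""
    return {name: next_trigger(rule, today) for name, rule in TRIGGER_RULES.items()}


def days_until(today):
    """Map each variant label to the number of days until it next fires."""
    return {name: (d - today).days for name, d in next_triggers(today).items()}


if __name__ == "__main__":
    # Constructed input: the article's own dateline, 23 July 1998.
    article_date = dt.date(1998, 7, 23)
    for name, days in days_until(article_date).items():
        print(f"{name}: fires in {days} day(s) on {next_triggers(article_date)[name]}")
```

Run against the article's dateline, the monthly variant comes up in three days (the "this Sunday" the article refers to), while the April and June variants do not fire again until the following year. A date that equals a trigger date counts as firing that day, which is the conservative choice for scheduling a scan.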
 
 
In some cases, the BIOS can be replaced by removing the current chip and inserting a new one. But such a remedy would require the BIOS to be installed in a socket.
 
 
In most cases, the Flash ROM chip is soldered to the motherboard of the computer. In that event, the entire motherboard will have to be replaced. "With some laptops, it may be more economic to buy a new machine," FitzGerald said.
 
 
Such potential harm makes it prudent to take protective action right away. ZDTV's editorial director, Jim Louderback, is on the case, and he's got some great answers on how to eliminate the threat of CIH.
 
 
And while that threat may be slight, it's undoubtedly increasing. So far, the virus has been identified in Australia, Chile, France, Germany, Japan, Korea, Norway, Romania, Russia, South Africa, and Taiwan, where it may have been written.
 
 
And at least for the next few months, as the 26th of each new month arrives, the number of CIH victims seems destined to rise.
 
 