A new variant of the CIH virus that plagued the computer world and destroyed many computers and much data on 26th of April 1999 is here again, and it is going to activate on the 26th of this month! The virus has already spread far. Because the March Edition CD of "Computer Tomorrow", one of the popular Bangladeshi computer magazines, also contained the virus, a lot of people are infected without knowing it.

Only the latest versions of McAfee VirusScan and PC Cillin can detect and remove the virus. Earlier versions cannot detect it, so you may be infected without knowing it. You are therefore advised to update your antivirus software immediately. The latest McAfee Antivirus version 4.073 and PC Cillin can remove the virus. If you are already a McAfee user, you can update your detection DAT files to 4073. You can obtain this update from the McAfee website, download.mcafee.com. The size of the file is 3.8MB (SDAT4073.exe). If this file is too big for you, you can download a smaller update, which will add detection/removal functionality to your existing McAfee Antivirus, from our web site www.amtltd.net. The size of this file is only 1.36 KB and it will take less than 2 seconds to download. Instructions for using this file are included on the website. PC Cillin users need pattern file 518 and scan engine 2.062 of PC Cillin 6 to detect and remove the virus. This update can be found on the PC Cillin web site. So far Norton Antivirus cannot clean the virus.

The virus will activate on the 26th of this month and will destroy data on the hard disk and corrupt the Flash BIOS. After infection, Windows shows protection errors quite often and the system becomes slow. If you have McAfee Antivirus (earlier versions) running and it does run showing "Validation Error" you are already infected. But if McAfee VirusScan still runs, then you are probably safe, but you should still update to the latest version just in case and scan for viruses.

If you have any problems, feel free to contact us. If you are infected and unable to clean the virus, we will clean it for you for free if you come to our office.

You are welcome to circulate this information to anyone who you think will benefit from it. If you need any information or assistance, please get in touch with [email protected] or [email protected]

Additional information about the virus is furnished below:

Sincerely,


Md. Ashraful Anam
Webmaster
AMT Ltd.
2/9, Block-F,
Lalmatia, Dhaka
Phone: 880-2-8116722
E-Mail: [email protected]
Web: www.amtltd.net




Virus Name: CIH, Chernobyl, Win95.CIH, Win32.CIH, W95.CIH V1.2, W95.CIH V1.3, W95.CIH V1.4, SPACEFILLER

Virus type:   File Infector
Destructive:   Yes

Description:
On April 26th, PE_CIH will once again activate and may cause damage to many computers. At this point we can only hope that people have upgraded to an up-to-date Antivirus software package that detects and cleans PE_CIH before it can activate. When PE_CIH activated in 1999 it caused damage to several hundred thousand systems, leaving many users with an unbootable computer. PE_CIH contains two destructive payloads, which will both trigger on April 26th. Once triggered, it attempts to overwrite the system's hard disk with some random data, and that makes data recovery very difficult. It also tries to do some permanent damage to the system by corrupting data stored in the Flash BIOS. Once it re-formats the hard drive it displays a text message. It does not infect Windows NT systems.

Technical Description
In the wild: Yes
Trigger date 1: 26th
Trigger condition 1: Day = 26th
Payload 1: Corrupt Hard Disk
Language: English
Platform: Windows 95/98
Encrypted: No
Size of virus: 1 KByte

Details:
The CIH virus infects .EXE files in Windows 95/98. It becomes memory resident once a file (which is infected by it) is executed. When the virus infects files, it looks for spaces in the target file and appends itself to those unused spaces, so that the size increase of infected files is hardly noticeable.
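As an added illustration (not part of the original advisory and not any vendor's detection logic), the Python sketch below measures the unused space at the end of each PE section and counts non-zero bytes there, which is the kind of region the paragraph above describes. The sample image is constructed for the example and is only a header layout, not a runnable program; non-zero slack is a triage hint, not proof of infection.

```python
import struct

def section_slack(pe: bytes):
    """Return [(name, slack_offset, slack_len, nonzero_bytes)] per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows optional header
    report = []
    for i in range(num_sections):
        hdr = table + 40 * i                  # each section header is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<4I", pe, hdr + 8)
        if vsize == 0:                        # some linkers leave VirtualSize unset;
            continue                          # slack cannot be judged, so skip
        slack_len = max(raw_size - vsize, 0)  # file-alignment padding after real data
        start = raw_ptr + vsize
        slack = pe[start:start + slack_len]
        report.append((name, start, slack_len, sum(1 for b in slack if b)))
    return report

def build_sample(slack_fill: bytes = b"") -> bytes:
    """Constructed image: one .text section, 0x200 raw bytes, 0x120 in use."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x014C, 1)    # i386, one section
    struct.pack_into("<H", buf, 0x40 + 20, 0)        # no optional header (sample only)
    hdr = 0x40 + 24
    buf[hdr:hdr + 8] = b".text\0\0\0"
    struct.pack_into("<4I", buf, hdr + 8, 0x120, 0x1000, 0x200, 0x200)
    buf[0x200:0x320] = b"\x90" * 0x120               # placeholder section content
    buf[0x320:0x320 + len(slack_fill)] = slack_fill  # bytes placed in the padding
    return bytes(buf)

if __name__ == "__main__":
    for label, img in (("clean", build_sample()), ("filled", build_sample(b"\xAA" * 16))):
        print(label, len(img), section_slack(img))
```

Both sample images have the same length, which is why a file-size comparison alone does not reveal data written into section padding.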

It also hooks the IFS (Installable File System), which gives it the ability to infect any PE (Portable Executable, e.g., .EXE) type files. Windows NT files, however, are not subject to infection (by PE_CIHV1.2) due to the use of a VXD programming technique (used when it becomes memory resident): this technique is available in Windows 95/98 only. Therefore, Windows NT systems are safe from the Chernobyl infection.

This file infector has a couple of destructive payloads that are triggered on the 26th day of a month. On the trigger day, it attempts to overwrite the system's hard disk with some random data, and that makes data recovery very difficult. It also tries to do some permanent damage to the system by corrupting data stored in the Flash BIOS.

Once the hard drive has been reformatted (by PE_CIHV1.2), the following message is displayed when the system is rebooted: "DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER"

And if you boot the system from the A: drive and try to change to the C: drive from there, another message is displayed: "Invalid drive specification", since the hard disk has already been overwritten with some random data.

 
