The Latest Trumors

by Beverly Rosenbaum

Win 95/98 Virus Alert

A new virus with a dual payload, W95.CIH (also known as “Spacefiller”), has been reported. It spreads by infecting 32-bit Windows 95/98 PE (portable executable) files with an .EXE extension. When its payload triggers, the virus first attempts to overwrite the flash BIOS start-up code, leaving the computer unable to boot until the BIOS is re-flashed or the chip is replaced; no previous virus has been able to put a hardware component out of action this way. The second payload destroys the data on the hard disk by overwriting the partition table and boot sectors.

When an infected program is run, the virus goes memory resident and infects new files as they are opened. An infected system must therefore be booted from a clean, write-protected system disk before it is scanned with any anti-virus product; otherwise the resident virus infects every file the scanner opens.

Windows NT systems are not affected by W95.CIH, because the virus goes resident using a VxD programming technique that exists only in Windows 95 and 98; under Windows NT it can neither replicate nor trigger its payload. “Spacefiller” also does not infect Macintosh or Windows 3.x executable files.

According to a report from Data Fellows, makers of F-PROT anti-virus software, the CIH virus was first found in Taiwan in early June. Within a week it was world-wide, confirmed in the wild in France, Germany, the Netherlands, Sweden, China, Israel, Chile and Australia. It spread quickly through the distribution of pirated game software.

The destructive payload of the first variants was expected to trigger on April 26th or June 26th, depending on the variant; a further variant triggers on the 26th of every month.

While researchers from Symantec and the IBM Watson Research Center believe that most computers will not be susceptible to the BIOS-overwriting attack, practically every maker of anti-virus software has posted a warning and updated signature files to detect and remove this virus.

W95.CIH ranked fifth, accounting for 5.5% of all viruses reported in July 1998. The rest of the top ten were six macro viruses and three boot sector viruses.

The BIOS payload attempts to overwrite certain types of flash BIOS chips on some machines from the 486 through the Pentium II. The BIOS initializes the system and manages the data flow between devices such as the hard drive, serial and parallel ports and the keyboard; by overwriting part of the BIOS program, the virus keeps the computer from starting when the power is turned on. Some motherboards have a jumper that acts as hardware write protection, and others a DIP switch that disables BIOS flashing. If the flash BIOS is write-enabled (and most modern computers ship with it writable) and the payload executes, the PC will no longer boot until the BIOS is re-flashed or the chip is replaced. Damage caused by the virus is not covered by manufacturers’ warranties. At the same time, the disk partition information is destroyed.

While McAfee Labs has been unable to reproduce either payload in a controlled setting, the virus was found on computers in several campus labs at the University of Texas at Austin.

In July, UT personnel triggered Win32/CIH in a test on a Windows 95 system. When the computer’s date rolled over to July 26, all disk partitioning information was lost, leaving the system unbootable and the data unrecoverable.

No known tools are available to recover the lost data.

The virus is thought to overwrite the information on the hard drive using direct disk-write calls that bypass the BIOS’s boot-sector virus protection, destroying the Master Boot Record and boot sectors. Infected files stay the same size as the originals, because the virus breaks itself into small pieces and hides them in the unused space within the file: the zero padding that the linker leaves between the end of each section’s data and the aligned end of that section.
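To make the “spacefiller” mechanism concrete, here is an added example in Python; it is not part of the original column and is not CIH’s own code. It builds a small constructed PE32 image whose sections carry the zero padding a linker leaves between the end of a section’s data (VirtualSize) and its aligned raw size (SizeOfRawData), shows how a cavity infector can scatter a payload across that padding without changing the file size, and then flags sections whose padding is no longer all zeros. The section layout, the 500-byte dummy payload of 0xCC bytes and the helper names (`build_pe`, `section_slack`, `filled_cavities`, `fill_cavities`) are assumptions made for the demo; the check is a heuristic, since some build tools also leave non-zero padding.

```python
import struct

FILE_ALIGN = 0x200       # raw-data alignment used by the constructed sample
SECTION_ALIGN = 0x1000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def _align(n, a):
    return -(-n // a) * a


def build_pe(sections):
    """Build a minimal PE32 image (constructed sample, not a runnable program).
    sections: list of (name, payload bytes). VirtualSize = len(payload) and
    SizeOfRawData is rounded up to FILE_ALIGN, so the tail of every raw
    section is zero padding: the 'unused space' a cavity infector fills."""
    nsec = len(sections)
    raw_start = _align(64 + 4 + 20 + 224 + 40 * nsec, FILE_ALIGN)
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    headers, body, raw_ptr, va = bytearray(), bytearray(), raw_start, SECTION_ALIGN
    for name, payload in sections:
        raw_size = _align(len(payload), FILE_ALIGN)
        headers += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                               len(payload), va, raw_size, raw_ptr,
                               0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")            # linker-style zero padding
        raw_ptr += raw_size
        va += _align(raw_size, SECTION_ALIGN)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(headers)
    return image.ljust(raw_start, b"\0") + bytes(body)


def parse_sections(pe):
    """Read the section table of a PE file: name, VirtualSize, SizeOfRawData, PointerToRawData."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)[:5]
        out.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                    "raw_size": raw_size, "raw_ptr": raw_ptr})
    return out


def section_slack(pe):
    """Yield (name, file offset, length) of each section's unused tail: the bytes
    past VirtualSize that exist only because SizeOfRawData is aligned."""
    for s in parse_sections(pe):
        used = min(s["vsize"], s["raw_size"])     # vsize > raw_size means BSS-style data, no slack
        yield s["name"], s["raw_ptr"] + used, s["raw_size"] - used


def filled_cavities(pe):
    """Map section name -> count of non-zero bytes in its slack. A linker zeroes
    that padding, so anything there was written after linking. Heuristic only:
    treat a hit as a lead for a signature scanner, not as a verdict."""
    return {name: sum(1 for b in pe[off:off + n] if b)
            for name, off, n in section_slack(pe) if any(pe[off:off + n])}


def fill_cavities(pe, chunk):
    """Simulate a cavity infector: split `chunk` across section slack, largest
    slot first, so the file size never changes (demo bytes only, not a virus)."""
    image = bytearray(pe)
    placed = []
    for name, off, n in sorted(section_slack(pe), key=lambda t: t[2], reverse=True):
        if not chunk:
            break
        if n == 0:
            continue
        piece, chunk = chunk[:n], chunk[n:]
        image[off:off + len(piece)] = piece
        placed.append((name, off, len(piece)))
    if chunk:
        raise ValueError("not enough slack for the payload")
    return bytes(image), placed


if __name__ == "__main__":
    clean = build_pe([(".text", b"\x90" * 300), (".data", b"A" * 100)])
    print("slack map:", list(section_slack(clean)))
    print("clean file:", filled_cavities(clean))
    infected, placed = fill_cavities(clean, b"\xCC" * 500)
    print("pieces placed:", placed, "size unchanged:", len(infected) == len(clean))
    print("infected file:", filled_cavities(infected))
```

On a real file, `filled_cavities(open(path, "rb").read())` gives the same report. The example reads only the fields it writes (PE32, no overlay, no appended data), so it does not notice an infector that grows the file or one that writes into an overlay; it is a triage check to run beside a signature scanner, not a replacement for one.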

What can you do? If you are not using a virus-protection package, acquire one as soon as possible. In the meantime, change your system date or shut your system down on the 25th of each month and do not use it again until the 27th. This can potentially be a very devastating virus, and ALL precautions should be taken to avoid it. Do NOT turn on an untested machine at any time during the 26th of any month.

E-mail Bug

By August, Microsoft and Netscape were both scrambling to calm e-mail users after researchers in Finland found a bug that could give hackers access to entire computer systems.

While no attacks had been reported, both companies urged their e-mail software customers to download patches that correct the problem. The affected programs were Netscape’s Communicator 4.0 and later, including the new 4.5 beta, and Microsoft’s Outlook Express and the Outlook 98 upgrade. According to officials from both companies, the problem lies in the handling of the file names of attachments. A file name of more than 200 characters overflows a fixed-size buffer in the mail program, so that opening the attachment in Outlook, or merely opening the File menu in Communicator, can have disastrous results: commands embedded in the absurdly long file name by hackers could erase or destroy files, or collect passwords and other information and send the data back to the hacker. Firewalls and anti-virus software, the two most widely used security measures, give no protection against this attack. Until the patch is installed, the only way to avoid a problem is to delete any suspicious attachment without opening it.
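A mail gateway or a local script can reject the over-long names this bug depends on before a vulnerable client ever opens them. The following is an added example in Python; it is not part of the original column and is not code from Microsoft, Netscape or the Finnish researchers. It parses a message with the standard `email` module, collects every attachment name a client would see (the Content-Disposition `filename=` parameter, falling back to Content-Type `name=`, with RFC 2231 continuation pieces joined), and flags any name longer than the 200-character figure quoted above. The sample messages, the `MAX_NAME` threshold and the helper names (`make_message`, `attachment_names`, `oversized_attachments`, `should_quarantine`) are constructed for the demo.

```python
import email

MAX_NAME = 200   # the length cited above; an assumption to tune for your own gateway


def make_message(filename, piece_len=None):
    """Constructed sample message (not a real capture) with one attachment
    named `filename`. With piece_len set, the Content-Disposition name is
    emitted as RFC 2231 continuation pieces (filename*0=, filename*1=, ...),
    so no single header line carries the whole name."""
    if piece_len:
        pieces = [filename[i:i + piece_len] for i in range(0, len(filename), piece_len)]
        disposition = "attachment; " + "; ".join(f'filename*{i}="{p}"' for i, p in enumerate(pieces))
        ctype = "application/octet-stream"
    else:
        disposition = f'attachment; filename="{filename}"'
        ctype = f'application/octet-stream; name="{filename}"'
    return (
        "From: sender@example.com\r\n"
        "To: user@example.com\r\n"
        "Subject: test\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "see attached\r\n"
        "--b1\r\n"
        f"Content-Type: {ctype}\r\n"
        f"Content-Disposition: {disposition}\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        "aGVsbG8=\r\n"
        "--b1--\r\n"
    ).encode()


def attachment_names(raw):
    """Every attachment name a client would see. get_filename() returns the
    Content-Disposition filename= parameter, falls back to Content-Type name=,
    and reassembles RFC 2231 continuation pieces into one string."""
    msg = email.message_from_bytes(raw)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def oversized_attachments(raw, limit=MAX_NAME):
    """(length, name) for each attachment name longer than `limit`."""
    return [(len(n), n) for n in attachment_names(raw) if len(n) > limit]


def should_quarantine(raw, limit=MAX_NAME):
    """Gateway decision: hold any message carrying an over-long attachment name."""
    return bool(oversized_attachments(raw, limit))


if __name__ == "__main__":
    samples = [("benign", make_message("report.txt")),
               ("long name", make_message("A" * 300)),
               ("long name in RFC 2231 pieces", make_message("B" * 240, piece_len=60))]
    for label, raw in samples:
        hits = oversized_attachments(raw)
        print(f"{label}: {'quarantine' if hits else 'deliver'}",
              f"(name length {hits[0][0]})" if hits else "")
```

Checking the reassembled name rather than each raw header line is deliberate: a name split into RFC 2231 continuations is short on every line yet long once the client puts it back together. If the gateway also has to protect clients that do their own, non-standard header parsing, add a second check on the raw length of the Content-Disposition and Content-Type header lines.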

Marburg

The Marburg virus got into widespread circulation when it was included by accident on the cover CD of the July 1998 edition of the UK-based PC Gamer magazine. The infected files are on “CD Gamer 2”, which came with the magazine: \UTILS\XEARTH\XEARTH.EXE, \UTILS\QPAINT\QPAINT.EXE and \VIDEO\SMACKPLW.EXE. The SMACKPLW program runs automatically if you watch any of the preview videos from the CD.

Marburg is a polymorphic Windows 95/98 virus that infects Win32 .EXE and .SCR (screen saver) files. Its polymorphic engine is advanced, and it deletes the integrity databases of several anti-virus products. It also avoids infecting many known anti-virus executables, including any executable with the letter “V” in its name, so as not to trigger those programs’ self-checks.

Marburg’s payload activates three months after the initial infection: if an infected application is run in the same hour of the day as the initial infection, the virus displays the standard Windows error icon (a red cross in a white circle) at random positions all over the screen.

Beverly Rosenbaum is a HAL-PC member who can be contacted at brosen@hal-pc.org.
