June 27, 1998
Renee Barnhardt
Central Command Inc.
330-273-2820
reneet_private

Central Command Warns Windows 95 and Windows 98 Users of New Virus Epidemic

Central Command, the US distributor of AntiViral Toolkit Pro, is warning all current Windows 95 and Windows 98 users of a new, fast-spreading computer virus named Win95.CIH. This new, advanced virus has been reported to have infected computers worldwide and appears to be undetectable by most antivirus products. The virus first appeared in Taiwan at the beginning of June and carries a particularly lethal payload. It can overwrite the system startup programs required to start the computer and erase the BIOS, leaving the data destroyed and the PC unusable. Eugene Kaspersky, chief virus researcher behind AntiViral Toolkit Pro, stated that "most antivirus developers will have to re-engineer their applications to effectively detect and remove this virus, similar to what happened when the first Microsoft Word virus "Concept" appeared back in 1995."

Virus Description

This is a Windows 95-specific parasitic infector of PE (Portable Executable) files, about 1 Kbyte in length. This virus was found "in-the-wild" in Taiwan in June 1998 - it was posted by the virus author to a local Internet conference as a utility. Within a week the virus was found in Austria, Australia, Israel and the United Kingdom, and was also reported from several other countries (Switzerland, Sweden, USA, Russia, and the list keeps growing).

The virus installs itself into Windows memory, hooks file access calls and infects EXE files that are opened. Depending on the system date (see below) the virus runs its trigger routine. The virus has some bugs and in some cases halts the computer when an infected application is run.

The virus' trigger routine operates with Flash BIOS ports and tries to overwrite Flash memory with "garbage". This is possible only if the motherboard and chipset allow writing to Flash memory.
Usually writing to Flash memory can be disabled by a DIP switch, however this depends on the motherboard design. Unfortunately, there are modern motherboards that cannot be protected by a DIP switch - some of them ignore the switch position, so this protection has no effect at all, and on other hardware the write protection can be disabled/overridden by software. During tests in our lab the virus did not overwrite Flash BIOS and just halted the computer. We do however have reports from other sources telling that the virus really is able to damage Flash memory.

The trigger routine then overwrites data on all installed hard drives. The virus uses direct disk write calls and bypasses standard BIOS virus protection while overwriting the MBR and boot sectors.

There are three virus versions known, which are very closely related and only differ in a few parts of their code. They have different lengths, texts inside the virus code and trigger dates:

Length  Text             Trigger date                     Found In-The-Wild
1003    CCIH 1.2 TTIT    Activates on April 26th
1010    CCIH 1.3 TTIT    Activates on April 26th
1019    CCIH 1.4 TATUNG  Activates on 26th of any month

Technical details

While infecting a file the virus looks for "caves" in the file body. These caves come from the PE file structure: all file sections are aligned to a value defined in the PE file header, so there are unused blocks of file data between the end of one section and the start of the next. The virus looks for these caves and writes its code into them, then increases the sizes of the sections by the necessary values. As a result the file length is not increased by infection. If there is a single cave of sufficient size, the virus saves its code in one section. Otherwise it splits its code into several parts and saves them to the ends of several sections, so the virus code may be found as a set of pieces rather than as a single block in infected files.

The virus also looks for a cave in the PE header.
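The section caves and the header cave described above, as an added example that is not part of the original advisory and not code from AntiViral Toolkit Pro: a small PE32 header parser in Python that measures the unused slack after each section and between the section table and the first section's raw data, and also checks whether the entry point RVA lies inside any section at all (a normally linked PE never places its entry point in the header, so that is the other structural sign of this infector a scanner can look for). The two-section sample image is constructed inline and is not a real binary; the names `parse_pe`, `cave_sizes`, `entry_point_section`, `entry_point_in_header` and `build_sample_pe` are this example's own. The cave computation is an assumption that approximates the layout the text describes: the gap between the end of a section's real data (its VirtualSize) and the next section's raw offset is treated as the cave.

```python
"""Added example (not from the original advisory): parse a PE32 header and
report the 'caves' (alignment slack) a file infector could hide code in, plus
whether the entry point lies outside every section (i.e. in the header).
All input is a constructed in-memory image, not a real binary."""
import struct


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def parse_pe(data):
    """Return the header fields this example needs from raw PE32 bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = _u32(data, 0x3C)                      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                              # COFF file header (20 bytes)
    nsections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20                                # optional header
    if _u16(data, opt) != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    info = {
        "entry_rva": _u32(data, opt + 16),         # AddressOfEntryPoint
        "section_align": _u32(data, opt + 32),
        "file_align": _u32(data, opt + 36),
        "size_of_headers": _u32(data, opt + 60),
        "sections": [],
    }
    table = opt + opt_size                         # section table, 40 bytes per entry
    for i in range(nsections):
        o = table + 40 * i
        info["sections"].append({
            "name": data[o:o + 8].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": _u32(data, o + 8),            # VirtualSize: length of real data
            "vaddr": _u32(data, o + 12),           # VirtualAddress (RVA)
            "raw_size": _u32(data, o + 16),        # SizeOfRawData: file-aligned length
            "raw_ptr": _u32(data, o + 20),         # PointerToRawData
        })
    info["section_table_end"] = table + 40 * nsections
    return info


def _align_up(n, a):
    return (n + a - 1) // a * a


def entry_point_section(info):
    """Name of the section containing the entry point, or None if no section does."""
    ep = info["entry_rva"]
    for s in info["sections"]:
        size = _align_up(max(s["vsize"], s["raw_size"]), info["section_align"])
        if s["vaddr"] <= ep < s["vaddr"] + size:
            return s["name"]
    return None


def entry_point_in_header(info):
    """True when the entry point RVA maps into the header rather than into a section."""
    return entry_point_section(info) is None and info["entry_rva"] < info["size_of_headers"]


def cave_sizes(info):
    """Unused bytes after each section's real data up to the next section's raw
    offset, plus the slack between the section table and the first section.
    This is an approximation (assumption) of the cave layout the advisory describes."""
    secs = sorted(info["sections"], key=lambda s: s["raw_ptr"])
    first_raw = secs[0]["raw_ptr"] if secs else info["size_of_headers"]
    caves = {"<header>": max(0, first_raw - info["section_table_end"])}
    for i, s in enumerate(secs):
        data_end = s["raw_ptr"] + min(s["vsize"], s["raw_size"])
        if i + 1 < len(secs):
            next_start = secs[i + 1]["raw_ptr"]
        else:
            next_start = s["raw_ptr"] + s["raw_size"]
        caves[s["name"]] = max(0, next_start - data_end)
    return caves


def build_sample_pe(entry_rva):
    """Constructed two-section PE32 image (test data, not a real program)."""
    file_align, sect_align = 0x400, 0x1000
    secs = [(b".text", 0x300, 0x1000, 0x400, 0x400),   # name, vsize, vaddr, raw_size, raw_ptr
            (b".data", 0x120, 0x2000, 0x400, 0x800)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<I", opt, 32, sect_align)
    struct.pack_into("<I", opt, 36, file_align)
    struct.pack_into("<I", opt, 56, 0x3000)                # SizeOfImage
    struct.pack_into("<I", opt, 60, file_align)            # SizeOfHeaders
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in secs)
    img = bytearray(0xC00)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    img[:len(hdr)] = hdr
    for _, vs, _, _, rp in secs:   # fill only the real data, leaving the alignment caves empty
        img[rp:rp + vs] = b"\x90" * vs
    return bytes(img)


if __name__ == "__main__":
    for ep in (0x1000, 0x188):     # normal entry point vs. one redirected into the header cave
        info = parse_pe(build_sample_pe(ep))
        print(hex(ep), "section:", entry_point_section(info),
              "in header:", entry_point_in_header(info), "caves:", cave_sizes(info))
```

Run stand-alone it prints the cave map and the entry-point location for two constructed images, one with its entry point in `.text` and one whose entry point has been redirected into the header slack. A file scanner would apply the same two checks to executables on disk: a header cave of 184 bytes or more is merely the precondition the advisory names, whereas an entry point that maps into the header instead of a section is a concrete anomaly worth flagging.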
If there is an unused block of at least 184 bytes there, the virus writes its startup routine into it. The virus then patches the entry address in the PE header with a value that points to the startup routine placed in the header. This is the same trick that was used in the "Win95.Murkry" virus: the program entry point addresses not a file section but the file header, outside the loadable file data. Despite this, infected programs run with no problems. Windows pays no attention to such "strange" files: it loads the file header into memory, then the file sections, and then passes control to the virus startup routine in the PE header.

When the virus startup routine takes control, it allocates a block of memory using the PageAllocate VMM call, copies itself there, locates the other blocks of virus code and copies them to the allocated block as well. The virus then hooks the system IFS API and returns control to the host program. The most interesting thing in this part of the virus code is that the virus uses quite complex tricks to jump from Ring3 to Ring0: when the virus jumps to the newly allocated memory its code is executed as a Ring0 routine, and the virus is able to hook the file system calls (which is not possible in Ring3, where all user applications run).

The IFS API virus handler intercepts only one function - file opening. When PE .EXE files are opened, the virus infects them, provided there are caves of sufficient size. After infection, the virus checks the file date and calls the trigger routine (see above). While running its trigger routine the virus uses direct access to Flash BIOS ports and VxD direct disk access calls (IOS_SendCommand).

Central Command has made free evaluations of AntiViral Toolkit Pro available for download from its web site at http://www.avp.com. Central Command's Emergency Virus Response Team (EVRT) can provide on-site support within 48 hours anywhere in the continental US.
This specialized team can provide around-the-clock support for virus emergencies and rapid response to new outbreaks. With free weekly updates for new viruses, advanced technology, and support, AntiViral Toolkit Pro is poised to protect consumers with military-grade virus protection.

About Central Command:

Central Command Inc. is a privately held international company headquartered in Brunswick, Ohio, USA. Founded in 1990, the company specializes in antivirus protection products and focuses on serving the industrial marketplace, government, financial and educational institutions, and service industries. For more information about Central Command Inc. visit our web site at http://www.avp.com or contact Renee Barnhardt at reneet_private or (330) 273-2820.

-o-
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]