[ISN] Warning: New Virus (Win95.CIH) - Potentially Damages BIOS

From: mea culpa (jerichot_private)
Date: Wed Jul 22 1998 - 12:05:41 PDT


    June 27, 1998
    
    Renee Barnhardt
    Central Command Inc.
    330-273-2820
    reneet_private
    
    Central Command Warns Windows 95 and Windows 98 Users of New Virus
    Epidemic
    
    Central Command, the US distributor of AntiViral Toolkit Pro, is warning
    all current Windows 95 and Windows 98 users of a new, fast-spreading
    computer virus named Win95.CIH.  This new, advanced virus has been
    reported to have infected computers worldwide and appears to be
    undetectable by most antivirus products. 
    
    The virus first appeared in Taiwan at the beginning of June and carries a
    particularly lethal payload.  It can overwrite the system startup code
    required to start the computer and erase the BIOS, destroying the data and
    leaving the PC unusable. 
    
    Eugene Kaspersky, chief virus researcher behind AntiViral Toolkit Pro,
    stated that "most antivirus developers will have to re-engineer their
    applications to effectively detect and remove this virus, similar to what
    first happened when the first Microsoft Word virus "Concept" appeared back
    in 1995." 
    
    Virus Description
    
    This is a Windows 95 specific parasitic PE (Portable Executable) file
    infector about 1 Kbyte in length.  This virus was found "in the wild" in
    Taiwan in June 1998 - it was posted by the virus author to a local
    Internet conference as a utility.  Within a week the virus was found in
    Austria, Australia, Israel and the United Kingdom, and was also reported from
    several other countries (Switzerland, Sweden, USA, Russia, and the list
    keeps growing).  The virus installs itself into Windows memory, hooks
    file access calls and infects EXE files that are opened.  Depending on the
    system date (see below) the virus runs its trigger routine.  The virus has
    some bugs and in some cases halts the computer when an infected application
    is run.  The virus' trigger routine operates with Flash BIOS ports and
    tries to overwrite Flash memory with "garbage".  This is possible only if
    the motherboard and chipset allow writing to Flash memory.  Usually writing
    to Flash memory can be disabled by a DIP switch; however, this depends on
    the motherboard design.  Unfortunately, there are modern motherboards that
    cannot be protected by a DIP switch - some of them ignore the switch
    position so this protection has no effect at all, and on other hardware
    the write protection can be disabled or overridden by software.  During tests in
    our lab the virus did not overwrite the Flash BIOS and just halted the
    computer.  We do, however, have reports from other sources stating that the
    virus really is able to damage Flash memory.  The trigger routine then
    overwrites data on all installed hard drives.  The virus uses direct disk
    write calls and bypasses the standard BIOS virus protection while overwriting
    the MBR and boot sectors.  There are three known virus versions, which are
    very closely related and differ only in a few parts of their code.  They
    have different lengths, texts inside the virus code and trigger dates: 
    Length  Text              Trigger date                    Found In-The-Wild
    1003    CCIH 1.2 TTIT     Activates on April 26th
    1010    CCIH 1.3 TTIT     Activates on April 26th
    1019    CCIH 1.4 TATUNG   Activates on 26th of any month
    
    Technical details
    
    While infecting a file the virus looks for "caves" in the file body. 
    These caves come from the PE file structure:  all file sections are aligned
    by a value that is defined in the PE file header, so there are unused blocks
    of file data between the end of one section and the start of the next.  The virus
    looks for these caves and writes its code into them, then increases the
    sizes of the sections by the necessary values.  As a result the file
    length is not increased by infection.  If there is a single cave of
    sufficient size, the virus saves its code in one section.  Otherwise it splits
    its code into several parts and saves them at the end of several
    sections, so in infected files the virus code may be found as a set of
    pieces rather than a single block.  The virus also looks for a cave in the PE
    header.  If there is an unused block of at least 184 bytes there, the virus
    writes its startup routine into it.  The virus then patches the entry
    address in the PE header with a value that points to the startup routine
    placed in the header.  This is the same trick that was used in the
    "Win95.Murkry" virus: the program entry point addresses not a file section
    but the file header, outside the loadable file data.  Despite this,
    infected programs run with no problems.  Windows pays no attention to
    such "strange" files: it loads the file header into memory, then the file
    sections, then passes control to the virus startup routine in the PE header. 
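    A defender-side illustration of the layout described above, added here and not part of the advisory or of AntiViral Toolkit Pro: it builds a constructed minimal PE32 image (sample data, not a real binary), measures the unused file slack ("caves") between the headers and the section data, and flags an entry point that lies in the header rather than in any section. The 184-byte figure is the advisory's; everything else (function names, the sample layout) is an assumption of this example.

```python
import struct

def build_pe(entry_rva, first_raw_ptr=0x400, raw_size=0x200):
    """Constructed minimal PE32 image with one .text section (test data, not a
    real program); entry_rva selects where AddressOfEntryPoint points."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    # Optional header: magic, linker ver, code sizes, entry point, bases, ...
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, raw_size, 0, 0, entry_rva, 0x1000, 0x1000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0,
                       4, 0, 0, 0x2000, first_raw_ptr, 0, 2, 0, 0, 0, 0, 0, 0, 16)
    opt += b"\0" * 128                                 # 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size,
                       first_raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + opt + sect
    return hdr + b"\0" * (first_raw_ptr - len(hdr)) + b"\xC3" * raw_size

def analyze_pe(data):
    """Parse the PE headers; report the header cave, the caves between sections,
    and whether the entry point sits in the header instead of a section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 40)[0]          # AddressOfEntryPoint
    size_of_headers = struct.unpack_from("<I", data, pe + 84)[0]
    off = pe + 24 + opt_size                                    # section table start
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    # Caves: unused file bytes after the section table and after each section's
    # raw data, before the next section's raw data begins (alignment slack).
    by_ptr = sorted(sections, key=lambda s: s[3])
    caves = {"header": by_ptr[0][3] - (off + 40 * nsect) if by_ptr else 0}
    for cur, nxt in zip(by_ptr, by_ptr[1:]):
        caves[cur[0]] = nxt[3] - (cur[3] + cur[4])
    in_section = any(va <= entry < va + max(vsize, rsize) for _, va, vsize, _, rsize in sections)
    return {"entry_rva": entry, "caves": caves,
            "header_cave_fits_cih_stub": caves["header"] >= 184,   # advisory's figure
            "entry_in_header": entry < size_of_headers and not in_section}

if __name__ == "__main__":
    for rva in (0x1000, 0x160):      # clean entry point vs. entry point in the header
        print(hex(rva), analyze_pe(build_pe(rva)))
```

The second sample file reproduces only the suspicious layout (entry point inside the header cave), which is the indicator a scanner can check without any virus code being present.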
    
    When the virus startup routine takes control, it allocates a block of
    memory using the PageAllocate VMM call, copies itself there, locates the
    other blocks of virus code and copies them to the allocated block of
    memory as well.  The virus then hooks the system IFS API and returns control to the
    host program.  The most interesting thing in this part of the virus code
    is that the virus uses quite complex tricks to jump from Ring3 to Ring0: 
    when the virus jumps to the newly allocated memory its code is executed
    as a Ring0 routine, and the virus is able to hook the file system calls (this
    is not possible in Ring3, where all user applications run). 
    
    The IFS API virus handler intercepts only one function - file opening. 
    When PE .EXE files are opened, the virus infects them, provided there are
    caves of sufficient size.  After infection, the virus checks the system date and
    calls its trigger routine (see above).  While running its trigger routine the
    virus uses direct access to the Flash BIOS ports and VxD direct disk access
    calls (IOS_SendCommand). 
    
    Central Command has made free evaluations of AntiViral Toolkit Pro
    available for download from their web site at http://www.avp.com. 
    
    Central Command's Emergency Virus Response Team (EVRT) can provide on-site
    support within 48 hours anywhere in the continental US. This specialized
    team can provide around the clock support for virus emergencies and rapid
    response to new outbreaks.  With free weekly updates for new viruses,
    advanced technology, and support, AntiViral Toolkit Pro is poised to
    protect consumers with Military grade virus protection. 
    
    About Central Command:  Central Command Inc. is a privately held
    international company headquartered in Brunswick, Ohio, USA.  Founded in
    1990, the company specializes in antivirus protection products and focuses
    on serving the industrial marketplace, government, financial and educational
    institutions, and service industries. 
    
    For more information about Central Command Inc. visit our web site at
    http://www.avp.com or contact Renee Barnhardt at reneet_private or (330) 
    273-2820. 
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:29 PDT