Dane
RE: Block checkers
To solve the CIH Virus Dispute in his sig, see my quote from "Symantec Security Response", as well as the links I collected.
quote: Originally posted by Symantec Security Response USA
Due to decreased submissions, Symantec Security Response has downgraded this threat level to 2 from 3 as of March 30, 2004.
The CIH virus, also known as Chernobyl, was first discovered in June 1998 in Taiwan. According to the Taipei authorities, Chen Ing-hau wrote the CIH virus. The name of the virus derived from his initials.
CIH is a destructive virus with a payload that destroys data. On April 26, 1999, the payload triggered for the first time, causing many computer users to lose their data. In Korea, it was estimated that as many as one million computers were affected, resulting in more than $250 million in damages.
Although the virus is rather old, Symantec still believes the virus is in the wild and may cause damage to computer users who use outdated virus definitions, or who do not use antivirus software.
Also Known As: Chernobyl, PE_CIH, Win95.CIH, Win32.CIH, W95/CIH.1003, CIH.Spacefiller
Type: Virus
Infection Length: Up to 1KB
Systems Affected: Windows 95, Windows 98, Windows Me
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 2000, Windows NT, Windows XP
Payload Trigger: W95.CIH V1.2 and V1.3 (April 26), W95.CIH V1.4 (26th of any month)
Payload: Destroys data and causes possible damage to CMOS
CIH is a virus that infects the 32-bit Windows 95/98/NT executable files, but can function only under Windows 95/98 and ME. It does not function under Windows NT or Windows 2000. When an infected program is run under Windows 95/98/ME, the virus becomes resident in memory. To remove the virus, do one of the following:
Recommended method: Use the Symantec Security Response CIH Removal Tool, which removes the virus from memory and prevents the need to reboot from a clean system disk.
Reboot the computer from a Rescue Disk.
Reboot the computer from the Norton AntiVirus (NAV) 2001/2002 CD, if your computer allows this option.
If this is not done, the virus will infect every file scanned with Norton AntiVirus or with any antivirus program.
Although Windows NT system files can be infected, the virus cannot become resident or infect files on a computer running Windows NT or Windows 2000. The virus does not function under DOS, Windows 3.1, or on Macintosh computers. Once the virus is resident, the CIH virus infects other files when accessed.
The files infected by CIH may have the same size as the original files, due to the unique infection mode of CIH. The virus searches for empty, unused spaces in the file. Next, it breaks itself up into smaller pieces and inserts its code into these unused spaces. When NAV repairs a file infected by CIH, it looks for these small viral pieces and removes them from the file.
As of April, 1999, three known, similar variants of this virus exist. CIH versions 1.2 and 1.3 have a payload that will trigger on April 26, commemorating Chernobyl, the Soviet nuclear disaster, which occurred on April 26, 1986. CIH version 1.4 has a payload that will trigger on the 26th of any month. The payloads of all the versions of CIH are the same.
The first payload overwrites the hard disk with random data, starting at the beginning of the disk (sector 0) using an infinite loop. The overwriting of the sectors does not stop until the system has crashed. As a result, the computer will not boot from the hard disk or floppy disk. Also, the data that has been overwritten on the hard disk will be very difficult or impossible to recover. You must restore the data from backups.
The second payload tries to cause permanent damage to the computer. This payload attacks the Flash BIOS (a part of your computer that initializes and manages the relationships and data flow between the system devices, including the hard drive, serial and parallel ports, and the keyboard) and tries to corrupt the data stored there. As a result, nothing may be displayed when you start the computer. A computer technician would need to fix this.
Also, I have included a list of links related to ALL variants of the CIH virus.
W95.CIH: http://securityresponse.symantec.com/avcenter/venc/data/cih.html
W95.CIH.1049: http://securityresponse.symantec.com/avcenter/ven.../w95.cih.1049.html
W95.CIH.1106: http://securityresponse.symantec.com/avcenter/ven.../w95.cih.1106.html
W95.CIH.1094: http://securityresponse.symantec.com/avcenter/ven.../w95.cih.1094.html
W95.CIH.Remnants: http://securityresponse.symantec.com/avcenter/ven....cih.remnants.html
W95.CIH.Corrupt: http://securityresponse.symantec.com/avcenter/ven...5.cih.corrupt.html
W95.CIH.Damaged: http://securityresponse.symantec.com/avcenter/ven...5.cih.damaged.html
W95.CIH Removal Tool (Kill CIH): http://securityresponse.symantec.com/avcenter/venc/data/kill.cih.html
</resident virus geek>
This post was edited on 09-14-2004 at 12:56 AM by Dane.
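Added example, not part of the original post or of the Symantec write-up: because the quoted description says an infected file can keep its original size when code is placed in unused space, a size comparison is not a useful check, so this Python code lists the padding regions of a PE file and counts the non-zero bytes in each. Treating header padding and per-section raw-data padding as the "unused spaces" is an assumption, `pe_cavities` and `build_sample` are hypothetical names, and the sample buffer is constructed for the demonstration.

```python
import struct

def pe_cavities(data: bytes):
    """Return (name, file_offset, length, nonzero_count) for each padding region."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)         # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (nsect,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first section header
    regions, first_raw = [], len(data)
    for i in range(nsect):
        name, vsize, _va, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        if rsize == 0:
            continue                                           # no bytes on disk
        first_raw = min(first_raw, rptr)
        if 0 < vsize < rsize:                                  # alignment padding
            label = name.rstrip(b"\0").decode("latin-1")
            regions.append((label, rptr + vsize, rsize - vsize))
    header_end = table + 40 * nsect
    if first_raw > header_end:                                 # gap after the headers
        regions.insert(0, ("<headers>", header_end, first_raw - header_end))
    return [(n, off, ln, sum(b != 0 for b in data[off:off + ln]))
            for n, off, ln in regions]

def build_sample(filler: bytes = b"") -> bytes:
    """Constructed PE-shaped buffer (not loadable): one .text section that
    uses 0x10 of its 0x200 raw bytes; `filler` is written into the padding."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x46, 1)        # NumberOfSections
    struct.pack_into("<H", img, 0x54, 0xE0)     # SizeOfOptionalHeader
    struct.pack_into("<8sIIII", img, 0x138, b".text", 0x10, 0x1000, 0x200, 0x200)
    img[0x200:0x210] = b"\x90" * 0x10           # the section's real content
    img[0x210:0x210 + len(filler)] = filler     # constructed bytes in the padding
    return bytes(img)

if __name__ == "__main__":
    for title, sample in (("clean", build_sample()),
                          ("modified", build_sample(b"\xCC" * 32))):
        print(title, len(sample), pe_cavities(sample))
```

Non-zero bytes in padding are a reason to compare the file against a known-good copy, not proof of infection.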