Threat Encyclopedia


Win95/CIH

This virus probably originates from Taiwan. It infects files in the Portable Executable (PE) format, the executable format used by Windows 95, Windows 98 and Windows NT. The virus spread widely after it was deliberately planted in a pirated copy of the game MechCommander released by the warez group DIVINE, and in a "trainer" utility for the game Mortal Kombat 4 released by the group Warrior. According to unverified reports, the "trainer" utilities for the games Ancient Evil and Pinball Soccer 98 may also be infected. The virus exploits a weakness in Windows that lets it cross the barrier between the privilege level of ordinary programs (ring 3) and the privilege level of the operating system kernel (ring 0, the highest privilege). When infecting a file the virus writes itself into unused space in the PE header, so the length of an infected file does not change. If the header contains enough free space the virus stores itself there in one piece; otherwise it splits itself into smaller fragments. Files are infected when they are opened. Three variants of the virus have been identified so far; they differ in the plain-text marker visible in an infected file:

CIH v1.2 TTIT
CIH v.1.3 TTIT
CIH v.1.4 TATUNG
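
The two traits described above, code hidden in unused PE header space and a visible variant marker, can both be checked without running the file. The following is an added example (not ESET's or NOD32's code): it parses a PE header, counts non-zero bytes in the gap between the section table and the first section's raw data, and searches for the three marker strings listed above. The minimal PE image it builds for testing is constructed for illustration and is not a real program.

```python
import struct

# Marker strings quoted in the encyclopedia entry for the three known variants.
CIH_MARKERS = (b"CIH v1.2 TTIT", b"CIH v.1.3 TTIT", b"CIH v.1.4 TATUNG")

def header_slack(pe):
    """Locate the unused bytes between the end of the section table and the
    first section's raw data. Returns (start, end), or None for non-PE input."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                  # COFF file header
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                         # section table start
    table_end = table + 40 * nsect                       # 40-byte section headers
    raw_ptrs = [struct.unpack_from("<I", pe, table + 40 * i + 20)[0]  # PointerToRawData
                for i in range(nsect)]
    first_raw = min((p for p in raw_ptrs if p), default=len(pe))
    return table_end, max(first_raw, table_end)

def scan_pe(pe):
    """Count non-zero bytes in the header slack (a clean linker leaves it zeroed)
    and report which CIH marker string, if any, appears in the file."""
    region = header_slack(pe)
    if region is None:
        return None
    start, end = region
    nonzero = sum(1 for b in pe[start:end] if b)
    marker = next((m for m in CIH_MARKERS if m in pe), None)
    return {"slack_size": end - start, "slack_nonzero": nonzero,
            "marker": marker.decode() if marker else None}

def build_sample_pe(slack_payload=b""):
    """Constructed minimal PE32 image for testing: DOS header, PE header, one
    section whose raw data starts at 0x200, and header slack optionally filled."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)              # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    slack = bytearray(0x200 - len(hdr))                  # normally all zeros
    payload = slack_payload[:len(slack)]
    slack[:len(payload)] = payload
    return hdr + bytes(slack) + b"\xC3" * 0x200          # dummy section body
```

Non-zero bytes in the header slack are only a heuristic (some packers and signing tools use that space too), so treat a hit as a reason to inspect the file, not as a verdict on its own.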

The virus contains a destructive routine that is triggered on the 26th day of the month; in some variants the destruction is limited to particular months. The virus attempts to overwrite the contents of the flash BIOS (present in all newer computers), which can leave the computer unable to start at all. At the same time as modifying the flash BIOS, the virus overwrites data on the hard disk.
The virus is detected and removed by NOD32 version 1.07 and later.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way, in any form or by any means, without prior permission.