
List:       isn
Subject:    [ISN] Warning: New Virus (Win95.CIH) - Potentially Damages BIOS
From:       mea culpa <jericho () dimensional ! com>
Date:       1998-07-22 19:05:41


June 27, 1998

Renee Barnhardt
Central Command Inc.
330-273-2820
renee@avp.com

Central Command Warns Windows 95 and Windows 98 Users of New Virus Epidemic

Central Command, the US distributor of AntiViral Toolkit Pro, is warning
all current Windows 95 and Windows 98 users of a new, fast-spreading
computer virus named Win95.CIH.  This new advanced virus has been
reported to have infected computers worldwide and appears to be
undetectable by most antivirus products. 

The virus first appeared in Taiwan at the beginning of June and carries a
particularly lethal payload.  It can overwrite the system startup
programs required to start the computer and erase the BIOS, thus destroying
the data and leaving the PC helpless. 

Eugene Kaspersky, chief virus researcher behind AntiViral Toolkit Pro,
stated that "most antivirus developers will have to re-engineer their
applications to effectively detect and remove this virus, similar to what
happened when the first Microsoft Word virus "Concept" appeared back
in 1995." 

Virus Description

This is a Windows 95 specific parasitic PE (Portable Executable) file
infector about 1 Kbyte in length.  This virus was found "in-the-wild" in
Taiwan in June 1998 - it was posted by the virus author to a local
Internet conference as a utility.  Within a week the virus was found in
Austria, Australia, Israel and the United Kingdom, and was also reported
from several other countries (Switzerland, Sweden, USA, Russia, and the
list keeps growing).  The virus installs itself into Windows memory, hooks
file access calls and infects EXE files that are opened.  Depending on the
system date (see below) the virus runs its trigger routine.  The virus has
some bugs and in some cases halts the computer when an infected application
is run.  The virus' trigger routine operates on the Flash BIOS ports and
tries to overwrite Flash memory with "garbage".  This is possible only if
the motherboard and chipset allow writing to Flash memory.  Usually writing
to Flash memory can be disabled by a DIP switch; however, this depends on
the motherboard design.  Unfortunately, there are modern motherboards that
cannot be protected by a DIP switch: some of them ignore the switch
position, so this protection has no effect at all, and on other hardware
the write protection can be disabled or overridden by software.  During
tests in our lab the virus did not overwrite the Flash BIOS and just halted
the computer.  We do, however, have reports from other sources stating that
the virus really is able to damage Flash memory.  The trigger routine then
overwrites data on all installed hard drives.  The virus uses direct disk
write calls and bypasses the standard BIOS virus protection while
overwriting the MBR and boot sectors.  There are three known virus
versions, which are very closely related and differ only in a few parts of
their code.  They have different lengths, texts inside the virus code and
trigger dates: 

  Length  Text              Trigger date                    Found In-The-Wild
  ------  ----------------  ------------------------------  -----------------
  1003    CCIH 1.2 TTIT     Activates on April 26th
  1010    CCIH 1.3 TTIT     Activates on April 26th
  1019    CCIH 1.4 TATUNG   Activates on 26th of any month

Technical details

While infecting a file the virus looks for "caves" in the file body. 
These caves come from the PE file structure: all file sections are aligned
to a value defined in the PE file header, so there are unused blocks of
file data between the end of one section and the start of the next.  The
virus looks for these caves and writes its code into them, then increases
the sizes of the sections by the necessary values.  As a result the file
length is not increased by infection.  If there is a cave of sufficient
size, the virus stores its code in one section.  Otherwise it splits its
code into several parts and stores them at the end of several sections, so
in infected files the virus code may be found as a set of pieces rather
than as a single block.  The virus also looks for a cave in the PE header. 
If there is an unused block of at least 184 bytes, the virus writes its
startup routine there.  The virus then patches the entry address in the PE
header with a value that points to the startup routine placed in the
header.  This is the same trick that was used in the "Win95.Murkry" virus:
the program entry point addresses not a file section but the file header,
outside the loadable file data.  Despite this, infected programs run with
no problems.  Windows does not pay attention to such "strange" files: it
loads the file header into memory, then the file sections, then passes
control to the virus startup routine in the PE header. 
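The two structural anomalies described above (padding "caves" left by section alignment, and an entry point that falls inside the PE header rather than in any section) can both be measured from the PE headers alone.  The following scanner is an added example written for this post, not code from Central Command or AVP; it parses a PE32 image and reports the header cave size, the per-section slack, and whether AddressOfEntryPoint lies outside every section.  The sample image it builds in memory is constructed for the demo, and the 184-byte threshold is the one quoted in the text above.

```python
import struct

SECTION_HDR = 40        # size of one IMAGE_SECTION_HEADER entry
MIN_HEADER_CAVE = 184   # smallest header cave the text says the virus needs

def analyze_pe(data):
    """Report the caves CIH looks for and the header-entry-point anomaly (hypothetical helper)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sec_table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = sec_table + i * SECTION_HDR
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, vaddr, rawsize))
    # unused bytes between the end of the section table and the first section's data
    header_cave = size_of_headers - (sec_table + num_sections * SECTION_HDR)
    # per-section slack: the raw block is padded to FileAlignment beyond the real data
    slack = {n: raw - min(vs, raw) for n, vs, _, raw in sections}
    in_section = any(va <= entry_rva < va + max(vs, raw) for _, vs, va, raw in sections)
    return {"header_cave": header_cave, "header_cave_usable": header_cave >= MIN_HEADER_CAVE,
            "section_slack": slack, "entry_outside_sections": not in_section}

def build_sample_pe(entry_rva):
    """Construct a minimal PE32 image with one .text section (constructed demo data, not a real binary)."""
    file_align, size_of_headers, e_lfanew = 0x200, 0x400, 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 32, 0x1000)           # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)       # FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)  # SizeOfHeaders
    # .text: 0x30 bytes of real code inside a 0x200-byte file-aligned raw block at 0x400
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x30, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    headers += b"\0" * (size_of_headers - len(headers))
    return headers + b"\xC3" * 0x30 + b"\0" * (0x200 - 0x30)
```

`analyze_pe(build_sample_pe(0x1000))` describes a clean file with a 672-byte header cave and 464 bytes of slack in .text; `analyze_pe(build_sample_pe(0x160))` flags an entry point that points into the header, the pattern the text attributes to Win95.CIH and Win95.Murkry.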

When the virus startup routine takes control, it allocates a block of
memory using the PageAllocate VMM call, copies itself there, locates the
other blocks of virus code and copies them to the allocated block of
memory as well.  The virus then hooks the system IFS API and returns
control to the host program.  The most interesting thing in this part of
the virus code is that the virus uses quite complex tricks to jump from
Ring3 to Ring0: when the virus jumps to the newly allocated memory its
code is executed as a Ring0 routine, and the virus is able to hook the
file system calls (this is not possible in Ring3, where all user
applications run). 

The IFS API virus handler intercepts only one function: file opening. 
When PE .EXE files are opened, the virus infects them, provided there are
caves of sufficient size.  After infection, the virus checks the file date
and calls the trigger routine (see above).  While running its trigger
routine the virus uses direct access to the Flash BIOS ports and VxD direct
disk access calls (IOS_SendCommand). 

Central Command has made free evaluations of AntiViral Toolkit Pro
available for download from their web site at http://www.avp.com. 

Central Command's Emergency Virus Response Team (EVRT) can provide on-site
support within 48 hours anywhere in the continental US. This specialized
team can provide around the clock support for virus emergencies and rapid
response to new outbreaks.  With free weekly updates for new viruses,
advanced technology, and support, AntiViral Toolkit Pro is poised to
protect consumers with military-grade virus protection. 

About Central Command:  Central Command Inc. is a privately held
international company headquartered in Brunswick, Ohio, USA.  Founded in
1990, the company specializes in antivirus protection products and focuses
on serving the industrial marketplace, government, financial and educational
institutions, and service industries. 

For more information about Central Command Inc. visit our web site at
http://www.avp.com or contact Renee Barnhardt at renee@avp.com or
(330) 273-2820. 


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
