CIH virus
Is
your computer attacked by CIH (Chernobyl) virus? Report it to
us now.
 Information
about the CIH virus:
Win95.CIH (Also known as CIH, Spacefiller, Win32.CIH) is a new virus
that infects 32-bit Windows 95, Windows 98 and Windows NT executables files
having the .EXE extension. When an infected program is run in a Windows
95 or Windows 98 computer, it infects the computer and becomes memory resident.
The infected program will not work properly on a Windows NT computer. Once
the virus becomes memory resident, it infects all the 32-bit EXE files
opened. So the virus spreads to all files executed and also copied. The
size of the virus code is quite small and it is about 1000 bytes. The virus
will not increase the size of the infected file. It uses an unique method
to copy its code to the infected file. It fills up the unused space available
in the 32-bit EXE file (PE format) with its code. If the virus can not
find a single continuous large enough empty space to copy itself, it will
slice itself up to many pieces and place them in the smaller empty slots.
This virus is also known as Win95.Spacefiller for this behaviour. The virus
alters the header entry point to the beginning of the virus code and builds
the broken up parts to one piece of code when the EXE file is run. The
virus code contains the text "CIH", so it gets this name.
Win95.CIH virus has a dangerous payload that will trigger on the 26th
of April or any month, depending upon the variant of the virus strain.
This virus can damage the contents of the BIOS flash memory chip. Most
of the new computers sold (80486 and later CPUs) have their BIOS programmed
into the flash memory chips. Win95.CIH writes garbage to the flash memory
chip if the chip is write-enabled. Many PC manufacturers leave the flash
memory chip write-enabled. If this happens the computer will become unusable
until the contents of the chip are restored or the motherboard is replaced.
After damaging the BIOS the virus also makes the data in all the hard disks
unreadable. Win95.CIH bypasses all types of BIOS protection mechanisms
to do its destructive job. Because of these characteristics this is surely
one of the most damaging virus.
CIH virus first appeared in June 1998 and it is in the wild.
Variants
of CIH virus:
There are three variants (1.2, 1.3 and 1.4) of Win95.CIH virus. These
variants can be identified from the text string present in the virus code.
The variants 1.2 and 1.4 are reported to be in the wild and spreading.
Win95.CIH.1.2 and 1.3 do the damage on 26th of April only and Win95.CIH.1.4
does it on the 26th every month. Win95.CIH.1.4 is also the most frequently
reported variant.
Other
names of CIH virus:
This worm is also known as Win95/CIH
and Space Filler.
Removing
CIH virus from your computer:
You can remove this virus from your computer by using Protector Plus
antivirus software.
Click
here to download a 30 day Evaluation Copy of
Protector Plus for your operating system
You may also use the CleanCIH.EXE
program that is made specially to remove the CIH virus.
|
