Win95.CIH.based

This is a Windows 95/98-specific parasitic virus that infects Windows PE
(Portable Executable) files; it is about 1 Kbyte long. The virus was found
in the wild in Taiwan in June 1998. It was released by its author at the
local university where he was studying at the time, and was then
(accidentally?) posted to a local Internet conference, which carried the
virus out of Taiwan: within a week it was found in Austria, Australia,
Israel and the United Kingdom, and was also reported from several other
countries (Switzerland, Sweden, USA, Russia, Chile, etc.).
About a month later, infected files were accidentally put on several Web
sites in the USA (game software distribution sites), which caused a global
epidemic. About a year after the virus appeared, on April 26th 1999, the
bomb in the virus code went off and caused a computer catastrophe. About
half a million computers were damaged by the infection: all of them lost
the data on their hard drives, and many of them also had the Flash BIOS
chip on the motherboard destroyed (in addition to the damaged hard
drives). This was the major incident of its kind: no global computer
incident of such scale had been known before.
Because the bomb day fell on the anniversary of the Chernobyl catastrophe,
which shocked the world on April 26th 1986, the virus, already known as
CIH, got its second name: Chernobyl.
Despite this, the virus author did not link his bomb to Chernobyl (maybe
he had never heard the name before). It seems the bomb day was selected
for another reason: the first virus version (which fortunately never left
Taiwan) was released on April 26th 1998, so the virus celebrated its
birthday on April 26th 1999.
How the virus works
The virus installs itself into Windows memory, hooks the file access calls
and infects EXE files as they are opened. Depending on the system date
(see below) the virus runs its trigger routine. The virus has bugs and in
some cases halts the computer when an infected application is run.
The virus trigger routine operates on the Flash BIOS ports and tries to
overwrite the Flash memory with garbage. This is only possible if the
motherboard and chipset allow writes to the Flash memory. Usually writing
to Flash memory can be disabled by a DIP switch or jumper, but this
depends on the motherboard design. Unfortunately, there are modern
motherboards that cannot be protected by a DIP switch at all, and some
of them ignore the switch position, so the protection has no effect.
Other motherboard designs provide a write protection that can be
disabled or overridden by software.
The trigger routine then overwrites data on all installed hard drives. The
virus uses direct disk write calls for this, and so bypasses the standard
BIOS virus protection while overwriting the MBR and boot sectors: that
protection only watches BIOS INT 13h writes to the boot sectors, whereas
under Windows 95/98 the virus's disk I/O goes through the Windows disk
driver layer and never passes through the BIOS.
There are three original virus versions known, which are very closely
related and differ only in a few parts of their code. They have different
lengths, text strings inside the virus code and trigger dates:

Length   Text              Trigger date          Found in the wild
1003     CIH 1.2 TTIT      April 26th            YES
1010     CIH 1.3 TTIT      April 26th            NO
1019     CIH 1.4 TATUNG    26th of any month     YES - many reports
Technical details
While infecting a file the virus looks for caves in the file body. These
caves are a result of the PE file structure: all file sections are aligned
to a value defined in the PE file header, so there are unused blocks of
file data between the end of one section's data and the start of the next.
The virus looks for these caves and writes its code into them, then
increases the sizes of the sections by the necessary values. As a result
the file length does not change on infection.
If there is a cave of sufficient size, the virus stores its code in one
section. Otherwise it splits its code into several parts and saves them at
the ends of several sections. As a result the virus code may be found as a
set of pieces, not as a single block, in infected files.
The virus also looks for a cave in the PE header. If there is an unused
block of at least 184 bytes, the virus writes its startup routine there
and patches the entry address in the PE header with a value that points
to that startup routine in the header. This is the same trick that was
used by the Win95.Murkry virus: the program entry point does not point
into any file section, but into the file header, outside the loadable
section data. Despite this, infected programs run with no problems:
Windows does not pay attention to such strange files, loads the file
header into memory, then the file sections, and then passes control to
the virus startup routine in the PE header.
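The cave search and the header entry point described above, shown as an added example that is not part of the original description and is not the virus's own code: a small Python checker that parses a PE32 image, lists the unused file space in the same two places (the gap after the section table inside the header area, and the padding tail of each section) and flags an entry point that lands in the header rather than in any section. The sample image is constructed in memory, the 184-byte threshold is taken from the text, and measuring a section's slack as SizeOfRawData minus VirtualSize is an assumption about how the virus measured caves, since the page does not give the exact calculation.

```python
import struct

STARTUP_MIN = 184  # smallest header cave the text says the startup routine needs


def build_sample(entry_rva, file_align=0x200, sect_align=0x1000):
    """Constructed PE32 image (not a real program): two sections, a 0x200-byte
    header area and whatever entry point RVA the caller asks for."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [(b".text", 0x2C0, 0x1000, 0x400, 0x200),
                (b".data", 0x100, 0x2000, 0x200, 0x600)]
    opt_size = 0xE0                                     # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x010E)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<I", opt, 60, 0x200)              # SizeOfHeaders
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    image = bytearray(0x800)
    header = dos + b"PE\0\0" + coff + bytes(opt) + table
    image[:len(header)] = header
    return bytes(image)


def parse_pe(data):
    """Read the few PE32 header fields the cave and entry-point checks need."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (Win9x-era) images are handled")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    file_align = struct.unpack_from("<I", data, opt + 36)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"entry": entry, "file_align": file_align, "size_of_headers": size_of_headers,
            "table_end": table + 40 * nsec, "sections": sections}


def find_caves(pe):
    """Unused file space in the two places the text names: after the section
    table inside the header area, and the alignment padding at each section's
    end (assumed here to be SizeOfRawData - VirtualSize).  Returns
    (owner, file offset, size) triples."""
    caves = []
    first_raw = min((s["rawptr"] for s in pe["sections"] if s["rawsize"]),
                    default=pe["size_of_headers"])
    header_cave = min(first_raw, pe["size_of_headers"]) - pe["table_end"]
    if header_cave > 0:
        caves.append(("header", pe["table_end"], header_cave))
    for s in pe["sections"]:
        slack = s["rawsize"] - s["vsize"]
        if slack > 0:
            caves.append((s["name"], s["rawptr"] + s["vsize"], slack))
    return caves


def entry_in_header(pe):
    """True when AddressOfEntryPoint lies outside every section but inside the
    mapped header area: the Murkry/CIH entry-point trick."""
    e = pe["entry"]
    for s in pe["sections"]:
        if s["va"] <= e < s["va"] + max(s["vsize"], s["rawsize"]):
            return False
    return e < pe["size_of_headers"]


def scan(data, startup_size=STARTUP_MIN):
    """Summarise what an infector like CIH would find in this image."""
    pe = parse_pe(data)
    caves = find_caves(pe)
    header_cave = next((size for owner, _, size in caves if owner == "header"), 0)
    return {"entry_in_header": entry_in_header(pe),
            "header_cave": header_cave,
            "header_fits_startup": header_cave >= startup_size,
            "section_cave_total": sum(size for owner, _, size in caves if owner != "header"),
            "caves": caves}


if __name__ == "__main__":
    for label, rva in (("entry in .text", 0x1000), ("entry patched into header", 0x188)):
        print(label, scan(build_sample(rva)))
```

On the constructed image the header cave is 120 bytes, below the 184-byte threshold, so a CIH-style infector could not put its startup routine there, while the two sections together leave 576 bytes of padding; pointing the entry RVA at 0x188 (just past the section table) is what makes the second sample trip the header check. Real files need the same parse with PE32+ and bounds checking added before trusting any field.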
When the virus startup routine takes control, it allocates a block of
memory with the PageAllocate VMM call, copies itself there, locates the
other blocks of virus code and copies them into the allocated block as
well. The virus then hooks the system IFS API and returns control to the
host program.
The most interesting part of this code is that the virus uses fairly
complex tricks to jump from Ring3 to Ring0: when the virus jumps to the
newly allocated memory, its code is executed as a Ring0 routine, and so
the virus is able to hook the file system calls (which is not possible
from Ring3, where all user applications run).
The virus IFS API handler intercepts only one function: file opening.
When PE .EXE files are opened, the virus infects them, provided there
are caves of sufficient size. After infection, the virus checks the
system date and calls the trigger routine (see above).
While running its trigger routine the virus uses direct access to the
Flash BIOS ports and VxD direct disk access calls (IOS_SendCommand).
Other known virus versions
The original virus author released into the wild not only the virus code
in infected EXE files, but the virus source (assembler) code as well. This
source code was patched and recompiled, and new virus versions appeared
as a result. Most of these versions are buggy and unable to replicate, but
others do replicate. All of them are very close to the original viruses,
with only a few differences. The main difference is that the bomb date was
changed, so the new variants either erase data and the Flash BIOS on
other days, or never call this routine at all.
There are also original versions of the virus patched to have other bomb
days. The reason this is possible is very simple: the virus checks the
trigger date by comparing the current day and month numbers with two
constants (two bytes). By patching these constants it is possible to
select any day on which the virus will destroy computers.