My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win95.CIH

LOW
MEDIUM
~1K
(Cernobyl)

Symptoms

None









Removal instructions:

  1. If you don't have BitDefender installed click here to download an evaluation version;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win95.Cih.

Analyzed By

Costin Ionescu BitDefender Virus Researcher

Technical Description:

This virus infects executables and is working under Windows 9x systems. It was spreading silently and became in the wild, without showing any payload until the date of 26 April when it writes garbage in the Flash memory and destroys the boot sectors. There are known many versions of this virus, some of them with the payload date modified or even the payload modified or absent.

It hooks a system routine addressed when the files are opened (using a VXD call to IFSMGR.InstallFileSystemApiHook), after it has copied in an allocated memory zone. At every file open the intercepted routine is called (in ring 0) and the virus checks if the file is a PE (Portable Executable). If so, it looks for unused space left between program\'s sections or unused space in header (184 bytes). The unused space is left by the compilers in order to respect the file alignment (a value stored in the PE header). The virus is able to split its body in pieces to fit every piece in those cavities between sections. After copying in this manner his body in the new host, it changes the entry point of the program to point to it's start routine (usually located in the header's unused space). After completing the infection it checks the date to be 26 April and launch (if so) the malicious payload. The payload use some tricks to bypass the Windows protection to be able to erase the BIOS and the boot disk sectors.

Even the virus had bugs (and caused system errors) it remained enough time undetected in many computer until the payload date, destroying those computers.