Alfa Romeo/Alfa Romeo Digest Archive


PE_CIH Virus due to strike 26 July!



The following IS NOT A HOAX! I have confirmed the existence of
the PE_CIH virus with Norton. If you have Norton Antivirus
software, update your virus detection files today and scan your
hard drive for viruses.

Below is a notice sent out by the University of Texas regarding
this virus.

Bernie

=================================================================

Win32/CIH virus ALERT

IMPORTANT: Anyone running Microsoft Windows 95 or Windows 98 should heed
this notice.

This June, a new virus called Win32/CIH (or PE_CIH) first appeared, and it
has now been discovered on campus machines. The virus infects Windows 95 and
Windows 98 executable files (PE format), but NOT files on Windows NT or any
Macintosh computer.

Win32/CIH viruses can split up the body of the virus code and place it
within unused parts of the infected file. The viruses contain highly
destructive code, which triggers on the 26th of any month. On the 26th (this
Sunday is 26 July), the virus code attempts to overwrite the flash-BIOS in
infected machines. If the flash-BIOS is write-enabled, and most modern
computers have a writable flash-BIOS, the overwriting renders the machine
UNUSABLE because it will no longer boot. Any hardware damage caused by the
virus is not covered under manufacturer's warranties. At the same time, the
disk partition information is destroyed.


The Win32/CIH virus was triggered in a test using a Windows 95 system.
After the computer's date rolled over to 26 July, all disk partitioning
information was lost, leaving the system unbootable and the data
unrecoverable. No known tools are available to help save lost work, but
analysts are searching.

This virus has been discovered on computers in several campus labs,
including the Windows 95 systems in the Student Microcomputer Facility. If
you have used a diskette on one of these systems and then used it elsewhere,
you may have spread the virus. Of course, it is always possible that you
picked up the virus elsewhere. Testing your system may be prudent.


What Can You Do?
If you do not have time to disinfect your machine before Sunday, 26 July,
you should shut your system down on the 25th and not use it again until the
27th. This can be a very devastating virus and ALL precautions should be
taken to avoid it. Do NOT turn on an untested machine any time during the
26th.

Detection...
To detect the virus, you should immediately run a virus detection program
that scans for the CIH virus. If your detection software will not run
BECAUSE of the virus (and we have found a case of that for the Dr. Solomon's
software), you must boot your system with a clean boot disk containing the
disinfecting software. If you have a subscription to UT Connect from ACITS,
you have access to Dr. Solomon's anti-virus software. However, the current
version of it (v7.85) does NOT check for the Win32/CIH virus--none of the UT
Connect CDs has code to detect or eradicate the virus. We expect to get the
"patched" version with the CIH check by noon on Friday the 24th. After that
time, you can download the version entitled "Dr. Solomon Anti-Virus for
Windows/95 Version 7.85 (Patched)". To do that, go to
    http://www.utexas.edu/cc/swdist/
and follow the instructions to authenticate yourself and download the
Toolkit, which will detect the Win32/CIH virus.

Another option is to go to the Dr. Solomon's Web page at
    http://www.drsolomons.com/vircen/extra/index.cfm
and download the Win32/CIH driver. Follow the instructions for placing
the driver in your Dr. Solomon's directory, then scan your disk.

If you have some other virus-detection software, contact the provider
immediately for information.


Disinfection...
After downloading and installing the patched version, run a complete scan of
your hard disk. If the virus is detected or if the virus checker will not
run, go immediately to Software Distribution in COM 14 or to the Help Desk
in WCH 1.104. Bring your UT ID and one 3.5" diskette. Upon verification that
you have a current subscription to UT Connect, we will copy the Dr.
Solomon's disinfecting software to your diskette.
The Help Desk will be open on Saturday, 25 July, from 9 a.m. to 4 p.m.

Note: Bring a diskette to COM 14 or to the Help Desk (WCH 1.104) to get the
disinfecting software.

If you do not have a current UT Connect subscription, you can get one in COM
14 or at the Help Desk. Remember: the version of Dr. Solomon's on the UT
Connect CD is NOT the latest. Once you have a subscription, you will still
need to download the "patched" version to detect the virus and then get the
diskette to disinfect the virus, if necessary.

If you have questions about this virus or the detection and disinfecting
procedures, call the Help Desk at 475-9400.


--------------------------------------------------------------------------------

Departmental Services
Comments to dsweb@ds.cc.utexas.edu
23 July 98
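
Added example, not part of the original message or the UT notice: the notice says the virus places its code "within unused parts of the infected file", so this Python sketch walks a PE section table and reports how much of each section's on-disk padding is non-zero. It is a generic triage heuristic, not a CIH signature (linkers and packers can also leave data there), and build_sample() is a constructed test image, not a real executable.

```python
import struct

def section_slack(data):
    """Return (name, file_offset, slack_len, nonzero_bytes) for each section
    whose raw size on disk exceeds the bytes the section actually uses."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, = struct.unpack_from("<H", data, pe + 6)    # NumberOfSections
    opt, = struct.unpack_from("<H", data, pe + 20)    # SizeOfOptionalHeader
    table = pe + 24 + opt
    found = []
    for i in range(nsec):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _rva, raw_size, raw_ptr = struct.unpack_from("<4I", data, hdr + 8)
        # VirtualSize == 0 (some old linkers) gives no usable boundary: skip.
        if vsize == 0 or raw_ptr == 0 or raw_size <= vsize:
            continue
        start = raw_ptr + vsize
        slack = data[start:min(raw_ptr + raw_size, len(data))]
        found.append((name, start, len(slack), sum(1 for b in slack if b)))
    return found

def build_sample(filler=b""):
    """Constructed 1 KiB PE skeleton: one .text section, 0x200 bytes on disk,
    0x40 bytes used; `filler` is written into the slack after the code."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)      # i386, one section
    struct.pack_into("<H", img, 0x54, 0xE0)           # optional header size
    sec = 0x40 + 24 + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<4I", img, sec + 8, 0x40, 0x1000, 0x200, 0x200)
    img[0x200:0x240] = b"\x90" * 0x40                 # section's real content
    img[0x240:0x240 + len(filler)] = filler
    return bytes(img)

if __name__ == "__main__":
    for label, img in (("clean", build_sample()), ("filled", build_sample(b"\xAA" * 100))):
        for name, off, size, used in section_slack(img):
            print(f"{label}: {name} slack at {off:#x}, {used}/{size} bytes non-zero")
```

A section whose padding is mostly non-zero is worth a closer look with a current scanner; an all-zero result does not clear a file.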


