Here's why: NETA issued WARNING!!!
****Virus Warning - CIH Virus May Activate Aug 26 08/21/98
Newsbytes, Friday, August 21, 1998 at 14:33
SAN FRANCISCO, CALIFORNIA, U.S.A., 1998 AUG 21 (NB) -- By Craig Menefee, Newsbytes. Network Associates Inc., [NASDAQ:NETA] (NAI) has issued a reminder that one of the nastiest viruses around, known as the CIH, may strike August 26, though the most common "in the wild" variant now circulating won't trigger until April 26, 1999. A free fix for the particularly destructive virus is available at NAI and several other antivirus vendor sites.
The Windows 95/98 virus (it does not affect Windows NT systems) originated in Taiwan earlier this year and spread rapidly around the world. It has caused more concern than most viruses because it operates in a particularly destructive and elusive way.
CIH is destructive because it can attack the flash BIOS of some common chipsets. When it overwrites a BIOS with garbage, the machine will no longer reboot even from a floppy disk until the flash BIOS is reprogrammed. In other words, it nearly totally disables a computer. It also attacks data on hard drives, but that can be recovered by users who back up their data.
The bug is elusive because, when infecting a target PC, it hides in program areas known as "caves," free space at the end of a portable executable (PE) file. Since a "cave" is not otherwise used, the executable is not corrupted and the bug is able to hide without making the file any larger. That makes it harder to find.
NAI acknowledges that one CIH variety triggers on the 26th of any month but cautions users not to panic. The firm says its McAfee Labs research division did extensive testing and found that the bug, which is also known as PE CIH, WIN/95 CIH and Spacefiller, among other names, may replicate rapidly but it is limited in delivering its destructive payload.
Though the firm stresses the variant now spreading will not trigger until April 26 of next year, not on the 26th of every month, NAI and other major antivirus utility vendors have recommended getting a free utility or updating a system's antivirus files to be able to find and kill the bug as soon as possible.
Antivirus firm Trend Micro said the CIH virus goes resident in memory and hooks the IFS (Installable File System) giving it the capability to infect any PE type files. Depending on the variant, the virus may add "CIH v1.2 TTIT," "CIH v1.3 TTIT" or "CIH v1.4 TATUNG" as a string of code within the infected file.
Data Fellows warned that at least four underground pirate software groups accidentally spread the CIH virus globally in pirated software released through their own channels. The releases included some new games, a near guarantee of rapid spread. DF also noted a persistent rumor about a 'PWA-cracked copy' of Windows 98 infected by the bug but said it could not confirm the rumor.
DF says the bug's Flash routine will work on many types of Pentium machines -- for example, on machines based on Intel's very common 430TX chipset. On most machines, the Flash BIOS can be protected with a jumper but, by default, protection is usually turned off to make flash upgrades easier to accomplish.
Newsbytes notes there are now many free CIH virus fixes available. The NAI monthly data file update kills the bug, and NAI has offered a free find-and-clean CIH-specific utility through its Web site at nai.com. Current VirusScan users can download the most current data files from NAI's Web site.
Symantec offers a utility, KILL_CIH.EXE, that blocks CIH from doing anything after it loads into memory, allowing cleanups of infected systems even on trigger days. Symantec's anti-CIH tool is available through its home World Wide Web site at symantec.com. The firm's latest signature file updates find and kill the CIH bug.
Iris Software has a small DOS-based utility program, CURE.EXE, that runs inside a DOS box to search entire hard drives, find and eradicate the bug. The utility can be found on the Web at irisav.com.
Command Software also offers a free utility, CSAV451B.EXE, that scans the hard drive and kills the bug. It can be downloaded using links from the firm's home page at commandcom.com.
Reported by Newsbytes News Network: newsbytes.com.
(19980821/WIRES PC, LEGAL, NETWORK/)
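A scanner-side check for the two traits the article describes, the unchanged file size from hiding in "caves" and the variant marker strings, added here as an example that is not part of the Newsbytes report or any vendor's utility. It assumes a "cave" means the padding between a PE section's VirtualSize and its SizeOfRawData on disk; build_sample is a hypothetical helper that constructs a tiny test image, and non-zero padding is only a heuristic, since some linkers leave data there.

```python
import struct

# Marker strings the article quotes from Trend Micro's description of the variants.
MARKERS = (b"CIH v1.2 TTIT", b"CIH v1.3 TTIT", b"CIH v1.4 TATUNG")

def section_slack(pe: bytes):
    """Yield (name, file_offset, length) for unused file space at the end of each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(nsect):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        if raw_ptr and vsize < raw_size:
            yield name.rstrip(b"\0").decode("latin-1"), raw_ptr + vsize, raw_size - vsize

def scan(pe: bytes):
    """Return findings: known marker strings, and slack regions holding non-zero bytes."""
    findings = [("marker", m.decode()) for m in MARKERS if m in pe]
    for name, off, length in section_slack(pe):
        used = sum(1 for b in pe[off:off + length] if b)
        if used:                              # alignment padding is normally all zeros
            findings.append(("slack", name, off, used))
    return findings

def build_sample(slack_fill: bytes = b"") -> bytes:
    """Constructed test image: one .text section using 0x10 of its 0x200 bytes on disk."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, 1)      # NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 0)      # SizeOfOptionalHeader (0 keeps the sample short)
    struct.pack_into("<8sIIII", hdr, 0x58, b".text", 0x10, 0x1000, 0x200, 0x200)
    body = bytearray(0x200)
    body[:0x10] = b"\x90" * 0x10
    body[0x10:0x10 + len(slack_fill)] = slack_fill
    return bytes(hdr + body)
```

Both constructed images returned by build_sample are the same length, which is the point the article makes: size alone does not reveal what sits in the padding.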