Technology Stocks : LINUX


To: Mitch Blevins who wrote (1490), 4/27/1999 8:12:00 PM
From: E. Charters
 
Waaaaaaaaaaaaaaah!
waaaaaaaaaaaaaaaaaaah!

It was CIH. A version of F-Protect found it. But the version (Tucows 4.02 off the CD-ROM) crashed when it attempted to disinfect it.

Dr. Solomon's people told me the reason their program (out of date) would not load was because of the virus. Their SOS disk would not find it (out of date). All the Business Depot stuff is out of date when you buy it. When you go on the Dr. Solomon's site, it says version 7.92 (which will fix CIH) is "temporarily unavailable." The staff said it was because "they were sure to be working on a better version." So they removed the one update that would work? The solution? To go onto the McAfee site and get them to do an over-the-internet disk scan. Sure.. and I am a horse's ptui.

Hmmmmmm, seems like Dr. Solomon's is in it for the money alright. Tricky, trashing your fix downloads the day after the bug scare. I believe that was a coincidence, but thousands of people at the developmental centre scorn my naivete.

Bets that someone at Dr. S's did not write the CIH virus? I would not bet against it.

EC<:-}



To: Mitch Blevins who wrote (1490), 4/28/1999 2:18:00 AM
From: E. Charters
 
I WAS infected with the CIH virus, variant 1003. It infects EXE files in Win95 and Win98.

It wiped my hard drive. I just got the stuff back about an hour ago.

BUT to be safe you should look with F-Protect version 4.03 or 4.02.

F-Protect worked on my hard drive and it is available at datafellows.com. The trial version will disinfect CIH. I think it is better if you get the network version from Europe, as it says that when you are in operation it will totally disinfect all the Windows locked files when you reboot.

Note that the advisory says you have to use a DOS diskette from F-Protect to actually disinfect if you have version 4.02. There is some confusion here, as the versions are labelled twice with different systems. You will see 3.04 and 4.03 on the same software.

***************************************************************

Advisory:

Alias: PE_CIH, CIHV, SPACEFILLER, VIN32
Origin: Taiwan

CIH virus infects Windows 95 and 98 EXE files. After an infected EXE is executed, the virus will stay in memory and will infect other programs as they are accessed.

The CIH virus was first located in Taiwan in early June. After that, it has been confirmed to be in the wild in at least France, Germany, The Netherlands, Sweden, China, Israel, Chile and Australia. CIH has been spreading very quickly as it has been distributed through pirated software.

It seems that at least four underground pirate software groups got infected with the CIH virus, and they inadvertently spread the virus globally in new pirated software they released through their own channels. These releases include some new games which will spread world-wide very quickly. There's also a persistent rumor about a 'PWA-cracked copy' of Windows 98 which would be infected by the CIH virus, but Data Fellows has been unable to confirm this.

Later on, CIH was available by accident from several commercial websites, including the Origin Systems website where a download related to the popular Wing Commander game was infected.

What makes the CIH case really serious is that the virus activates destructively. When it happens, the virus overwrites most of the data on the computer's hard drive. This can be recovered with recent backups.

However, the virus has another, unique activation routine: It will try to overwrite the Flash BIOS chip of the machine. If this succeeds, the machine will be unable to boot at all unless the chip is reprogrammed. The Flash routine will work on many types of Pentium machines - for example, on machines based on the Intel 430TX chipset. On most machines, the Flash BIOS can be protected with a jumper. By default, protection is usually off.

The CIH virus infects Windows executable files (EXE files). It does not infect Word or Excel documents. CIH works under both Windows 95 and Windows 98, but it does not work under Windows NT.

CIH uses a peculiar way of infecting executables. As a result, the size of the infected files does not grow at all. The actual size of the virus code is around 1 kB. The virus also employs advanced tricks in jumping from processor ring 3 to ring 0 in order to hook file system calls.

There are four known closely-related variants:

CIH v1.2 (CIH.1003): Activates on April 26th. This is the most common variant.

It contains this text:

CIH v1.2 TTIT

CIH v1.3 (CIH.1010.A and CIH.1010.B): Activates on June 26th. Contains this text:

CIH v1.3 TTIT

CIH v1.4 (CIH.1019): Activates on the 26th of every month. It is in the wild, but not particularly common. It contains this text:

CIH v1.4 TATUNG

Note on disinfection: If you're using F-Secure Anti-Virus for Windows 95 v4.02, you need to exit Windows to disinfect CIH. Choose Start/Restart in MS-DOS mode, then execute FSAV for DOS from the FSAV CD-ROM and disinfect your hard drive with that.

[Mikko Hypponen/Data Fellows]
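The advisory above says CIH adds nothing to the file size and hides its roughly 1 kB of code inside the executable. Those two facts fit together: in a PE file each section's data is padded out to the file alignment (normally zero-filled), and a "space filler" infector splits its body across that padding. The following is an added example, written for this page and not part of E. Charters' post or the Data Fellows advisory: it builds a small constructed PE32 image in memory (not a real binary), hides a payload across the section slack the way such an infector would, and then scans any PE image for two indicators, non-zero bytes in section padding and the variant marker strings the advisory lists. The structure offsets are the standard PE/COFF ones; the assumption that clean padding is all zeros is stated in the code.

```python
"""Added example: section-slack ("space filler") infection and detection in PE files.
Constructed sample data only; this is not CIH's code and not the advisory's."""
import struct

# Marker strings the advisory lists for the three known CIH versions.
CIH_MARKERS = (b"CIH v1.2 TTIT", b"CIH v1.3 TTIT", b"CIH v1.4 TATUNG")


def _align(n, a):
    return (n + a - 1) // a * a


def build_sample_pe(contents, file_alignment=0x200):
    """Construct a minimal PE32 image (test data, not a real program).
    contents: list of (section_name_bytes, section_data_bytes).
    Each section's data is zero-padded up to file_alignment, leaving slack."""
    n = len(contents)
    headers_len = 0x40 + 4 + 20 + 224 + 40 * n          # DOS hdr, "PE\0\0", COFF, optional, section hdrs
    first_raw = _align(headers_len, file_alignment)
    image = bytearray(first_raw)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)            # e_lfanew -> PE signature
    image[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, n, 0, 0, 0, 224, 0x0102)
    opt = 0x44 + 20
    struct.pack_into("<H", image, opt, 0x10B)            # PE32 magic
    struct.pack_into("<II", image, opt + 32, 0x1000, file_alignment)  # SectionAlignment, FileAlignment
    sec_hdr = opt + 224
    raw_ptr, va = first_raw, 0x1000
    for i, (name, data) in enumerate(contents):
        raw_size = _align(len(data), file_alignment)
        struct.pack_into("<8sIIIIIIHHI", image, sec_hdr + 40 * i,
                         name.ljust(8, b"\0")[:8], len(data), va, raw_size, raw_ptr,
                         0, 0, 0, 0, 0x60000020)
        image += data + bytes(raw_size - len(data))       # zero fill = slack (assumed clean state)
        raw_ptr += raw_size
        va += _align(len(data), 0x1000)
    return bytes(image)


def parse_sections(image):
    """Return (name, VirtualSize, SizeOfRawData, PointerToRawData) per section header."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (nsec,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    sec_hdr = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, sec_hdr + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw_size, raw_ptr))
    return out


def infect_slack(image, payload):
    """Hide payload in the padding after each section's real data, splitting it
    across sections as a space-filler infector does. File size does not change."""
    image = bytearray(image)
    remaining = payload
    for _name, vsize, raw_size, raw_ptr in parse_sections(image):
        if not remaining:
            break
        room = raw_size - vsize
        if room <= 0:
            continue
        chunk, remaining = remaining[:room], remaining[room:]
        image[raw_ptr + vsize:raw_ptr + vsize + len(chunk)] = chunk
    if remaining:
        raise ValueError("not enough slack for payload")
    return bytes(image)


def scan(image):
    """Report (section, slack_bytes, nonzero_bytes) for padding that is not all
    zero, plus any known CIH marker strings found anywhere in the image."""
    findings = []
    for name, vsize, raw_size, raw_ptr in parse_sections(image):
        if raw_size > vsize:                              # bss-like sections have no file slack
            slack = image[raw_ptr + vsize:raw_ptr + raw_size]
            dirty = sum(1 for b in slack if b)
            if dirty:
                findings.append((name, len(slack), dirty))
    markers = [m.decode() for m in CIH_MARKERS if m in image]
    return {"dirty_slack": findings, "markers": markers}


# Constructed sample: a clean image and one with a 268-byte payload hidden in slack.
CLEAN = build_sample_pe([(b".text", bytes([0x55, 0x8B, 0xEC, 0xC3]) * 0x48),
                         (b".data", b"hello, world\0".ljust(0x40, b"\0"))])
PAYLOAD = b"CIH v1.2 TTIT" + bytes(range(1, 256))         # fake body, deliberately no zero bytes
INFECTED = infect_slack(CLEAN, PAYLOAD)

if __name__ == "__main__":
    print("clean   :", scan(CLEAN))
    print("infected:", scan(INFECTED), "size unchanged:", len(INFECTED) == len(CLEAN))
```

The slack check is the generic detection and the marker check is the signature: the second catches only the three listed variants, while the first catches any code parked in section padding, at the cost of flagging files whose linker or packer deliberately writes non-zero padding, so treat a hit as a reason to inspect rather than proof of infection. The example models only the on-disk cavity; the advisory's ring 3 to ring 0 hooking and the Flash BIOS routine are runtime behaviour and are not represented here.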