[WinMac] W95.CIE virus


Peter Gunn(pdg1[at]cornell.edu)
Fri, 24 Jul 1998 09:37:06 -0400


Not to flame or anything, but what does this virus have to do with
Windows-Mac compatibility? I mean, I think that real viruses like this one
should certainly be noted, but there are thousands of viruses out there,
and this one poses no new special threat to the Win-Mac community.

Anyway, a somewhat less inflammatory description of the W95.CIH virus can be
found at SARC's page on it, at
http://www.symantec.com/avcenter/data/cih.html
as follows:

W95.CIH
VirusName: W95.CIH
Aliases: PE_CIH
Infection Length: ~1K
Area of Infection: Windows 95 Portable Executable (PE) files
Likelihood: Rare
Region Reported: ?
Characteristics: EXE, Windows, Memory Resident
Target Platform: Windows 95
Target Date: 26th of the month

Description:

W95.CIH is a virus that infects 32-bit Windows 95/NT executables (files
with an .EXE extension), however it will only run on Windows 95. When an
infected program is run, the virus goes memory resident. W95.CIH then
infects new files when they are opened (e.g. when they are run or copied).
This means that an infected system must be rebooted from a clean system
disk before scanning with NAV, or any anti-virus product -- if this is not
done, the virus will infect every file that the anti-virus product scans.

W95.CIH does not infect Windows 3.x executable files.

W95.CIH has a destructive payload that is triggered on the 26th of the
month (depending on the variant, this will happen only in April or June).
This virus will attempt to modify or corrupt certain types of Flash RAM. We
believe that the likelihood is that most computers will not be susceptible
to this attack. This information has been corroborated with researchers
from the IBM Watson Research Center.

Infected files will be the same size as the original files, due to
W95.CIH's unique mode of infection: First, it looks for empty, unused
spaces in the file; then, it breaks itself up into smaller pieces, and
hides in these unused spaces. Norton AntiVirus is able to repair an
infected file by looking for these viral pieces and removing them from the
file.
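
The same-size infection described in the quoted SARC text suggests a triage heuristic: look for non-zero bytes in the padding a linker normally leaves zeroed at the end of each PE section. The Python below is an added example, not part of the original post and not Symantec's detection logic; it assumes the "unused spaces" are the slack between a section's VirtualSize and SizeOfRawData, and the function names and sample file are constructed for illustration.

```python
import struct

def section_cavities(data):
    """Return [(section name, slack size, non-zero bytes in slack)] for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)    # SizeOfOptionalHeader
    table = pe + 24 + opt_size                             # first section header
    out = []
    for i in range(nsect):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        if 0 < vsize < rawsize:                            # file-aligned size exceeds used size
            slack = data[rawptr + vsize: rawptr + rawsize]
            out.append((name.rstrip(b"\0").decode("ascii", "replace"),
                        len(slack), len(slack) - slack.count(0)))
    return out

def suspicious(data):
    """Names of sections whose slack is not all zeros (a heuristic, not a signature)."""
    return [name for name, _size, nonzero in section_cavities(data) if nonzero]

def build_sample(cavity_fill=b""):
    """Constructed two-section PE skeleton; cavity_fill lands in the .text slack."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 2)           # Machine = i386, 2 sections
    struct.pack_into("<H", hdr, 0x54, 0xE0)                # PE32 optional header size
    table = 0x40 + 24 + 0xE0
    struct.pack_into("<8sIIII", hdr, table, b".text", 0x150, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", hdr, table + 40, b".data", 0x80, 0x2000, 0x200, 0x400)
    text = b"T" * 0x150 + cavity_fill.ljust(0x200 - 0x150, b"\0")
    data = b"D" * 0x80 + bytes(0x200 - 0x80)
    return bytes(hdr) + text + data

if __name__ == "__main__":
    clean = build_sample()
    altered = build_sample(b"\xAA" * 64)                   # stand-in bytes, not real code
    print(len(clean) == len(altered))                      # file size is unchanged
    print(section_cavities(clean))
    print(section_cavities(altered), suspicious(altered))
```

Some linkers and packers leave non-zero data in this slack, and some older linkers write a VirtualSize of 0, so a hit is a reason to look closer rather than a verdict.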




This archive was generated by hypermail 2.0b2 on Fri Jul 24 1998 - 06:33:58 PDT