From: "Andreas"
Newsgroups: alt.comp.virus
Subject: Re: CIH-Virus
Date: Tue, 7 Jul 1998 14:07:24 +0200
Organization: Telecom Italia Net
Message-ID: <6nt33n$5a6@everest.vol.it>
References: <6nshhj$3sm$2@news02.btx.dtag.de>

Hinse wrote in message <6nshhj$3sm$2@news02.btx.dtag.de>...
>Anybody hear anything about a Virus with the nice name "CIH"??? He should
>infect Hardware...(and the usual blablabla).
>....Hahahahahaha?!?!?!?
>
>Regards
>
>Patrick

Answer: That is true!

It seems a new computer virus epidemic is coming to the world...

Kaspersky Lab, the developer of AntiViral Toolkit Pro by Eugene Kaspersky, is
warning all Windows 95 and Windows 98 users about a new real threat of a virus
infection. This new virus, named CIH, has the capability to overwrite system
start-up programs and destroy all the data on hard disks. It can also attack
the BIOS, which is needed to start the computer. This is the first known virus
to exist that has this much destructive power.

This new virus was first detected in Taiwan at the beginning of June and
immediately spread all over the world. It has been found in-the-wild in
Europe, America, South-East Asia and Russia. Kaspersky Lab received information
about this new virus from an infected user in St. Petersburg, Russia.
Eugene Kaspersky, the chief of virus research at Kaspersky Lab, said: “Some of
you certainly remember the total epidemic of the Microsoft Word macro virus
"Concept" in 1995. The appearance of Concept caused antivirus developers to
re-engineer their antivirus software a lot. I feel this will happen again.”

The virus has been in-the-wild for more than one month, but still few
antivirus development companies have detection and disinfection for this new
virus. AntiViral Toolkit Pro by Kaspersky Lab is able to detect and remove CIH.
The detection and disinfection were added almost immediately after Kaspersky
Lab virus researchers received a sample on June 8th.

This is a Windows 95-specific parasitic PE (Portable Executable) file infector
about 1 Kbyte in length. This virus was found "in-the-wild" in Taiwan in June
1998 - it was posted by the virus author to a local Internet conference as some
utility. Within a week the virus was found in Austria, Australia, Israel and
the United Kingdom, and was also reported from several other countries
(Switzerland, Sweden, USA, Russia, and the list keeps growing).

The virus installs itself into Windows memory, hooks file access calls and
infects EXE files that are opened. Depending on the system date (see below) the
virus runs its trigger routine. The virus has bugs and in some cases halts the
computer when an infected application is run.

The virus' trigger routine operates with Flash BIOS ports and tries to
overwrite Flash memory with "garbage". This is possible only if the motherboard
and chipset allow writing to Flash memory. Usually writing to Flash memory can
be disabled by a DIP switch; however, this depends on the motherboard design.
Unfortunately, there are modern motherboards that cannot be protected by a DIP
switch - some of them do not pay attention to the switch position and this
protection has no effect at all, and for other hardware the write protection
can be disabled/overridden by software.
During tests in our lab the virus did not overwrite Flash BIOS and just halted
the computer. We do, however, have reports from other sources telling that the
virus really is able to damage Flash memory.

The trigger routine then overwrites data on all installed hard drives. The
virus uses direct disk write calls to do that and bypasses standard BIOS virus
protection while overwriting the MBR and boot sectors.

There are three virus versions known, which are very closely related and only
differ in a few parts of their code. They have different lengths, texts inside
the virus code and trigger dates:

  Length  Text             Trigger date           Found In-The-Wild
  ------  ---------------  ---------------------  ------------------
  1003    CCIH 1.2 TTIT    on April 26th          YES
  1010    CCIH 1.3 TTIT    on April 26th          NO
  1019    CCIH 1.4 TATUNG  on 26th of any month   YES - many reports

Technical details
-----------------

While infecting a file the virus looks for "caves" in the file body. These
caves are a result of the PE file structure: all file sections are aligned by
a value that is defined in the PE file header, and there are unused blocks of
file data between the end of the previous section and the next one. The virus
looks for these caves and writes its code into them. The virus then increases
the size of the sections by the necessary values. As a result the file length
is not increased while infecting.

If there is a cave of enough size, the virus saves its code in one section.
Otherwise it splits its code into several parts and saves them to the end of
several sections. As a result the virus code may be found as a set of pieces,
not as a single block, in infected files.

The virus also looks for a cave in the PE header. If there is an unused block
of not less than 184 bytes in length, the virus writes its startup routine
there. The virus then patches the entry address in the PE header with a value
that points to the startup routine placed in the header.
This is the same trick that was used in the "Win95.Murkry" virus: the program
entry address points not to some file section, but to the file header - outside
the loadable file data. Despite this, infected programs run with no problems -
Windows does not pay attention to such "strange" files, loads the file header
into memory, then the file sections, then passes control to the virus startup
routine in the PE header.

When the virus startup routine takes control, it allocates a block of memory by
using the PageAllocate VMM call, copies itself there, locates the other blocks
of virus code and also copies them to the allocated block of memory. The virus
then hooks the system IFS API and returns control to the host program.

The most interesting thing in this part of the virus code is that the virus
uses quite complex tricks to jump from Ring3 to Ring0: when the virus jumps to
the newly allocated memory its code is then executed as a Ring0 routine, and
the virus is able to hook the file system calls (this is not possible in Ring3,
where all user applications are run).

The IFS API virus handler intercepts only one function - file opening. When PE
.EXE files are opened, the virus infects them, provided there are caves of
enough size. After infection, the virus checks the file date and calls the
trigger routine (see above). While running its trigger routine the virus uses
direct access to Flash BIOS ports and VxD direct disk access calls
(IOS_SendCommand).
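A static check for the two infection artefacts described in the post above, added here as an example (it is not code from the post, from Kaspersky Lab or from the virus): it inventories the per-section caves left by FileAlignment padding, measures the unused space after the section table using the 184-byte threshold quoted above, and flags an entry point that lies inside the PE header rather than in any section (the Murkry/CIH trick). `build_sample_pe` is a constructed two-section PE32 skeleton used only so the checker runs offline; the field offsets are the standard PE32 layout.

```python
import struct

SECTION_HDR = 40        # size of one IMAGE_SECTION_HEADER entry
HEADER_CAVE_MIN = 184   # header cave size the description above says CIH needs


def analyze_pe(data: bytes) -> dict:
    """Report per-section caves, the header cave and where the entry point lands."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsect, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20                                           # IMAGE_OPTIONAL_HEADER32
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sect_off = opt + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sect_off + i * SECTION_HDR)
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         # bytes padded by FileAlignment but unused by the section
                         "cave": max(raw_size - vsize, 0)})
    # unused space between the end of the section table and the first raw data
    header_cave = size_of_headers - (sect_off + nsect * SECTION_HDR)
    hosts = [s["name"] for s in sections
             if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["raw_size"])]
    return {"entry_rva": entry, "sections": sections, "header_cave": header_cave,
            "header_cave_usable": header_cave >= HEADER_CAVE_MIN,
            "entry_section": hosts[0] if hosts else None,
            # Murkry/CIH trick: entry inside the headers, outside every section
            "entry_in_header": not hosts and entry < size_of_headers}


def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed two-section PE32 skeleton (not a real program) for testing."""
    sections = [(b".text", 0x1000, 0x150, 0x200, 0x400),     # 0xB0-byte cave
                (b".data", 0x2000, 0x3F0, 0x400, 0x600)]     # 0x10-byte cave
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # Section/FileAlignment
    struct.pack_into("<I", opt, 60, 0x400)                   # SizeOfHeaders
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                                   len(opt), 0x102)
    img += opt
    for name, vaddr, vsize, raw_size, raw_ptr in sections:
        img += struct.pack("<8sIIII", name, vsize, vaddr, raw_size, raw_ptr)
        img += b"\0" * 16                                    # relocs/linenums/flags
    img += b"\0" * (0x400 - len(img))                        # header padding: the cave
    return bytes(img) + b"\xC3" * 0x200 + b"\0" * 0x400      # .text and .data raw data
```

On a real file, `analyze_pe(open(path, "rb").read())` returns the same dictionary; an entry point reported as `entry_in_header` is the header-resident startup routine the post describes.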
Bye

---

From: pierre@datarescue.com (Pierre Vandevenne)
Newsgroups: alt.comp.virus
Subject: Re: CIH-Virus
Date: 11 Jul 1998 19:56:02 GMT
Organization: DataRescue - sprl -
Message-ID: <6o8g0i$b65$1@news3.Belgium.EU.net>
References: <6nshhj$3sm$2@news02.btx.dtag.de> <6nte9h$i1a@news.microsoft.com> <6nvic7$jhu$1@news3.Belgium.EU.net> <35a63129.9433338@newshost.pcug.org.au> <6o5d6g$qlf@news.microsoft.com>
Reply-To: pierre@datarescue.com

In , tark@vds.net (Tarkan Yetiser) writes:

>Actually, his comments were accurate;-) CMOS never held any part of

Thanks Tarkan.

>the BIOS. It's not a memory-addressable device on the PC. You fetch/store
>configuration data via port access. There's no code there to execute.

Yes, and flashing an eprom doesn't occur through "ports" (it probably could be
implemented that way but...). The EEPROM is seen as an addressable array and,
while not electrically protected, is writable after a specific activation
sequence has been sent to the array in the right order and with the right
timing. (There is also a control register method that potentially simplifies
programming; it is somewhat documented by JEDEC.)

Randy might think about the fact that CMOS data usually needs a battery to be
kept alive, while BIOS code in an EEPROM doesn't, to see the fundamental
difference. The whole flash memory thing is really interesting btw, not only
from a technical point of view, but also because these beasts are really
everywhere nowadays.
I have hacked around a bit, modifying flashers for hard drives, CD-R devices
and PC BIOSes, and have considered the idea of making that information
available from a web page, but never did because of the potential misuse risks
involved. It is one thing to re-time a flasher to have it work on newer
machines; it is another to wipe the hard drive controller firmware of your
neighbour. But if people keep mixing BIOS, CMOS and whatever ends by OS, maybe
they just deserve that. ;-)

---
Pierre Vandevenne, MD - http://www.datarescue.com/ida.htm
IDA Pro 3.75 -the- disassembler

From: ccreeper@inetnow.net (The Creeper)
Newsgroups: alt.comp.virus
Subject: Re: CIH-Virus
Date: Sun, 12 Jul 1998 13:54:57 GMT
Organization: http://extra.newsguy.com
Message-ID: <35a8be8f.608130@news.newsguy.com>
References: <6nshhj$3sm$2@news02.btx.dtag.de> <6nt33n$5a6@everest.vol.it>

"Andreas" wrote:
>
>Hinse wrote in message <6nshhj$3sm$2@news02.btx.dtag.de>...
>>Anybody hear anything about a Virus with the nice name "CIH"??? He should
>>infect Hardware...(and the usual blablabla).
>>....Hahahahahaha?!?!?!?
>>
>>Regards
>>
>>Patrick
>>
>>
>
>Answer: That is true!
>
>It seems a new computer virus epidemic is coming to the world...

Oh, I think that "epidemic" might be a wee bit too strong. It's no more
"epidemic" in nature than other new viruses that go in the wild before the
public update their virus software to the latest versions or signatures.
Epidemic is usually the word choice for marketing departments at large
Anti-Virus companies.

From: "Randy Abrams"
Newsgroups: alt.comp.virus
Subject: Re: CIH-Virus
Date: Mon, 13 Jul 1998 10:49:31 -0700
Organization: Microsoft Corp.
Message-ID: <6odi5i$ms@news.microsoft.com>
References: <6nshhj$3sm$2@news02.btx.dtag.de> <6nte9h$i1a@news.microsoft.com> <6nvic7$jhu$1@news3.Belgium.EU.net> <35a63129.9433338@newshost.pcug.org.au> <6o5d6g$qlf@news.microsoft.com> <6o8g0i$b65$1@news3.Belgium.EU.net>

Pierre Vandevenne wrote in message <6o8g0i$b65$1@news3.Belgium.EU.net>...
>In , tark@vds.net (Tarkan Yetiser) writes:

>Randy might think about the fact that CMOS data usually needs a battery to be
>kept alive, while BIOS code in an EEPROM doesn't to see the fundamental
>difference. The whole flash memory thing is really interesting btw, not only
>from a technical point of view, but also because these beasts are really
>everywhere nowadays.

Yep, I'm aware of the differences. It was probably a poor choice of words
(reset, instead of reflash) that led to confusion. I'm just dumbfounded that
there wouldn't be a failsafe built into the motherboards for cases of flash
corruption. Certainly a virus payload is not the only occurrence that could
render the flash BIOS data garbage. It would only take a little ROM chip to
have an onboard default setup that would allow for reflashing the BIOS.
Randy

The opinions expressed in this message are my own personal views and do not
reflect the official views of the Microsoft Corporation.

From: wcdove@worldnet.att.net
Newsgroups: alt.comp.virus
Subject: Re: CIH-Virus
Date: Mon, 13 Jul 1998 22:33:01 -0400
Organization: AT&T WorldNet Services
Message-ID: <6oemhl$dus@bgtnsc03.worldnet.att.net>
References: <6nshhj$3sm$2@news02.btx.dtag.de> <6nte9h$i1a@news.microsoft.com> <6nvic7$jhu$1@news3.Belgium.EU.net> <35a63129.9433338@newshost.pcug.org.au> <6o5d6g$qlf@news.microsoft.com> <6o8g0i$b65$1@news3.Belgium.EU.net> <6odi5i$ms@news.microsoft.com>

Randy Abrams wrote:
>
> Pierre Vandevenne wrote in message <6o8g0i$b65$1@news3.Belgium.EU.net>...
> >In , tark@vds.net (Tarkan Yetiser) writes:
>
> >Randy might think about the fact that CMOS data usually needs a battery to
> be
> >kept alive, while BIOS code in an EEPROM doesn't to see the fundamental
> >difference. The whole flash memory thing is really interesting btw, not
> only
> >from a technical point of view, but also because these beasts are really
> >everywhere nowadays.
>
> Yep, I'm aware of the differences. It was probably a poor choice of words
> (reset, instead of reflash) that lead to confusion. I'm just dumbfounded
> that there wouldn't be a failsafe built into the motherboards for cases of
> flash corruption. Certainly a virus payload is not the only occurance that
> could render the flash BIOS data garbage.
> It would only take a little ROM
> chip to have an onboard default setup that would allow for reflashing the
> BIOS.

It seems that everything nonessential for operation that may be trimmed from
the PC architecture is being trimmed -- either that, or the motherboard design
engineers are idiots; the latter being self-evidently false, it's got to be
economics.

Funny: a year or two ago, it was self-evident that having to manually reset a
jumper or dip-switch before rewriting EEROM was an essential, wasn't it? I
guess that the additional cost of designing in the circuitry and the 3
plated-through holes, a 3x1 pin array, and a shorting block is just enough
that it made sense to eliminate them; then the additional cost of the
bare-bones BIOS in ROM that would let you boot enough to reflash a corrupted
FLASH BIOS was too much too, and never became a de facto standard. What a
PITA.

Then, it was also clear that a parity checking memory subsystem was a cheap
way to provide redundancy: now you go ECC or nonparity, no middle ground.
From: pierre@datarescue.com (Pierre Vandevenne)
Newsgroups: alt.comp.virus
Subject: Re: CIH-Virus
Date: Tue, 14 Jul 1998 04:20:33 GMT
Organization: DataRescue sa/nv
Message-ID: <6oemah$26s_002@beos.dr-hq.com>
References: <6nshhj$3sm$2@news02.btx.dtag.de> <6nte9h$i1a@news.microsoft.com> <6nvic7$jhu$1@news3.Belgium.EU.net> <35a63129.9433338@newshost.pcug.org.au> <6o5d6g$qlf@news.microsoft.com> <6o8g0i$b65$1@news3.Belgium.EU.net> <6odi5i$ms@news.microsoft.com>
Reply-To: pierre@datarescue.com

In article <6odi5i$ms@news.microsoft.com>, "Randy Abrams" wrote:

>Yep, I'm aware of the differences. It was probably a poor choice of words
>(reset, instead of reflash) that lead to confusion. I'm just dumbfounded

Oh, ok, no problem.

>that there wouldn't be a failsafe built into the motherboards for cases of
>flash corruption. Certainly a virus payload is not the only occurance that

The "boot block" protection should in theory be used. I imagine it isn't
anymore because of the usual creeping featuritis...

>could render the flash BIOS data garbage. It would only take a little ROM

Well, writing to the eeprom randomly isn't likely to result in corruption: you
need a few writes of specific values at specific locations to make the chip
receptive. In practice, I don't believe it could happen. If a program was to
make writes in the BIOS segment it should get the right address (1 in 65536 is
the best case estimate), write the correct value there (1 in 65536 again), then
find a second address and write a second value there (same chances).
Of course it has to do this with the right timing, and only then can it start
issuing commands, that have to be issued at specific places, with specific
values again. BTW, I don't know if a read or write operation at a wrong address
in the eeprom array between two correct commands invalidates the sequence, but
if it does, the risk is virtually non-existent.

>chip to have an onboard default setup that would allow for reflashing the
>BIOS.

I guess cost is the reason, added to the facts that in theory there is a
protection mechanism and that virus writers probably wouldn't do their
homework. And, as I said earlier, there is worse: hard disk firmware is usually
flashable as well, without _any_ protection, except the fact that the
information is "proprietary"...

Pierre

Pierre Vandevenne
http://www.datarescue.com
IDA Pro 3.76 released

From: Gchallin@pcug.org.au (Graeme Challinor)
Newsgroups: alt.comp.virus
Subject: Re: CIH-Virus
Date: Fri, 17 Jul 1998 02:48:48 GMT
Message-ID: <35b0bb57.4465168@newshost.pcug.org.au>
References: <6nshhj$3sm$2@news02.btx.dtag.de> <6nte9h$i1a@news.microsoft.com> <6nvic7$jhu$1@news3.Belgium.EU.net> <35a63129.9433338@newshost.pcug.org.au> <6o5d6g$qlf@news.microsoft.com> <6o8g0i$b65$1@news3.Belgium.EU.net>

On 11 Jul 1998 19:56:02 GMT, pierre@datarescue.com (Pierre Vandevenne) wrote:
>
>But if people keep mixing BIOS, CMOS and whatever ends by OS, maybe they
>just deserve that.
>;-)
>

Not sure what they deserved ;-) but people do get things mixed up and you get
as many different ideas as there are contributors. I think I'll stick with the
simplest distinction: BIOS is software; CMOS describes the hardware
architecture. (It's a type of MOS in which both P-channel and N-channel
components are fabricated on the same die.)

_________________________________
Graeme Challinor
EMAIL: gchallin@pcug.org.au
WWW: http://www.pcug.org.au/~gchallin/
_________________________________