Fw: NCR - REMINDER OF UPCOMING EVENT

From: ]\\\\[][G}{T§TÖ®]v[ <NightStorm_Draco_@HOTMAIL.COM>
To: <CREED-DISCUSS@WINDUPLIST.COM>
Date: Tue
24 Apr 2001 22:20:39 -0400

Just a reminder to all you computer users of Win95.CIH - Chernobyl - a malicious virus which actives on April 26th
An old medium risk virus is still a common infector throughout the world
MEDINA, Ohio April 17, 2001 - Central Command, a leading provider of PC anti-virus software and computer security services, and its partners today remind computer users of the Win95.CIH (aka. Chernobyl), a malicious virus named after its author Chen Ing-Hau, which will activate on April 26th, the last Thursday of this month.
Since its discovery in 1998, the CIH virus has infected hundred of thousands of computers in Asian countries and other parts of the
world. Because of its destructive capabilities, CIH has resulted in millions of dollars in damages and data lost worldwide over the
past couple years. "What troubles me, is that detection for the CIH virus has been added nearly two years ago by a majority of the anti-virus software vendors and yet we still see CIH listed as a common infector," Said Steven Sundermeier Product Manager at Central Command Inc.  "It is obvious that there is still a need for more education about virus prevention," concluded Sundermeier.

Details
Name: Win95.CIH
Aliases: Chernobyl, PE_CIH, Win32.CIH, W32/CIH.Spacefiller
Spread Method: By infecting 32bit PE EXE application files
OS: Windows 95, Windows 98
Origin: Taiwan
Risk: Medium
The virus installs itself into the Windows memory, and infects Portable Executable EXE files that are opened.  On April 26th, the
virus damages the computers by writing garbage instructions to the FLASH BIOS if the motherboard and chip sets are compatible with the virus.  Additionally, the virus will then overwrite the data on all installed hard drives.
 
MORE DETAILS OF PE_CIH (from http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_CIH&VSect=T )This virus infects .EXE files in Windows 95/98. Once an infected file is executed, it is memory resident and looks for spaces in the target file so that it can appends itself to those unused spaces. The size increase of infected files is hardly noticeable. It also hooks the IFS (Installable File System), which gives it the ability to infect any PE (Portable Executable, e.g., .EXE) type files. Windows NT files, however, are not subject to infection (by PE_CIHV1.2) due to the use of a VXD programming technique (used when it becomes memory resident): this technique is available in Windows 95/98 only. Therefore, Windows NT systems are immune to the Chernobyl infection. This file infector has a couple of destructive payloads that are triggered on the 26th day of a month. On the trigger day, it attempts to overwrite the system's hard disk with random data, making data recovery very difficult. It also tries to do permanent damage to the system by corrupting data stored in the Flash BIOS. Once the hard drive has been reformatted (by PE_CIHV1.2), the following message is displayed when the system is rebooted:
DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER If the user boots the system from the A: drive and tries to change to the C: drive, another message is displayed:
“Invalid drive specification since the hard disk has already been overwritten with some random data.”
 
FURTHER INFO ON THE WIN_CIH VIRUS, INCLUDING HOW TO SCAN FOR, AND CLEAN, CAN BE FOUND AT http://www.geocities.com/npicrash/win95cih.htm
 
¤]\[][G}{T§TÖ®]v[¤
http://NightStorm.isyourgod.com/
NightStorm_Draco_@hotmail.com
NightStorm_Draco@creedlist.com
NightStorm@isyourgod.com
I've seen the wicked fruit of your vine, Destroy the man who lacks a strong mind
Human pride sings a vengeful song Inspired by the times you've been walked on
My stage is shared by many millions, Who lift their hands up high because they feel this
We are one We are strong, The more you hold us down the more we press on
What if you did? What if you lied? What if I avenge? What if eye for an eye?