Sophos warns of new PC paralyser

June 30, 1998 Sophos Press Release

Virus attacks boot files, destroying start-up routines.

Sophos is warning Windows 95 and Windows 98 users of a new virus, known as CIH, which has the capacity to overwrite system start-up routines, as well as wiping data on hard disks. The virus attacks the BIOS, which is needed to boot up the computer, something which no previous virus has managed to do.

The attack comes in two parts, the first and more dangerous being that on the BIOS. The virus overwrites the start-up mechanism, having first bypassed safety features which prevent unintentional loss of data. This makes the computer unbootable until the chip is replaced. The second attack overwrites data on the hard disk of the machine.

"The attack on the BIOS has been tried before, but without success," said Paul Ducklin, Head of Research at Sophos. "The fact that this attack is coupled with the more usual characteristic of data loss makes this virus doubly destructive. Any machine attacked will both cease to function and lose its data. For the first time, we have a virus with side-effects that can only be cured by physically opening the computer and replacing a component."

The virus infects EXE files in Windows 95 and Windows 98. The trigger date is April 26th, though there are variants which trigger on June 26th, and on the 26th of any month.

"Attacked computers can be repaired," said Paul Wilson, Sophos Technical Support Manager. "Additionally, some computers can be configured to be physically secure against this sort of attack, though they are usually shipped with such protection disabled, presumably for reasons of convenience."