Virus attacks boot files, destroying start-up
Sophos is warning Windows 95 and Windows 98 users of a new
virus, known as CIH, which has the capacity to overwrite system
start-up routines, as well as wiping data on hard disks. The virus
attacks the BIOS, needed to boot up the computer, something which
no previous virus has managed to do.
The attack comes in two parts, the first and most dangerous
being that on the BIOS. The virus overwrites the start-up
mechanism, having first bypassed safety features which prevent
unintentional loss of data. This makes the computer unbootable
until the chip is replaced. The second attack overwrites data on
the hard disk of the machine.
"The attack on the BIOS has been tried before, but without
success," said Paul Ducklin, Head of Research at Sophos. "The fact
that this attack is coupled with the more usual characteristic of
data loss makes this virus doubly destructive. Any machine attacked
will both cease to function and lose its data. For the first time,
we have a virus with side-effects that can only be cured by
physically opening the computer and replacing a component."
The virus infects EXE files in Windows 95 and Windows 98. The
trigger date is April 26th, though there are variants which trigger
on June 26th, and on the 26th of any month.
"Attacked computers can be repaired," said Paul Wilson, Sophos
Technical Support Manager. "Additionally, some computers can be
configured to be physically secure against this sort of attack,
though they are usually shipped with such protection disabled,
presumably for reasons of convenience."