SYMANTEC NZ Release
SYMANTEC VIRUS ALERT Detected as: W95.CIH Aliases: Chernobyl CIH_SpaceFiller PE_CIH Trigger date: April 26
Characteristics: Wild
How can I be sure I'm protected? Norton AntiVirus users can protect themselves from this virus by downloading the
current virus definitions either through LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html . For computer users that do not have antivirus protection, Symantec has provided a free scanning tool that will detect
and remove the CIH virus. This can be downloaded from the Cyber Crime channel at http://www.zdtv.com
What is the CIH (Chernobyl) Virus? Discovered in 1998, Taiwan the CIH virus was written by a 24 year old man named Chen
Ing-hau (note the name of the virus derived from his initials). It was the first virus to cause serious 'damage' to a PC
by modifying or corrupting the BIOS chip. By overwriting part of the BIOS program, the virus prevents a computer from
starting up when the power is turned on, rendering the computer completely unusable. To recover from this it is
necessary to physically replace the BIOS chip on the motherboard, or in some cases, replace the motherboard completely.
When does it trigger? There are different variants of the CIH virus that trigger at different times. The most common
variant will activate on the 26th April while others may trigger on the 26th of any month. How does this virus spread?
The CIH virus is spread in Windows 95 executable files (files with the .EXE extension). When an infected program is run,
the virus becomes memory resident and subsequently infects other programs when they are executed or copied. How common
is it? CIH was the 14th most reported virus according to the Wildlist maintained by Joe Wells of IBM. This shows that
the virus is in circulation and that users are at risk of being infected by it if their anti-virus is not up-to-date.
CIH became widespread as it was accidentally spread on a number of magazine CD-ROM's and from several reputable Web
sites. Which operating systems are at risk? CIH will spread only under Windows 95 and Windows 98. Windows NT and Windows
3.x prevent the virus from becoming active.
For further information please contact: David Banes or Nimita Morarji
Symantec AntiVirus Research Centre Manager Botica Conroy & Associates Symantec Australia Pty Ltd Ph: 09 303 3862, 021 950058 Ph: 0061 28879
11140, 0061 411747821 Email: nimitam@bca.co.nz Email: dbanes@symantec.com
For further information on viruses visit the SARC web site: http://www.symantec.com/avcenter