Win95.CIH
First posted on 21 November 2011.
Source: BitDefender
Aliases :
Win95.CIH is also known as Cernobyl.
Explanation :
This virus infects executables and works under Windows 9x systems. It spread silently and became widespread in the wild, showing no payload until 26 April, when it writes garbage to the flash memory and destroys the boot sectors. Many versions of this virus are known, some with the payload date modified, or with the payload itself modified or absent.
After copying itself into an allocated memory zone, it hooks the system routine that is reached when files are opened (using a VXD call to IFSMGR.InstallFileSystemApiHook). At every file open the intercepted routine is called (in ring 0) and the virus checks whether the file is a PE (Portable Executable). If so, it looks for unused space left between the program's sections, or unused space in the header (184 bytes). That unused space is left by compilers in order to respect the file alignment (a value stored in the PE header). The virus is able to split its body into pieces so that each piece fits one of those cavities between sections. After copying its body into the new host in this manner, it changes the entry point of the program to point to its start routine (usually located in the header's unused space). After completing the infection it checks whether the date is 26 April and, if so, launches the malicious payload. The payload uses some tricks to bypass the Windows protection in order to erase the BIOS and the boot disk sectors.
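The cavity-infection technique described above leaves two traces in a file that a defender can look for: an entry point that falls outside every section (i.e. in the header) and non-zero bytes in the padding that a compiler would have left zero-filled, both after the section table and beyond each section's VirtualSize. The following Python is an added illustration of such a check; it is not BitDefender's detection logic and does not use a real Win95.CIH sample. It constructs two toy PE32 images in memory (one clean, one with a CIH-style entry point and NOP bytes planted in the padding) and reports what it finds. The PE layout assumptions (one .text section, FileAlignment 0x200, SectionAlignment 0x1000, 0x200 bytes of headers) and the function names are the example's own.

```python
import struct

# Constructed toy PE32 layout used by this example (not a real CIH sample):
# one .text section, FileAlignment 0x200, SectionAlignment 0x1000,
# headers occupying the first 0x200 bytes of the file.

def build_toy_pe(entry_rva, header_slack_bytes=b"", section_slack_bytes=b""):
    """Build a minimal PE32 image in memory. Any *_slack_bytes given are written
    into the padding that a compiler would normally leave zero-filled."""
    file_align, sect_align, size_of_headers = 0x200, 0x1000, 0x200
    text_va, text_vsize, text_raw, text_rawptr = 0x1000, 0x150, 0x200, 0x200
    img = bytearray(text_rawptr + text_raw)          # 0x400 bytes, all zero

    img[0:2] = b"MZ"                                 # DOS header
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew -> PE signature
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, 224-byte optional header (PE32)
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = 0x58
    struct.pack_into("<HBBIIIIIIIII", img, opt, 0x10B, 0, 0,   # Magic, linker version
                     text_raw, 0, 0,                           # SizeOfCode, init, uninit
                     entry_rva, text_va, 0,                    # EntryPoint, BaseOfCode, BaseOfData
                     0x400000, sect_align, file_align)         # ImageBase, alignments
    struct.pack_into("<II", img, opt + 56, 0x2000, size_of_headers)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", img, opt + 68, 3)                   # Subsystem: console
    struct.pack_into("<I", img, opt + 92, 16)                  # NumberOfRvaAndSizes
    sect = opt + 224                                           # section table at 0x138
    struct.pack_into("<8sIIIIIIHHI", img, sect, b".text\0\0\0", text_vsize, text_va,
                     text_raw, text_rawptr, 0, 0, 0, 0, 0x60000020)

    hdr_slack = sect + 40                        # 0x160: padding after the section table
    img[hdr_slack:hdr_slack + len(header_slack_bytes)] = header_slack_bytes
    sec_slack = text_rawptr + text_vsize         # 0x350: padding beyond VirtualSize
    img[sec_slack:sec_slack + len(section_slack_bytes)] = section_slack_bytes
    return bytes(img)


def parse_pe(data):
    """Extract the fields the cavity check needs from a PE32 file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sect_tbl = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, rawptr = struct.unpack_from("<8sIIII", data, sect_tbl + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "raw": raw, "rawptr": rawptr})
    return {"entry_rva": entry_rva, "size_of_headers": size_of_headers,
            "section_table_end": sect_tbl + 40 * nsec, "sections": sections}


def scan_for_cavity_infection(data):
    """Heuristic check for CIH-style cavity infection (illustrative, not a
    vendor signature): flags an entry point that is in no section, and any
    non-zero bytes in header padding or in a section's padding beyond VirtualSize."""
    pe = parse_pe(data)
    ep = pe["entry_rva"]
    entry_section = None
    for s in pe["sections"]:
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw"]):
            entry_section = s["name"]
            break
    hdr_pad = data[pe["section_table_end"]:pe["size_of_headers"]]
    header_nonzero = sum(1 for b in hdr_pad if b)
    section_nonzero = {}
    for s in pe["sections"]:
        if s["raw"] > s["vsize"]:
            pad = data[s["rawptr"] + s["vsize"]:s["rawptr"] + s["raw"]]
            section_nonzero[s["name"]] = sum(1 for b in pad if b)
    suspicious = entry_section is None or header_nonzero > 0 or any(section_nonzero.values())
    return {"entry_rva": ep, "entry_section": entry_section,
            "header_slack_nonzero": header_nonzero,
            "section_slack_nonzero": section_nonzero, "suspicious": suspicious}


if __name__ == "__main__":
    clean = build_toy_pe(0x1000)
    # Constructed "infected" image: entry point in the header padding and NOPs
    # planted in both cavities, mimicking the layout the text describes.
    planted = build_toy_pe(0x160, b"\x90" * 32, b"\x90" * 48)
    for label, image in (("clean", clean), ("cavity-style", planted)):
        print(label, scan_for_cavity_infection(image))
```

Non-zero padding is a heuristic rather than proof: some linkers and packers legitimately write data into alignment gaps, so a hit should trigger closer inspection of the bytes at the entry point rather than an automatic verdict. An entry point that maps into the headers, on the other hand, is never produced by a normal compiler.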
Even though the virus had bugs (and caused system errors), it remained undetected on many computers long enough to reach the payload date, destroying those computers.
Last update 21 November 2011