发信人: bluesea()
整理人: emil(1999-02-04 00:06:50), 站内信件
|
Win95.CIH
This is a Windows95 specific parasitic PE files (Portable Executable) infector
about 1Kbyte of length. This virus was found "in-the-wild" in Taiwan in June
1998 - it was posted by the virus author to a local Internet conference as a
some utility. Within a week the virus was found in Austria, Australia, Israel,
United Kingdom, and was also reported from several other countries (Switzerland,
Sweden, USA, Russia, Chile and the list keeps growing).
The virus installs itself into the Windows memory, hooks file access calls and
infects EXE files that are opened. Depending on the system date (see below) the
virus runs its trigger routine. The virus has bugs and in some cases halts the
computer when an infected application is run.
The virus' trigger routine operates with Flash BIOS ports and tries to overwrite
Flash memory with "garbage". This is possible only if motherboard and chipset
allow to write to Flash memory. Usually writing to Flash memory can be disabled
by a DIP switch, however this depends on the motherboard design. Unfortunately,
there are modern motherboards that cannot be protected by a DIP switch - also,
some of them do not pay attention for switch position and this protection has no
effect at all. Some other motherboard designs provide write protection that can
be disabled/overriden by software.
During tests in our lab the virus did not overwrite the Flash BIOS and just
halted the computer. We do however have reports from other sources telling that
the virus really is able to mess it up.
The trigger routine then overwrites data on all installed hard drives. The virus
uses direct disk write calls to achieve this and bypasses standard BIOS virus
protection while overwriting the MBR and boot sectors.
There are three virus versions known, which are very closely related and only
differ in few parts of their code. They have different lengths, texts inside the
virus code and trigger date:
Length Text Trigger date Found In-The-Wild
1003 CCIH 1.2 TTIT on April 26th YES
1010 CCIH 1.3 TTIT on April 26th NO
1019 CCIH 1.4 TATUNG on 26th of any month YES - many reports
Technical details
While infecting a file the virus looks for "caves" in the file body. These caves
are a result of the PE file structure: all file sections are aligned by a value
that is defined in PE file header, and there are not used blocks of file data
between the end of previous section and next one. The virus looks for these
caves and writes its code into them. The virus then increases the size of
sections by the necessary values. As a result the file length is not increased
while infecting.
If there is a cave of enough size, the virus saves its code in one section.
Otherwise it splits its code into several parts and saves them to the end of
several sections. As a result the virus code may be found as set of pieces, not
as a single block in infected files.
The virus also looks for a cave in the PE header. If there is a not used block
not less than 184 bytes of length, the virus writes its startup routine to
there. The virus then patches the entry address in the PE header with a value
that points to the startup routine placed in the header. This is the same trick
that was used in the "Win95.Murkry" virus: address of program entry points not
to some file section, but to file header - out of loadable file data. Despite
this, infected programs are run with no problems - Windows does not pay
attention for such "strange" files, loads the file header into the memory, then
file sections, and then passes control to the virus startup routine in PE
header.
When the virus startup routine takes control, it allocates a block of memory by
using the PageAllocate VMM call, copies itself to there, locates other blocks of
virus code and also copies them to allocated block of memory. The virus then
hooks system IFS API and returns control to the host program.
The most interesting thing in this part of the virus code is that the virus uses
quite complex tricks to jump from Ring3 to Ring0: when the virus jumps to newly
allocated memory its code is then executed as Ring0 routine, and the virus is
able to hook the file system calls (it is not possible in Ring3, where all users
applications are run).
The IFS API virus handler intercepts only one function - file opening. When PE
.EXE files are opened, the virus infects them, provided there are caves of
enough size. After infection, the virus checks the file date and calls trigger
routine (see above).
While running its trigger routine the virus uses direct access to Flash BIOS
ports and VxD direct disk access calls (IOS_SendCommand).
Detection and Disinfection tips can be found in the Win95.CIH FAQ
Document history:
Text originally posted: June-08-1998
Text updated: June-30-1998
Text updated: July-01-1998
CIH FAQ added: July-14-1998
(Detection for this virus was added in Weekly update 980607)
--
水木清华BBS病毒讨论精华区、乱码大全、让PWindows95更顺手……
http://www.nease.net/~bluesea
※ 来源:.广州网易 BBS bbs.nease.net.[FROM: 210.74.180.169]
|
|