
Fwd: Everyone on this list.. please read (not junk mail)



>X-From_: owner-wc@BETHEL-CT.ORG  Sat Jul 25 06:20:23 1998
>X-Mailer: AOL 3.0 for Windows 95 sub 76
>Date:         Sat, 25 Jul 1998 06:27:50 EDT
>Reply-To: Where everybody knows your name <WC@BETHEL-CT.ORG>
>Sender: Where everybody knows your name <WC@BETHEL-CT.ORG>
>From: Medieval Man <MidEvlMan@AOL.COM>
>Subject:      Everyone on this list.. please read (not junk mail)
>To: WC@BETHEL-CT.ORG
>
>REAL VIRUS - NOT A WARNING.. if you don't believe me and think this is another
>joke, then read the particulars below
>
>.. instructions on how to remove:
>
>...this one is a motherfucker...it activates sunday 26,
>fucks your hd and reprograms your BIOS...no jokes...
>then you cannot boot anymore..it affects all your .exe files
>you ran or copied has it by now..
>
>the pirate group PWA had it without knowing in june and july
>...their win98 release had it....a lot of machines are supposed
> to go down next sunday...this will be a mess...
>...hope you get thru this ok...
>you can check for info about this on
>
>Before you follow the directions, read my notes, they are VERY
>important
>
>INSTRUCTIONS.
>
>1. Get the navc10.exe file from me and copy it to a floppy.
>(I will upload this tonight)  http://www.digitalrecall.com/navc10.exe
>2. make a bootup disk from another computer
> (one that is clean, unaffected)
>3. boot off the BootDisk and insert the disk with navc10.exe
>4. make a directory on the C drive
>(for those who are DOS dummies: you type in the following command.
>A: C:
>C: md anti (this makes a directory called anti)
>C: copy a:*.* c:\anti
>
>5. change the dir to c:\anti (Command= cd anti )
>6. type this command
>(navc \doallfiles)
>7. if you have the virus then use this command
>(navc \doallfiles \repair)
>
>(now I might have the \ or / ::slashes:: backwards on these commands.)
>
>
>NOTES:
>1. This virus affects all exe files.  So if you execute any file,
>it then also becomes affected.  Therefore, do not exe the navc10.exe
>file.  Simply copy it to a floppy.
>
>2. This virus does not change the size of an exe file when it embeds
>itself, because if it did, then an anti-virus program would have
>detected it.  Because of this, it "eats" away parts of an exe file
>to make room for itself.  When the virus clean I am giving you cleans it,
>there will be room left over.  This empty space where part of the
>original code for the exe used to be might screw up the exe file.
>
>3. all the old virus infected files are backed up by the anti-virus program
>and are renamed with .vir.. so this might add considerable space to the hdd
>I am waiting to delete all vir files... just in case I need one (for
>what reason I don't know :-)
>
>
>-----------==================----------
>Win95.CIH
>
>
>This is a Windows95 specific parasitic PE file (Portable Executable)
>infector about 1 Kbyte in length. This virus
>was found "in-the-wild" in Taiwan in June 1998 - it was posted by the
>virus author to a local Internet conference as
>some utility. Within a week the virus was found in Austria, Australia,
>Israel, United Kingdom, and was also
>reported from several other countries (Switzerland, Sweden, USA, Russia,
>Chile and the list keeps growing).
>
>The virus installs itself into the Windows memory, hooks file access
>calls and infects EXE files that are opened.
>Depending on the system date (see below) the virus runs its trigger
>routine. The virus has bugs and in some cases
>halts the computer when an infected application is run.
>
>The virus' trigger routine operates with Flash BIOS ports and tries to
>overwrite Flash memory with "garbage". This
>is possible only if motherboard and chipset allow writing to Flash
>memory. Usually writing to Flash memory can be
>disabled by a DIP switch, however this depends on the motherboard
>design. Unfortunately, there are modern
>motherboards that cannot be protected by a DIP switch - also, some of
>them do not pay attention to switch
>position and this protection has no effect at all. Some other
>motherboard designs provide write protection that can
>be disabled/overridden by software.
>
>During tests in our lab the virus did not overwrite the Flash BIOS and
>just halted the computer. We do however
>have reports from other sources telling that the virus really is able to
>mess it up.
>
>The trigger routine then overwrites data on all installed hard drives.
>The virus uses direct disk write calls to achieve
>this and bypasses standard BIOS virus protection while overwriting the
>MBR and boot sectors.
>
>There are three virus versions known, which are very closely related and
>only differ in few parts of their code. They
>have different lengths, texts inside the virus code and trigger date:
>
> Length  Text              Trigger date           Found In-The-Wild
>
> 1003    CCIH 1.2 TTIT     on April 26th          YES
> 1010    CCIH 1.3 TTIT     on April 26th          NO
> 1019    CCIH 1.4 TATUNG   on 26th of any month   YES - many reports
>
>Technical details
>
>While infecting a file the virus looks for "caves" in the file body.
>These caves are a result of the PE file structure: all
>file sections are aligned by a value that is defined in PE file header,
>and there are unused blocks of file data
>between the end of previous section and next one. The virus looks for
>these caves and writes its code into them.
>The virus then increases the size of sections by the necessary values.
>As a result the file length is not increased while
>infecting.
>
>If there is a cave of enough size, the virus saves its code in one
>section. Otherwise it splits its code into several parts
>and saves them to the end of several sections. As a result the virus
>code may be found as set of pieces, not as a
>single block in infected files.
>
>The virus also looks for a cave in the PE header. If there is an unused
>block of at least 184 bytes in length, the
>virus writes its startup routine there. The virus then patches the
>entry address in the PE header with a value that
>points to the startup routine placed in the header. This is the same
>trick that was used in the "Win95.Murkry" virus:
>address of program entry points not to some file section, but to file
>header - out of loadable file data. Despite this,
>infected programs are run with no problems - Windows does not pay
>attention to such "strange" files, loads the file
>header into the memory, then file sections, and then passes control to
>the virus startup routine in PE header.
>
>When the virus startup routine takes control, it allocates a block of
>memory by using the PageAllocate VMM call,
>copies itself there, locates other blocks of virus code and also
>copies them to allocated block of memory. The
>virus then hooks system IFS API and returns control to the host program.
>
>The most interesting thing in this part of the virus code is that the
>virus uses quite complex tricks to jump from Ring3
>to Ring0: when the virus jumps to newly allocated memory its code is
>then executed as Ring0 routine, and the virus
>is able to hook the file system calls (it is not possible in Ring3,
>where all user applications are run).
>
>The IFS API virus handler intercepts only one function - file opening.
>When PE .EXE files are opened, the virus
>infects them, provided there are caves of enough size. After infection,
>the virus checks the file date and calls trigger
>routine (see above).
>
>While running its trigger routine the virus uses direct access to Flash
>BIOS ports and VxD direct disk access calls
>(IOS_SendCommand).
>
>Detection and Disinfection tips can be found in the Win95.CIH FAQ
>
>Document history:
>Text originally posted: June-08-1998
>Text updated: June-30-1998
>Text updated: July-01-1998
>CIH FAQ added: July-14-1998
>
>(Detection for this virus was added in Weekly update 980607)
>
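As an added example (not part of the forwarded message or of the vendor description it quotes), here is a small Python triage check for the two structural signs the description explains: an entry point that lands in the PE header rather than in any section, and the alignment slack ("caves") between a section's used bytes and its aligned raw size. The minimal PE32 built by `build_sample` is constructed for the demonstration and is not a real program.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def parse_pe(data):
    """Return (entry_rva, size_of_headers, end_of_section_table, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt = pe_off + 24                                           # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    table = opt + opt_size                                      # section table start
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(data, table + i * 40)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr))
    return entry_rva, size_of_headers, table + nsec * 40, sections

def entry_in_header(data):
    """True when the entry point lies in the loaded header, not in any section (the Win95.Murkry/CIH trick)."""
    entry_rva, _, _, sections = parse_pe(data)
    return not any(va <= entry_rva < va + max(vsize, rawsize)
                   for _, vsize, va, rawsize, _ in sections)

def caves(data):
    """Slack bytes: header space after the section table up to SizeOfHeaders, and raw bytes beyond VirtualSize per section."""
    _, size_of_headers, table_end, sections = parse_pe(data)
    out = {"header": max(0, size_of_headers - table_end)}
    for name, vsize, _, rawsize, _ in sections:
        out[name] = max(0, rawsize - vsize)
    return out

def build_sample(entry_rva):
    """Constructed minimal PE32 (not a real program): one .text section at file offset 0x200; only fields read above are set."""
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 60, 0x200)                      # SizeOfHeaders
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = SECTION_HDR.pack(b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr.ljust(0x200, b"\0") + bytes(0x200)               # zero-filled section data
```

With the sample, the header cave is 160 bytes, below the 184 the description says the virus needs, while an entry RVA such as 0x160 (inside the header) is flagged and 0x1000 (inside .text) is not.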