

Subject: UKNM: Alarming
From: James Tarin
Date: Tue, 1 Sep 1998 18:16:57 +0100


[Moderator's Note: I wouldn't normally post this type of email onwards,
however as James is willing to vouch for its authenticity...]

Sorry to post non-marketing related material, but this seems important - I
have a confirmed report of this hitting the Chicago office of a large
multinational organisation the day before yesterday. It seems about as
serious as it gets.

james
_______________________
James Tarin
Director of Strategy, Clarity
Tel: +44 171 397 2911
Fax: +44 171 397 2939

http://www.marketing.co.uk



> Win95/CIH
>
> It used to be the case that a computer virus hitting your machine was simply
> a 'software problem'. Viruses are just computer programs and thus seemed
> limited to affecting other programs and/or data stored on your machine.
> There are many wild claims about software damaging hardware, but most fall
> into one of two categories on closer analysis - overuse leading to failure
> (where it is fundamentally irrelevant that the overuse was driven by a
> software process), and 'friend of a friend' stories (FOAFs are, by nature,
> all but unverifiable).
>
> Software cannot damage (well-designed) hardware. About the worst payload
> that most people imagined was a complete hard drive reformat.
>
> This was the naïve view. Fortunately, it was also what we saw in 'everyday'
> viruses. The afternoon of 25 June 1998 changed our view of things.
>
> Late that afternoon, researchers at UK-based anti-virus developer Sophos and
> I finally confirmed our worst fears. The payload of a virus Sophos had
> received from a US customer a few days earlier was designed to, and could
> successfully, overwrite part of the BIOS code stored in common Flash BIOS
> chips.
>
> Even worse than that this payload had been implemented, two of the four
> variants were due to trigger that payload on 26 June - the next day. (Two
> variants trigger on 26 April, one on 26 June and one the 26th of every
> month.)
>
> The payload also overwrites the first 1 MB of information on every hard
> drive in the system. This happens regardless of the effectiveness of the
> attack on the Flash BIOS.
>
> The virus is indisputably in the wild. In fact, since being first reported
> little more than a month ago, one of its variants made it onto the July
> WildList! Several anti-virus developers that VB staff are in regular contact
> with have confirmed receiving samples of at least two variants from
> customers and most have received field samples of at least one variant.
> Across those contacts and from samples sent to VB, we have confirmed field
> reports of all four currently known variants that have the BIOS flashing
> payload.
>
> The BIOS is a special program in an IBM-compatible PC that 'gets the PC up
> on its feet'. More accurately, it finds the PC's feet, then gets it up on
> them. The payload of the Win95/CIH family, if successful in messing with the
> Flash BIOS of an infected PC, will leave the machine unbootable. The part of
> the BIOS that is overwritten is the very first part of the BIOS program that
> runs at power-up or system reset.
>
> PCs on which the Win95/CIH payload has triggered require the BIOS to be
> replaced. This is where a rash of Win95/CIH infections within a company can
> quickly become expensive.
>
> With many PCs this involves opening the case, removing the current chip and
> inserting a replacement one. Obviously the BIOS has to match the
> motherboard: BIOSes tend to be designed for a range of CPUs and for
> particular 'chipsets' (all the other logic circuitry needed to make your
> expensive CPU co-ordinate with all the other components inside your PC).
>
> Alternately, a BIOS chip that has been flashed by the virus is not actually
> damaged. However, it requires a fairly specialized piece of equipment to
> reprogram it with the correct BIOS image. This is an option for people with
> the right contacts and a backup copy of their BIOS' contents. (Admit it -
> you seldom back up your data often enough and have never heard of
> backing up your BIOS!)
>
> These first two fixes assume that your BIOS is installed in a socket.
> Unfortunately, it is increasingly common (and almost universal in laptops)
> that the Flash ROM chip holding your BIOS is soldered to the motherboard.
> In such machines, a motherboard replacement is effectively necessary.
> Although surface mount Flash ROM chips may be able to be removed and replaced
> by a suitably skilled technician, it is unlikely to be cheaper and likely to be
> slower to effect this kind of repair. With some laptops it may be more
> economic to buy a new machine.
>
> Who needs to worry about this virus? If you run Windows 95 or 98 you are at
> risk. The virus infects PE format executable files ('programs'). This
> includes Windows NT programs, but the virus will not run and its payload
> cannot trigger under NT. Should you be running Windows 95 on a 386 or early
> 486 you are most likely safe - storing the machine's BIOS in Flash ROM
> became popular towards the tail end of the 486 era. Most, if not all,
> Pentium-based machines will have Flash ROM.
>
> We are still working with the chipset and motherboard designers to ascertain
> exactly which combinations of chipset and Flash ROM are susceptible to this
> payload. We know some Flash ROMs cannot be overwritten because the payload
> uses activation sequences known to not work with them. We hope to make more
> details available as we piece things together.
>
> What should you do in the meantime? If from the above you suspect that you
> may be susceptible to this virus, please download (or obtain through your
> standard means) the very latest update to your anti-virus software, install
> it and scan your PC. Most major anti-virus vendors have updates that detect
> this virus. The safest way to scan is from DOS-only mode using a DOS
> scanner.
>
> That is not the same as running a scanner at a DOS Prompt under Windows
> 9x. To be sure, select 'Restart the computer in MS-DOS mode' from the shut
> down menu. If starting from power-up, press F8 when the 'Starting
> Windows...' message is first displayed and select the 'Command prompt only'
> option.
> Another possibility is that your anti-virus developer may have provided an
> emergency boot disk. Lastly, if using your own emergency recovery disk,
> ensure it is from an appropriate version of Windows to avoid possible
> FAT32 problems.
>
> If you have NT servers or workstations, it is safe to check them with native
> NT scanners. CIH cannot go resident under NT, so cannot infect nor trigger
> its payload on such systems. Thus, few of the concerns that must be
> considered when testing a Windows 9x machine apply. However, note that you
> should not scan a network share exported from a Windows 9x machine - in that
> case, an active infection on the machine exporting the share can spread
> further. In a similar vein, to check servers running non-Win32 operating
> systems, either run updated scanners native to that OS, or scan them across
> the network from anything other than a Windows 9x workstation.
>
> Should you discover an infection of CIH, it is also most important to
> determine, quickly but safely, how widely the infection has spread through
> your organization. Safely? Remember, this is a fast infector - the act of
> opening a clean file on a machine with an active infection will cause it to
> be infected, if you have write-access to the file.
>
> It is most important to consider files on network shares very carefully when
> planning a network-wide hunt. Files on attached network shares are 'seen' by
> CIH, not just those on local drives. Thus, you should not scan remote drives
> from a Windows 9x machine unless you are sure you are scanning from a clean
> environment.
>
> Should you be concerned, or am I being a tad alarmist? I am concerned. It is
> not my job to sell anti-virus software. In fact, I wish we did not need
> anti-virus software. Sure - I'd be out of a job, but there are many other
> interesting, challenging and fundamentally worthwhile things to work at.
>
> So, should you be worried? In the 36 hours or so leading up to our
> isolating the nature of the complete Win95/CIH payload, colleagues at other
> anti-virus companies were also becoming concerned about this virus. Not
> because they were aware of its full payload, but because they were receiving
> samples from all around the world and were worried about the disk-trashing
> due for 26 June.
>
> Between then and now, we have had reports from (at least) Australia,
> Chile, France, Germany, Japan, Korea, Norway, Romania, Russia, South Africa,
> Taiwan (where it is believed to have been written), the UK and the US. We
> received confirmed reports of BIOSes being reflashed on 26 June.
>
> True - it is difficult to say what the chances are of the virus finding you,
> but it is a fast-infector, meaning that it will quickly spread through most
> possible host files on an infected PC. That neat new utility your friend or
> office colleague gave you the other day, just might have been exposed to
> it.
>
> Can you really be sure where it had been before you ran it?
>
> CIH is widespread, but probably not 'common'. Thus, the threat of exposure
> is low. The BIOS flashing payload however, means that if you are at risk
> of exposure the possible cost of failing to detect it and having the payload
> trigger is higher than in previous viruses.
>
> I have heard people shrug off this suggestion with a response such as 'New
> BIOSes are only twenty pounds [thirty dollars]'. That is true and if you are
> single user, the risk of exposure may mean the cost of ignoring this virus
> until your next regular anti-virus program update is bearable to you. If the
> Flash ROM containing your BIOS is soldered to the board, with a typical
> replacement cost of three times that you may be a little more worried. But
> imagine if you have to scale that over a large corporate IT infrastructure
> of several thousand PCs?
>
> Maybe you are an 'expert user' accustomed to adding and removing bits from
> your PC? If so, you probably did not consider the additional (and quite
> high) costs of employing suitable technical staff to effect these
> replacements.
