Panda Software reports the appearance of CIH.1106 (W32/CIH.1106), a virus that deletes the contents of the hard disk and prevents infected computers from being booted.
To carry out its infection, CIH.1106 goes memory resident on affected systems. On Windows 98, Windows 95 or Millennium computers, the virus waits for files with an EXE extension to be run and distributes its infection code in the unused spaces in these files. In this way, the size of infected files does not increase, which avoids arousing suspicion. However, on computers with Windows 2000, NT or XP operating systems, the worm stays memory resident but does not infect files.
Once it activates, on the 2nd of any month, CIH.1106 carries out the following actions:
- It overwrites the FAT (File Allocation Table) in the hard disk, destroying the information it contains.
- It deletes the contents of the BIOS memory in computers with an Intel 430TX chipset in their motherboard. This prevents computers from working or even booting.
CIH.1106 can reach computers through various means: e-mail messages with an infected document, computer networks, CD-ROMs, Internet downloads, FTP, floppy disks, etc.
CIH.1106 is a variant of W95/CIH, also known as CIH, which first appeared in 1998 and is one of the more destructive viruses ever. When it activates, it deletes the contents of the hard disk and overwrites the FLASH BIOS of some motherboards. According to past investigations, its author was a 24 year-old Taiwanese student called Chen Ing-Halu, whose initials gave rise to the virus name. There are many CIH variants, the most devastating and widespread was "Chernobyl". The virus name stems from the fact that it activates on April 26, on the same date that, in 1986, the Chernobyl nuclear disaster took place.