W32.CIH.Spacefiller

this page last updated 8-19-98

Virus Aliases: PE CIH, WIN/95 CIH
Area of Infection: Windows 95 portable Executable files (PE)
Characteristics: EXE, Windows, Memory Resident
Payload Date: (see variant info below)
Origin: Taiwan, found in early June 1998
Variants: CIH 1.2 TTIT, CIH 1.3TTIT, CIH 1.4 Tatung
v1.2 and 1.3 activate on April 26th
v1.4 will activate on the 26
th of any month

The W32.CIH.Spacefiller virus originated in Taiwan in early June 1998 and within one week was worldwide. The virus infects Windows 95 and 98 executable files and will quickly infect all the files of this type it can find . When an infected file is run, the virus becomes memory resident. It will then infect other files when they are copied or opened. Infected files will be the same size as the original file because of the unique infection techniques used, so this make the virus difficult to detect. The virus will first look for empty spaces in the file, then it will break itself up into small fragments and hide in the file. However the virus has some bugs, and in some cases can crash your computer, when infected applications are run.

The virus has two payloads, though McAfee Labs has yet to produce either one in its tests. It can overwrite or delete information on the hard drive by using direct disk-writes calls, bypassing standard BIOS virus protection, while overwriting the MBR and boot sectors.

The other payload will reportedly overwrite certain flash BIOS chipsets on some machines from a 486 through a Pentium II, which have flash BIOS. Some computers have a jumper on the motherboard, which acts as hardware write protection. Some machines also have a DIP switch, which allows the flashing BIOS to be disabled. There are some newer computers that cannot be protected by the switch and therefore are vulnerable to the virus. If this payload executes it will leave the PC inoperable unless the BIOS is restored or replaced.

McAfee Labs is continuing to analyze the virus and will update this document as necessary.
To date, the most common variant of the virus is the 1.2 variant. To be protected please be sure to download the latest DAT file (3108) for detection. If a cleaner is required, the current BETASCAN.ZIP download can provide you with a DOS command line remover. The v3.2.0 release will have removal capability for the virus in all products.