Win95.CIH Windows 95/98 Virus

By Bill Grogg

The Win95.CIH virus is a file-infecting virus that infects Portable Executable (PE) Windows 95 (or 98 or ME) executable files. PE executables have unused space in them, and the virus will break itself up to fit in these spaces.
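The unused space described above can be measured per section: it is the gap between the bytes a section actually uses (VirtualSize) and the file-aligned size stored on disk (SizeOfRawData). The following is an added example, not part of the original article or any vendor's scanner; the function names and the sample image are constructed for illustration. It lists each section's slack and counts non-zero bytes in it, a triage hint only, since some linkers and packers also pad with non-zero bytes.

```python
import struct

def section_slack(data):
    """Return (name, file_offset, slack_len, nonzero_count) for each PE section's slack."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, = struct.unpack_from("<H", data, pe_off + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                           # first section header
    found = []
    for i in range(nsec):
        hdr = table + 40 * i                                 # each header is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        if rawptr and rawsize > vsize:                       # slack exists on disk
            start = rawptr + vsize
            slack = data[start:min(rawptr + rawsize, len(data))]
            found.append((name, start, len(slack), sum(1 for b in slack if b)))
    return found

def filled_slack(data):
    """Names of sections whose slack is not all zero bytes (worth a closer look)."""
    return [name for name, _off, _len, nonzero in section_slack(data) if nonzero]

def build_sample(fill=b""):
    """Constructed two-section PE-like image; `fill` is written into .data's slack."""
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # PE header at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 2)             # i386, two sections
    struct.pack_into("<H", img, 0x80 + 20, 0xE0)             # optional header size
    table = 0x80 + 24 + 0xE0
    layout = [(b".text", 0x1A0, 0x1000, 0x200, 0x400),
              (b".data", 0x100, 0x2000, 0x200, 0x600)]
    for i, (name, vsize, vaddr, rawsize, rawptr) in enumerate(layout):
        struct.pack_into("<8sIIII", img, table + 40 * i, name, vsize, vaddr, rawsize, rawptr)
        img[rawptr:rawptr + vsize] = b"\x90" * vsize         # bytes the section really uses
    img[0x700:0x700 + len(fill)] = fill                      # 0x700 = start of .data slack
    return bytes(img)

if __name__ == "__main__":
    for row in section_slack(build_sample(b"\xCC" * 40)):
        print("%-8s offset=0x%X slack=%d nonzero=%d" % row)
```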

Once a file infected with Win95.CIH is executed, the virus will become active and begin infecting other Windows 95 PE executables. According to a write-up by Virus Bulletin, Windows NT shouldn't be susceptible to the virus because of the way NT controls access to programs.

The virus has a destructive payload that is triggered on the 26th of the month. At that time it will attempt to overwrite the Flash BIOS and the system areas of the hard drive. If the former is successful, the machine will no longer be able to boot and the BIOS chip may have to be replaced. Success of the latter attack will make it virtually impossible to recover your data from the hard drive.

In order to protect yourself from this virus, make sure you keep your anti-virus software updated with the latest signatures. Those after about August 1998 for ICSA certified products (see ICSA Certification for details) should detect and remove this virus. Also make sure you scan all executable files you receive to verify that they are clean.

If you do not have anti-virus software running, have old signature files, or are unsure if your system is clean when the 26th approaches, just make sure your system isn't running on that date. Subsequently, obtain ICSA certified anti-virus software (see Purchasing Anti-Virus Software) or make sure you obtain the latest signatures from your vendor (see Updating Your Anti-Virus Software).

What if you've actually been hit with this virus? Is there anything that can be done to recover? Thankfully, Steve Gibson of Gibson Research Corporation created a small freeware utility to completely recover from the attack (on FAT-32 partitions). The FIX-CIH utility can be downloaded from the Gibson Research Corporation site. Thanks, Steve!

