Win95.CIH-Killer.137

Details
Win95.CIH-Killer.1373

This is a non-dangerous, memory-resident, parasitic Win95 virus. It infects Windows executable files (PE EXE, Portable Executable) and writes itself to the end of each file it infects. If a file is already infected by the “Win95.CIH” infector, the “CIH-Killer” virus disinfects it and then infects it with its own copy. If an infected file is executed between 0:00am and 0:59am, the virus, depending on the system time, displays the message:
CIH Killer1.1
I’ll kill CIH,but I’ll live here,too!
Produce By SSJ. CCU. Taiwan 1999.

The virus code looks similar to “Win95.CIH” and uses the same tricks to install itself into Windows memory. By patching system tables, the virus switches itself from application mode to kernel driver mode (Ring3 -> Ring0), allocates a block of system memory, hooks the IFS API and stays resident as a VxD driver. When PE EXE files are opened, the virus infects them by writing its code to the end of the last file section. The virus then modifies the necessary PE header fields.
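A header check a defender can run against PE files for the layout described above, code placed in the last section with header fields adjusted to match. This is an added example, not code from the original description: the two indicators (entry point inside the last section, last section both writable and executable) are assumed generic traits of appended code, since the description does not name the modified fields, and the function names and the sample header are constructed for illustration.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* flags
SECTION_FMT = "<8sIIII12xI"  # name, vsize, rva, raw size, raw ptr, flags

def parse_pe(data):
    """Return (entry point RVA, list of section dicts) from PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", data, pe_off + 6)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    (entry,) = struct.unpack_from("<I", data, pe_off + 24 + 16)
    table = pe_off + 24 + opt_size                         # section table start
    keys = ("name", "vsize", "rva", "rsize", "rptr", "flags")
    secs = [dict(zip(keys, struct.unpack_from(SECTION_FMT, data, table + 40 * i)))
            for i in range(nsec)]
    return entry, secs

def appender_indicators(data):
    """Flag header traits common to code appended to the last section."""
    entry, secs = parse_pe(data)
    if not secs:
        return []
    last = max(secs, key=lambda s: s["rva"])
    span = max(last["vsize"], last["rsize"])
    hits = []
    if last["rva"] <= entry < last["rva"] + span:
        hits.append("entry point inside last section")
    if last["flags"] & MEM_EXECUTE and last["flags"] & MEM_WRITE:
        hits.append("last section is writable and executable")
    return hits

def build_sample(entry_rva, last_flags):
    """Constructed two-section PE header (headers only) used as demo input."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020)
    tail = struct.pack(SECTION_FMT, b".data", 0x1000, 0x2000, 0x200, 0x600, last_flags)
    return dos + coff + opt + text + tail

if __name__ == "__main__":
    print(appender_indicators(build_sample(0x1000, 0xC0000040)))  # normal layout
    print(appender_indicators(build_sample(0x2100, 0xE0000020)))  # altered layout
```

Legitimately packed executables can show the same traits, so the result is a triage signal to combine with a scanner verdict rather than a detection on its own.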
