Tue, 27 April 1999
with whom I have already chatted privately:

I was the victim of a virus that struck on 26 April and sent my entire
C drive to m&^%$. Everything, absolutely everything is gone - including your
e-mail addresses. Had to do a "low level format" just to get the drive
back. That will teach me..................

Please write: Hennerietjie, Strandjakkals, Bees, Shannon, and others
too. I would like to put you back in the address book.

Thanks & regards

Omie in Walvisbaai
(You already know the drill with the water in my address)

Fri, 30 April 1999
Ah, so you too ended up in the claws of the Chernobyl virus aka
(Win95.CIH.Spacefiller).
If anyone is looking for the "source code" of the virus, I have it.

Tue, 04 May 1999
Apart from the C drive being sent to m&^%$, how else can one
recognise whether the Chernobyl virus has got hold of your computer (and may
possibly strike on another date)? How is it transmitted?

Fizzer, please explain briefly to me what the so-called 'source code' is.

P.S. Why is Leendert so quiet? Has his computer perhaps also landed in the

Thu, 06 May 1999
Well, I know that if your motherboard packed up on the 26th, then it was most
probably the Chernobyl.

Here is a report... sorry about the English...

Name: CIH
Type: Resident EXE-files
Origin: Taiwan

CIH virus infects Windows 95 and 98 EXE files. After an infected EXE is
executed, the virus will stay in memory and will infect other programs
as they are accessed.

The CIH virus was first located in Taiwan in early June. After that, it
has been confirmed to be in the wild in at least France, Germany, The
Netherlands, Sweden, China, Israel, Chile and Australia. CIH has been
spreading very quickly as it has been distributed through pirated

It seems that at least four underground pirate software groups got
infected with the CIH virus, and they inadvertently spread the virus
globally in new pirated software they released through their own
channels. These releases include some new games which will spread
world-wide very quickly. There's also a persistent rumor about a
'PWA-cracked copy' of Windows 98 which would be infected by the CIH
virus but Data Fellows has been unable to confirm this.

Later on, CIH was available by accident from several commercial
websites, including the Origin Systems website where a download related
to the popular Wing Commander game was infected.

What makes the CIH case really serious is that the virus activates
destructively. When it happens the virus overwrites most of the data on
the computer's hard drive. This can be recovered with recent backups.

However, the virus has another, unique activation routine: It will try
to overwrite the Flash BIOS chip of the machine. If this succeeds, the
machine will be unable to boot at all unless the chip is reprogrammed.
The Flash routine will work on many types of Pentium machines - for
example, on machines based on the Intel 430TX chipset. On most machines,
the Flash BIOS can be protected with a jumper. By default, protection is
usually off.

The CIH virus infects Windows executable files (EXE files). It does not
infect Word or Excel documents. CIH works under both Windows 95 and
Windows 98, but it does not work under Windows NT.

CIH uses a peculiar way of infecting executables. As a result, the size
of the infected files does not grow at all. The actual size of the virus
code is around 1 kB. The virus also employs advanced tricks in jumping
from processor ring 3 to ring 0 in order to hook file system calls.

There are four known closely-related variants:

CIH v1.2 (CIH.1003): Activates on April 26th. This is the most common
variant. It contains this text:


CIH v1.3 (CIH.1010.A and CIH.1010.B): Activates on June 26th. Contains
this text:


CIH v1.4 (CIH.1019): Activates on 26th of every month. It is in the
wild, but not particularly common. It contains this text:


Note on disinfection: If you're using F-Secure Anti-Virus for Windows 95
v4.02, you need to exit Windows to disinfect CIH. Choose Start/Restart
in MS-DOS mode, then execute FSAV for DOS from the FSAV CD-ROM and
disinfect your hard drive with that.

[Mikko Hypponen/Data Fellows]

The so-called source code is the code with which the virus was programmed. If
you understand the language in which it was written, you will be able to make
out how the person wrote the virus...
Hope that's not too unclear.
