HackfixNews: Anti-Virus IDE alert: W95/CIH-1106

  • From: "Mike" <virusinfo@xxxxxxxxxxx>
  • To: hackfix-virushelp@xxxxxxxxxxxxx
  • Date: Tue, 03 Dec 2002 11:36:55 -0800

New Chernobyl virus strain detected 
December 4, 2002 
Panda Software, a Spanish-based antivirus company, reports the
appearance of a new strain of the devastating W95/CIH10XX virus
- also known as the Chernobyl virus - which can be so damaging
to some computers that it will render some BIOS chips and even
entire motherboards unusable.

Panda somehow obtained a copy of the new Chernobyl variant, though
it has not been seen "in the wild".

According to the Panda report the virus deletes the contents of
the hard disk and prevents infected computers from being booted.
To carry out its infection, CIH.1106 goes memory resident on
affected systems. 

On Windows 98, Windows 95 or Millennium computers, the strain
waits for files with an EXE extension to be run and spreads its
infection code in the unused spaces in these files. In this way,
the size of infected files does not increase, which avoids
arousing suspicion. However, on computers with Windows 2000, NT or
XP operating systems, the virus stays memory resident but does not
infect files. 

The virus activates its payload on the 2nd of every month. The
original variant, first detected in 1998, activates its payload on
the 26th of April, the date of the Chernobyl nuclear catastrophe. 

From: Sophos Alert System

Name: W95/CIH-1106
Aliases: Win95.CIH.1106, W95.CIH.1106, PE_CIH.1106
Type: Windows 95 executable file virus
Date: 3 December 2002

A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated into the
January 2003 (3.65) release of Sophos Anti-Virus.

At the time of writing Sophos has received no reports from users
affected by this virus. However, we have issued this advisory
following enquiries to our support department from customers. 

More information about W95/CIH-1106 can be found at

Download the IDE file from

Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from

Read about how to use IDE files at

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
See my Anti-Virus pages  
A Technical Support Alliance Charter Member 
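
Added example, not part of the original post or of the Panda or Sophos advisories: the report says the strain hides its code in unused space inside EXE files, so file size stays the same. The Python sketch below measures that unused space (the padding between a PE section's VirtualSize and its SizeOfRawData) and counts non-zero bytes in it. The function names and the sample image are constructed for illustration; the sample carries only the header fields the parser reads and is not a loadable executable.

```python
import struct

def section_slack(data):
    """Return (name, slack_length, nonzero_bytes) for every PE section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size                           # first section header
    report = []
    for i in range(nsections):
        off = table + 40 * i                             # headers are 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _rva, rawsize, rawptr = struct.unpack_from("<4I", data, off + 8)
        # Bytes on disk past the declared in-memory size are alignment padding.
        slack = data[rawptr + vsize:rawptr + rawsize] if vsize < rawsize else b""
        report.append((name, len(slack), sum(1 for b in slack if b)))
    return report

def build_sample(fill):
    """Constructed image: one .text section, 0x200 raw bytes, 0x40 in use."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)              # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x14C, 1)         # Machine, NumberOfSections
    # SizeOfOptionalHeader (0x54) stays 0 in this constructed image.
    sec = 0x40 + 24
    buf[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<4I", buf, sec + 8, 0x40, 0x1000, 0x200, 0x200)
    buf[0x200:0x240] = b"\x90" * 0x40                    # bytes the section uses
    buf[0x240:0x400] = fill * 0x1C0                      # padding after them
    return bytes(buf)

if __name__ == "__main__":
    for label, fill in (("clean", b"\0"), ("modified", b"\xCC")):
        image = build_sample(fill)
        print(label, len(image), section_slack(image))
```

Both sample images are the same length, which is why a size comparison alone misses this kind of change. Non-zero padding is a triage signal rather than a verdict, since some legitimate tools also write data there.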
