For immediate release
W97M/ZMK.J
The activation routine of this virus has a World Cup theme, so it has generated public interest. One of the virus module names is WorldCup98, but the name of the virus is W97M/ZMK.J, showing its relationship to earlier macro viruses. It activates on the 12th of the month (I understand that there is a popular sporting event on the 12th of this month), or when the current second is 12 when Word starts. The payload deletes many files:
C:\Dos\*.*
C:\Windows\Command\*.*
C:\Msdos.sys
C:\Io.sys
and modifies C:\Autoexec.bat. It also modifies INI files by adding country names. The virus displays message boxes containing the following strings:
"VIVE LA COUPE DU MONDE 98!!!!"
"Virus WorldCup98"
"J'espère que tu aime le football..."
"Hip Hip Hourra!!!!"
"Bravo!!!"
"Dommage pour toi, tu as PERDU..."
"mon choix était:..."
"ZeMacroKiller98 est heureux ladédier ce virus"
"À tous ceux qui aime FOOTBALL"
"Veuillez choisir une équipe"
which strongly indicate that it originated in France. The virus uses OrganizerCopy when infecting, so it will not work with Word 97 Service Release 1 (SR-1). It is not currently known to be spreading in the wild. Given that it is limited in the Word versions it can spread in, and that it activates frequently, it is not likely to become widespread. The latest macro virus definitions for F-Secure detect and disinfect W97M/ZMK.J. The definitions are available at the ftp sites listed below. Licensed users of F-Secure Anti-Virus can automate the download and installation process by using the GETMAC utility available at the same site.
ftp://ftp.europe.datafellows.com/f-prot/tools/
ftp://ftp.yuikee.com.hk/pub/f-prot/tools/
CIH
CIH originated in Taiwan and was actively spread in Usenet discussion groups during June 1998. It has been reported in Sweden, France, Germany, Holland, Israel and Taiwan. Some reports have linked its distribution to pirated software, including pirated copies of Windows 98 and some games.
The CIH virus infects Windows 95 and 98 EXE files. After an infected EXE is executed, the virus stays resident in memory and infects other programs as they are accessed.
The virus contains a destructive activation routine: when it triggers, the virus overwrites the beginning of the hard drive with random data. In addition, the virus tries to overwrite the Flash BIOS chip of the machine. If this succeeds, the machine will be unable to boot at all until the chip is reprogrammed. The Flash routine works on Pentium machines based on the Intel 430TX chipset and compatibles. Affected machines will need to have their Flash BIOS removed and reprogrammed in a modern ROM burner, i.e., taken to a repair shop.
On most motherboards, the Flash BIOS can be protected with a jumper. By default, protection is usually off.
CIH does not infect or activate under Windows NT.
There are three known, closely related variants: CIH v1.2, which activates on April 26th; CIH v1.3, which activates on June 26th; and CIH v1.4, which activates on the 26th of every month.
As this virus is already known to be in the wild and has a destructive activation routine, it is a threat to PC users and should be protected against as soon as possible.
F-Secure Anti-Virus has been updated to handle CIH, by means of definition updates for the AVP scanning engine. These are available at:
ftp://ftp.europe.datafellows.com/anti-virus/updates/avp/
ftp://ftp.yuikee.com.hk/anti-virus/updates/avp/
Additional information on computer viruses is available at
http://www.datafellows.com/vir-info/
Data Fellows is privately held. The annual growth in net sales has been close to 100% since the company was founded in 1988. Data Fellows belongs to an elite group of companies that have a triple-A credit rating from Dun & Bradstreet.
For further information, please contact
Hong Kong:
Yui Kee Co. Ltd.
Mr. Allan Dyer, Technical Director
Tel: +852 28708555
Fax: +852 28736164
or visit the Yui Kee web site at http://www.yuikee.com.hk/
Europe:
Data Fellows Ltd.
Mr. Mikko Hypponen, Product Manager
Tel. +358 9 8599 0523
Fax. +358 9 8599 0599
or visit the Data Fellows web site at http://www.DataFellows.com/