W95/CIH.1106
- Type: Virus
- SubType: Win9x
- Discovery Date: 11/28/2002
- Length: 1,106 bytes (cavity)
- Minimum DAT: 4236 (12/04/2002)
- Updated DAT: 4236 (12/04/2002)
- Minimum Engine: 5.1.00
- Description Added: 12/03/2002
- Description Modified: 12/04/2002 1:27 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
This threat has an updated risk assessment of Low-Profiled due to the TechTV article "New Viruses Wreak Havoc".
This W95/CIH variant was specifically rewritten to avoid detection. However, just like all other W95/CIH variants, it is detected in program heuristic mode as a "New Win32" virus with any DATs. This variant has a dangerous payload that triggers when the CMOS clock is set to the 2nd day of a month. It would wipe the flash BIOS on some computer models and overwrite data on the hard drive.
AVERT has not received any field submissions of this new variant.
Symptoms
It carries the strings "nZiptgZ" and "1.4" (they can be very far apart because the virus body may be spread all over the host file).
Method of Infection
This variant uses the same split-cavity infection method as the rest of the W95/CIH family, so the size of the host file does not change after infection.
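Because the file size stays the same, a triage check has to look inside the host file. The sketch below is an added example, not McAfee's detection logic or code from this page: it lists each PE section's unused tail, flags tails that hold non-zero bytes, and reports where the two strings from the Symptoms section fall. It assumes the cavities are the gap between each section's VirtualSize and SizeOfRawData; `section_cavities`, `scan` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

MARKERS = (b"nZiptgZ", b"1.4")  # strings quoted under Symptoms

def section_cavities(data):
    """File ranges between each section's VirtualSize and SizeOfRawData (assumed cavity model)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    table = pe + 24 + opt_size  # section table follows the optional header
    out = []
    for i in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        if rptr and vsize < rsize:
            out.append((name.rstrip(b"\0").decode("latin-1"), rptr + vsize, rptr + rsize))
    return out

def scan(data):
    """List cavities holding non-zero bytes, with the file offset of any marker found inside."""
    findings = []
    for name, start, end in section_cavities(data):
        slack = data[start:end]
        nonzero = len(slack) - slack.count(0)
        hits = {m.decode(): start + slack.find(m) for m in MARKERS if m in slack}
        if nonzero:
            findings.append({"section": name, "range": (start, end),
                             "nonzero": nonzero, "markers": hits})
    return findings

def build_sample():
    """Constructed two-section PE skeleton: inert marker bytes in section slack, no code."""
    pe, img = 0x80, bytearray(0x600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH12xHH", img, pe + 4, 0x14C, 2, 0xE0, 0x102)
    layout = [(b".text", 0x150, 0x200), (b".data", 0x100, 0x400)]  # name, VirtualSize, raw ptr
    for i, (name, vsize, rptr) in enumerate(layout):
        struct.pack_into("<8sIIII", img, pe + 24 + 0xE0 + 40 * i,
                         name, vsize, 0x1000 * (i + 1), 0x200, rptr)
    img[0x360:0x367] = b"nZiptgZ"  # lands in .text slack (0x350-0x400)
    img[0x520:0x523] = b"1.4"      # lands in .data slack (0x500-0x600)
    return bytes(img)

if __name__ == "__main__":
    for f in scan(build_sample()):
        print(f)
```

Non-zero slack alone is not proof of infection, and "1.4" is short enough to match by chance, so treat a hit as a reason to run a full scan with current engine and DAT files.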
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.