Analysis of virus program source code examples-CIH virus[1]

CIH virus mainly infects executable programs of Windows 95/98/Me. When it attacks, it destroys the system program in the computer's Flash BIOS chip, causing damage to the motherboard and destroying data in the hard disk. When a virus attacks, the hard drive spins continuously, and the virus program writes junk data to the hard drive in units of 2048 sectors, starting from the main boot area of ​​the hard drive until all the hard drive data is destroyed. All data on the hard disk (including the partition table) is destroyed and must be repartitioned to possibly save the hard disk. At the same time, motherboards from some brands, such as Gigabyte and MSI, will destroy the system program in the Flash BIOS, causing the system to become unresponsive after booting.
The CIH virus was introduced into the country from Taiwan in August 1998. There are five versions in total. Various versions have developed over time and been continuously improved. The development process is as follows:

(1 ) CIH virus version 1.0

The initial version 1.0 was only 656 bytes, and the prototype was relatively simple. There was not much improvement in structure from ordinary viruses. Its biggest feature is that it can infect Microsoft Windows PE executable files, the length of program files infected by them increases, and the CIH virus version 1.0 is not yet destructive.

　 (2) CIH virus version 1.1

When the CIH virus developed to version 1.1, the length of the virus was 796 bytes. This version of the CIH virus has the ability to determine Windows Once it is determined that the user is running Windows NT, the functions of the NT software will not take effect and will hide themselves to avoid generating error messages. At the same time, more optimized code is used to reduce its length.

Another improvement point of version 1.1 CIH virus is that it can take advantage of the "gaps" in the Windows PE class executable file, split itself into several parts as needed, and insert them into the PE class executable file respectively. The advantage of this is that it will not increase the file length when infecting most Windows PE files.

　 (3) CIH virus version 1.2

When the CIH virus developed to version 1.2, in addition to correcting some of the defects of version 1.1, it also added the ability to damage users The hard disk and the code of the user's machine BIOS program. This improvement makes it enter the ranks of malignant viruses. The CIH virus body length of version 1.2 is 1003 bytes.

　(4) CIH virus version 1.3

The biggest flaw of the CIH virus version 1.2 is that when it infects a ZIP self-extracting package file, it will cause the ZIP compressed package to The following error warning message appears during self-extraction:
　

　
　　WinZip Self-Extractor header corrupt.
　　Possible cause: disk or file transfer error.

Version 1.3 of the CIH virus appears to be in a hurry. Its improvement points are aimed at the above defects. Its improvement method is: Once it is determined that the opened file is WinZip Self-extracting programs of this type will not be infected. At the same time, this version of the CIH virus has modified the virus attack time from April 26 to June 26. The CIH virus version 1.3 is 1010 bytes long.

　 (4) CIH virus version 1.4

Version 1.4 CIH virus has improved the defects in previous versions and does not infect ZIP self-extracting package files. It also modifies The attack date was changed from June 26 to the 26th of each month, increasing the frequency of virus attacks. The copyright information in the virus was also modified (the copyright information was changed to: "CIH v1.4 TATUNG", the relevant information in the previous version was "CIH v1.x TTIT"), the length of the CIH virus version 1.4 is 1019 bytes.

As mentioned before, the CIH virus has created several firsts in the history of viruses and is very destructive. The outbreak of the virus has caused immeasurable losses to the world. So, how is code with such great "destructive" power written? Below, we take version 1.4 of the CIH virus as an example to analyze part of its core code.

The above is the content of virus program source code example analysis-CIH virus [1]. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!