First published: 06th July 1998The world of computer viruses is constantly developing, about five to seven new viruses are discovered every day. Most of these will never spread in the wild and are unimportant and uninteresting to ordinary users. Occasionally, a new virus that affects users badly or that captures the popular imagination appear. Two recent examples of this are W97M/ZMK.J and CIH.
The activation routine of this virus has a World Cup theme so it has generated public interest. One of the virus module names is WorldCup98, but the name of the virus is W97M/ZMK.J, showing it's relationship to earlier macro viruses. It will activate on the 12th of the month (I understand that there is a popular sporting event on the 12th of this month), or when the current second is 12 when Word starts. The payload will delete many files:
and modifies C:\Autoexec.bat. It also modifies INI files by adding country names. The virus shows some message box with following strings:
"VIVE LA COUPE DU MONDE 98!!!!"
"J'espère que tu aime le football..."
"Hip Hip Hourra!!!!"
"Dommage pour toi, tu as PERDU..." "mon choix était:...
"ZeMacroKiller98 est heureux ladédier ce virus"
"?tous ceux qui aime FOOTBALL"
"Veuillez choisir une équipe"
which strongly indicate that it originated in France. The virus uses OrganizerCopy when infecting, so it will not work with Word 97 service release 1 (SR-1). It is not currently known to be spreading in the wild. Given that it is limited in the Word versions it spreads in, and it's frequent activations, it is not likely to become widespread. The latest macro virus definitions for F-Secure detect and disinfect W97M/ZMK.J. The definitions are available at the ftp sites listed below. Licensed users of F-Secure Anti-Virus can automate the download and installation process by using the GETMAC utility available at the same site.
CIHCIH is quite unlike W97M/ZMK.J, it does not contain any "topical" messages, it infects Windows 95 and 98 EXE files, it has a highly destructive activation routine and there are reported cases of infection and activation in several countries.
CIH originated in Taiwan, and was actively spread in the usenet discussion groups during June 1998. It has been reported in Sweden, France, Germany, Holland, Israel and Taiwan. Some reports have linked it's distribution to pirated software, including pirated copies of Windows 98 and some games.
CIH virus infects Windows 95 and 98 EXE files. After an infected EXE is executed, the virus will stay in memory and will infect other programs as they are accessed.
The virus contains a destructive activation routine: When it triggers, the virus overwrites the beginning of the hard drive with random data. In addition, the virus will try to overwrite the Flash BIOS chip of the machine. If this succeeds, the machine will be unable to boot at all unless the chip is reprogammed. The Flash routine will work on Pentium machines based on the Intel 430TX chipset and compatibles. Affected machines will need to have their Flash BIOS removed and reprogrammed in a modern ROM burner, i.e. take them to a repair shop.
On most motherboards, the Flash BIOS can be protected with a jumper. By default, protection is usually off.
CIH does not infect or activate under Windows NT.
There are three known, closely-related variants: CIH v1.2 which activates on April 26th, CIH v1.3 which Activates on June 26th, and CIH v1.4 which activates on 26th of every month.
As this virus is already known to be in the wild, and it has a destructive activation routine it is a threat to PC users and should be protected against as soon as possible.
F-Secure Anti-Virus has been updated to handle CIH, by means of definition updates for the AVP scanning engine. These are available at:
Additional information on computer viruses is available at