Home | Site Map | Search | Contacts
About Us
Report Incidents
Incident Statistics
Security FAQS

Search NISER
  NISER > Alerts > MyCERT Advisories & Summaries > MA-001.121998: Christmas Tree Virus

MA-001.121998: Christmas Tree Virus
Original Issue Date: 23rd December 1998


    MyCERT has received a report regarding a possible virus attack from a program called TREE.EXE, that may be infected by a CIH virus. This is a program where you decorate a Christmas tree, but after running it, it will remain dormant until the 26th Dec when it will wipe out anything in your hard drive. It is known to spread through email attachments.

Virus Name: CIH Virus
Primary targets: 32-bit Windows 95/98/NT executable files


    CIH is a virus that infects 32-bit Windows 95/98/NT executable files. When an infected program is run, the virus looks for empty, unused spaces in the file; then breaks itself up into smaller pieces, and hides in this unused spaces.

    On the 26th of any month, the virus will attempt to overwrite the flash-BIOS. When this happens,

    1. the machine will no longer reboot and renders it unusable.
    2. they will also overwrite the hard disk with garbage.

Method of Infection

    The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, email attachment etc. Once the infected file is executed, the virus may activate.


    Scan all files before using them to minimize the risk of infection. If you are ever in doubt about a file you receive, delete it.


    Option 1 (for Windows 95/98)

    • Download the Norton AntiVirus KILL_CIH tool from the web site below. *NOTE that the KILL_CIH tool will not detect or remove the W95.CIH virus from files; it will only disable the virus in memory so that an anti-virus program can remove the infection without inadvertently spreading the virus.


    • To use the KILL_CIH tool, use any *one* of the following methods:

      1. Double click on the file from your desktop or Explorer.
      2. Run KILL_CIH.EXE from a DOS box.
      3. Use the "Run" command from the Windows Start menu.
      4. Place the KILL_CIH.EXE in a standard login script.

    • If the message below appears, then follow the steps in Option 2.

      "The W95.CIH virus was found in memory. The W95.CIH virus has been successfully disabled. You can now run the Norton AntiVirus to remove any infections from files."

    Option 2 ( for Windows NT)

    You must run VirusScan from a clean, virus-free environment. Follow these steps:

    1. Turn off your computer. Do not reset or reboot. Some viruses may remain intact in the computer's memory.

    2. Ensure your clean start-up diskette is write-protected and insert it in drive A:.

    3. Turn on your computer and wait for the system prompt. ( A: )

    4. Remove the clean start-up diskette from drive A:

    5. Insert the original VirusScan diskette into drive A: (If running VirusScan for Windows, you may need to use diskette #2 of 2 or depending on your version of VirusScan, you may have a diskette labeled "Emergency Disk".)

    6. Eliminate the virus(s) on your hard drive(s) by typing the following command at the A: prompt:
      scan c: /clean /all

    7. After the virus has been removed, restart your computer.

    8. If VirusScan was not previously installed, install it now.


Disclaimers and copyright information
Last Update April 19, 2001