Solved

W95/CIH.1003a   Virus

Posted on 2000-04-15
Last Modified: 2012-06-22
I have scanned my system with a McAfee virus scanner and found that I have this virus in my DDHELP.EXE, RNAAPP.EXE, SPOOL32.EXE, TAPISRV.EXE, WMIEXE.EXE, mcaeng.exe, INETSW95.EXE, SYSTRAY.EXE, TASKMON.EXE. McAfee says to delete the files and reinstall, but how do I delete the files and reinstall them when Windows uses most of them to operate?
Question by:B112874
25 Comments
 
LVL 4

Expert Comment

by:tituba2
You might want to read about a utility that might help at
http://www.symantec.com/region/uk/avcenter/venc/cih.html
 
LVL 1

Expert Comment

by:Moresca
B112874:
A quick and dirty workaround to this would be to boot from a safe floppy, then simply overwrite the infected versions with the originals from the CD.
Since you're booting from a write-protected uninfected floppy, you don't give the virus a chance to load and then do the copying.  At your next reboot all should be well.
 

Author Comment

by:B112874
Moresca, give more info on how to do what you're talking about.
 
LVL 1

Expert Comment

by:Moresca
B112874:
1st step, boot from a bootable floppy, i.e. DOS boot disk, Windows Rescue Disk, etc.  Make sure it is write-protected (looking from the back of the diskette, the little tab should be pressed down so you can see through the hole).
After you bootup using the diskette, just copy the original files from whatever source you used to initially install over the infected files in their respective locations.
What version of Windows are you running?
 

Author Comment

by:B112874
Win 98SE 4.10.2222A. How do you make DOS boot disk or Windows rescue disk? I have a Windows boot disk and a Windows start up disk.
 
LVL 15

Expert Comment

by:hewittg
If you have problems with the above look at this site.  It will clean your system.

Glenn

http://www.symantec.com/avcenter/kill-cih.html
 
LVL 47

Accepted Solution

by: dbrunton (earned 300 total points)
You have the Windows boot disk or Windows start up disk.  These will probably start the computer up in place of the DOS boot disk.  Make sure the write protect has been enabled on the Windows boot disk and see if the computer will start up on it.

If the computer starts correctly then you should see something like the following.

A:\ >

If this occurs you have your DOS boot disk.

******

Reboot your computer without the boot disk and go onto the net.  You need to obtain a DOS-based anti-virus utility.  There are two that will do the job.  These are

AVP lite available from

http://www.avp.com

or

f-prot

which you will have to do a search for on the net.

Obtain either of these, install them, and place them into a folder on your C: drive.  I suggest you use the folder virus.

Because these are DOS-based utilities the virus will not infect them.

***********************

Now reboot the computer from the floppy disk

After the A:\ > shows type the following in.


C:                     press the Enter key
cd \virus           press the Enter key

The screen should show C:\virus >

To use f-prot type

f-prot                 and press the Enter key and follow the instructions

To use avplite type

avplite :*           and press the Enter key.
 

Author Comment

by:B112874
dbrunton I downloaded the avplite and rebooted with my boot disk and after the A: typed C: and so on. I then typed avplite:* and it came up with the options list, but how do I get it to run? Every command I typed it kept saying bad command or file name.
 
LVL 47

Expert Comment

by:dbrunton
There is meant to be a space between the
avplite and the :*

avplite      :*


This checks all hard disks.
 

Author Comment

by:B112874
Ok, dbrunton I did that and all it scanned was 1 file, 1 archive, 1 directory for a total of 1867 kilobytes. It said no viruses found. What now?
 
LVL 47

Expert Comment

by:dbrunton
Hmmm.  I think their documentation is incorrect.  Try this.

avplite           c:\*.*

I tried this on my machine and it works.  Note that it is c:\*.* and that there is a . between the two *
 
LVL 5

Expert Comment

by:nfroio
NOTE: If you do not solve this issue by 4/20/00, I would highly suggest that you DO NOT, repeat, DO NOT, turn on your pc on Thursday.

Chernobyl, CIH, is usually time-bomb triggered to detonate on 4/20 of every year. It happened to 2 friends last year; thankfully, they both had new Dells, under warranty, and Dell was kind enough to replace their hdd's.

nfroio
 

Author Comment

by:B112874
dbrunton Ok that worked and it found 173 EXE programs that were infected, now what do you type in to clean (fix) them?
 

Author Comment

by:B112874
nfroio, don't turn on the computer just on 04-20-00? Can I turn on the computer after that?
 
LVL 5

Expert Comment

by:nfroio
From all that I have read, CIH (Taiwan origin version) will only detonate when your system BIOS shows a 4/20 date. It can be fooled, however, by changing the date of your system before 4/20 to a date after 4/20, and all should be well.

Although ridding your system of CIH would be the best possible alternative, I just got a call from a friend whose system was blasted last year, and I told him to change his system date to 5/17, then to change it back after 4/21, just to be safe.

Even if you think that you have rid your system of the Chernobyl virus, I would still suggest that you either
a. just leave it alone from 12:00midnight 4/20 until 12:01am 4/21.
b. change the date today or tomorrow to a date way past 4/20.

4/20 is the trigger date, and the name of the virus to *celebrate* the meltdown of Chernobyl Nuclear Plant in USSR.

 
LVL 5

Expert Comment

by:nfroio
Ooooops, wrong date: APRIL 26 is trigger. Follow above if worried, but replace 4/20 w/ 4/26. :-)

Too many things happened on previous April 20 (Columbine, Waco, Hitler, etc.)

From Sophos.com website:

10th March 1999

Network nuke set to blow 26 April 1999

Virus will trigger on thirteenth anniversary of Chernobyl disaster

CIH (Chernobyl) detected?

Sophos is warning computer users to be on their guard against CIH, a hardware-attacking computer virus. The best-known and most widespread variant of the virus is set to go off on 26 April, the thirteenth anniversary of the Chernobyl meltdown.

The virus, which was first identified in mid-1998 and has since dominated the Top Ten Virus table, is able to wipe out the user's hard disk and to overwrite the computer BIOS chip, making the computer unusable.

In response to anxieties about CIH, Sophos has produced a CIH disinfection utility. This Utility requires SWEEP for DOS which can be downloaded free from our evaluation page.

Sophos has also compiled a list of Frequently Asked Questions (FAQ) and is urging individuals and businesses to double-check anti-virus policies.

'The hardware-attacking warhead of CIH certainly puts it at the top of the nastiness league', said Paul Ducklin, Head of Research at Sophos. 'Hopefully, this will focus the attention of users and administrators on the fact that the best form of defence against viruses is not to get infected in the first place. Anyone without preventative measures in place should act at once.'

Below is the Inside Track on CIH, a Sophos FAQ.

The inside track on CIH

Sophos FAQ

What is CIH?
CIH is a family of computer viruses which infect Windows 95/98 programs. If you run an infected program on your computer, the virus will become active and begin to copy itself into other programs (EXE files) on your system. The virus usually replicates very quickly, so you will probably soon have hundreds of infected files on your computer.

How is CIH spread?
Any program you receive from outside your computer could potentially be infected. Once you are infected, the virus will soon spread throughout your computer, and so the chance of your passing an infected file to someone else is high.

How common is it?
Even though the first reports of CIH appeared only around the middle of 1998, the virus reached the Number Two spot on the Sophos Virus Top Ten for the whole of 1998. It was third in January 1999, and fourth in February 1999. This means it is very common indeed.

Why is it so widespread?
Programs infected with CIH have been seen on a number of cover CDs from reputable magazines, and on a number of reputable websites. This has certainly helped the virus achieve wide distribution.

What does CIH do?
Normally, CIH simply spreads itself. But on certain trigger dates, it detonates its warhead. The warhead wipes out your hard disk, and then tries to overwrite the computer's BIOS chip. Once the BIOS is overwritten, you will be unable to use your computer at all. Repair involves physically removing the BIOS chip and replacing it with a fresh one. On some computers, the BIOS chip is not removable, so it can only be replaced by swapping the entire motherboard.

What are the trigger dates?
There are several variants of CIH, with different trigger conditions. The best known, and most widespread, variant will detonate on 26 April. Other variants detonate on 26 June, or even on the 26th of any month.

Which operating systems are vulnerable?
CIH spreads under Windows 95 and Windows 98. DOS and Windows 3.x cannot spread CIH because they cannot run Windows 95/98 programs. Windows NT cannot spread CIH because the virus uses programming tricks that do not work under NT. The virus can infect Windows NT programs, but such programs will no longer run, and will therefore not be infectious themselves.

How can I prevent it?
Use reputable anti-virus software which can accurately identify CIH. Use the preventative component of your anti-virus software, not just the component that can detect viruses. Your goal is not just to avoid having your computer damaged by CIH on 26 April, but to avoid being infected at all - by CIH or any other virus.

Where can I get anti-virus software?
Go to the Download section of this website. You can download Sophos Anti-Virus free of charge. But don't just get it, use it!


Hope that helps, now, gotta call friend, and advise of **REAL** detonation date...

nfroio
 

Author Comment

by:B112874
Thanks, for the info. You wouldn't by chance have any ideas on how to get rid of it on your system would you?
 
LVL 47

Expert Comment

by:dbrunton
avplite    /-        c:\*.*


Note the  /-
 
LVL 5

Expert Comment

by:nfroio
Other than commercial virus sweepers (Norton, McAfee), the ones that have been suggested here should work, albeit the directions given are vague at best.

You could also check your motherboard docs for a jumper that will disable writing to the system BIOS, a major cause of CIH infestation, and just remove that jumper until after the detonate date. See the URLs below for more specific info, including downloads to rid yer sys of CIH:

http://www.sophos.com/downloads/swcih.html
----> This is the best one in my humble opinion.

http://www.datafellows.com/cih/

http://www.cert.org/incident_notes/IN-99-03.html

http://www.pspl.com/download/cleancih.htm

Good Luck.

nfroio
 
LVL 5

Expert Comment

by:nfroio
B,

I talked w/ a couple of other folks last night who had the CIH virus, and they used the antivirus software that dbrunton has suggested and is giving you directions for, and they said that it worked great.

They did state, however, that the directions were less than satisfactory, but I think that dbrunton's explanation is right on from what I have read, although I would still suggest to you, just in case, to avoid the use of the possibly affected pc on the detonation date - 4/26.

Good Luck,

nfroio
 
LVL 5

Expert Comment

by:nfroio
>>albeit the directions given are vague at best.

I meant the software's directions folks, not the ones here.

just in case, not trying to offend, just help. :-)
 

Author Comment

by:B112874
OK, It's finally gone. I have scanned my system with three different virus scanners and nothing was found. The AVPLITE was nice, but it was very slow in DOS. At least it got rid of my problem. I appreciate all the time that you spent with me on this problem dbrunton especially on the commands you have to type to get the damn thing to do what you want it to do. I don't know what I would have done without Experts-Exchange and your input.
Thanks,
Brent
 

Author Comment

by:B112874
Sorry, I didn't mean to post it twice. I guess I was just excited that the virus is gone.
Thanks
Brent
 

Author Comment

by:B112874
Thanks, nfroio for the info
 
LVL 47

Expert Comment

by:dbrunton
Thanks for the points.

Try and get f-prot as well.  It is free for personal use and a little easier to use than avplite.

It is best to have two different virus scanners in case one does not detect as well as it should do.

I have found that McAfee's Windows product does not tend to find all viruses when scanning but finds them when you try to open or run an infected file.