Re: [LINUX:5524] Re: Chernobyl virus

Mehmet Kara (melcem@superonline.com)
Thu, 22 Apr 1999 14:47:11 +0300

Also, some information about the virus:

W95.CIH

VirusName: W95.CIH
Aliases: Chernobyl, PE_CIH, WIN95:CIH 1.x, Win95.CIH, Win32/CIH, Win32.Cih, W95/CIH.1003
Infection Length: ~1K
Area of Infection: Windows 95 Portable Executable (PE) files
Likelihood: Common
Characteristics: EXE, Windows, Memory Resident
Target Platform: Windows 95
Target Date: 26th of the month

Description:

W95.CIH is a virus that infects Windows 95 executables (files with .EXE extension). When an infected program is run, the virus goes memory resident. W95.CIH then infects new files when they are opened (e.g. when they are run or copied). This means that an infected system must be rebooted from a clean system disk before scanning with NAV, or any anti-virus product -- if this is not done, the virus will infect every file that the anti-virus product scans.

Infected files are the same size as the original files, due to W95.CIH's unique mode of infection: First, it looks for empty, unused spaces in the file; then, it breaks itself up into smaller pieces, and hides in these unused spaces. NAV is able to repair an infected file by looking for these viral pieces and removing them from the file.

W95.CIH has a destructive payload that is triggered on the 26th of the month; this payload may cause the entire contents of the system's hard drive to be lost.

Write-up by: Darren Kessner
July 8, 1998

0843: How to Remove the W95.CIH Virus

A new computer virus exists which infects only Windows 95/98 machines. This virus is only detected by the most current versions of anti-virus programs. Please contact the manufacturer of your virus protection software to make sure that your program can detect W95.CIH.

W95.CIH is designed to activate on the 26th of any month and trash the files on the computer it has infected. Here is one way to remove W95.CIH from your computer:

To remove the W95.CIH virus

1. Create a c:\virus directory on your hard drive.

2. Download the navc10.exe file to your c:\virus directory from Symantec's ftp site:

   ftp://ftp.symantec.com/public/english_us_canada/products/norton_antivirus/ver3_win3x/scanner/navc10.exe

3. After the file has downloaded to your hard drive, go to Start and select Shutdown.

4. Select Restart the computer in MS-DOS mode and click Yes.

5. At the DOS prompt, type the following commands (Press your ENTER key after each line):

   C:
   CD \VIRUS
   NAVC10

6. The computer will prompt you with: UnZip files? [Y:N] type Y

7. Then type:

   NAVC /DOALLFILES /REPAIR /ZIPS

Note: If you downloaded navc10.exe to a directory other than c:\virus, you will need to modify CD \VIRUS to the correct directory.

Please wait while this program searches for the W95.CIH virus on your computer. This program will remove any traces of this virus found on your computer.

Please Note: This will remove W95.CIH from your computer, but it WILL NOT protect you from re-infecting your computer. Again, MindSpring would like to strongly recommend that everyone select and use an anti-virus program to prevent viruses from infecting your computer!

Oguz OKTAR wrote:

> I had sent a mail titled "HDD Problem" to the list. The problem I described
> there occurred today. (26.04.99) I suspect this as well. Apparently it
> becomes active on the 26th of some months.
>
> >A virus called Chernobyl apparently became active today, and this plague is
> >said to erase computers' BIOSes. Is there anyone here who has information
> >about this virus?
>
>
> To unsubscribe from the list, send the message
> unsub linux
> to listeci@bilkent.edu.tr.
> Please do not use MIME / HTML / Turkish accented characters for Listeci.
> Address of the list archive: http://listweb.bilkent.edu.tr/
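
The write-up quoted in this message says infected files keep their original size because the virus hides in unused spaces of the file. The Python code below is an added example, not part of the original message or of the quoted write-ups: it walks a PE file's headers and reports padding areas (the gap after the section table and the unused tail of each section) that contain non-zero bytes. The function names and the sample image are constructed for illustration; the code assumes the standard PE header layout and that linkers normally zero-fill this padding.

```python
import struct

def slack_regions(data):
    """Yield (name, start, end) for padding a linker normally leaves zero-filled."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header: NumberOfSections at pe+6, SizeOfOptionalHeader at pe+20
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    table = pe + 24 + opt_size                             # section table start
    first_raw = len(data)
    for i in range(nsect):
        off = table + 40 * i                               # 40-byte section header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rsize, rptr = struct.unpack_from("<4I", data, off + 8)
        if rptr:
            first_raw = min(first_raw, rptr)
        if 0 < vsize < rsize:                              # unused tail of raw data
            yield name, rptr + vsize, min(rptr + rsize, len(data))
    # gap between the end of the section table and the first section's data
    yield "<headers>", table + 40 * nsect, first_raw

def suspicious_slack(data):
    """Return (name, file offset, non-zero byte count) for non-empty slack."""
    hits = []
    for name, start, end in slack_regions(data):
        used = sum(1 for b in data[start:end] if b)
        if used:
            hits.append((name, start, used))
    return hits

def build_sample(header_fill=b"", text_fill=b""):
    """Constructed one-section PE image (not a real program) for the demo."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xHH", img, 0x84, 0x14C, 1, 0xE0, 0x010F)
    struct.pack_into("<8s4I", img, 0x178, b".text", 0x120, 0x1000, 0x200, 0x400)
    img[0x400:0x520] = b"\x90" * 0x120                     # section content
    img[0x1A0:0x1A0 + len(header_fill)] = header_fill      # bytes in header gap
    img[0x520:0x520 + len(text_fill)] = text_fill          # bytes in .text slack
    return bytes(img)

if __name__ == "__main__":
    print(suspicious_slack(build_sample()))
    print(suspicious_slack(build_sample(b"\xCC" * 16, b"\xCC" * 32)))
```

Some linkers and packers legitimately leave data in these areas, so a hit is a reason to scan the file with an up-to-date anti-virus product from a clean boot, not a verdict on its own.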
