发信人: bluesea()
整理人: emil(1999-02-04 00:07:05), 站内信件
|
Win95.CIH FAQ
What is this Win95.CIH virus, what does it do ?
I think my PC may be infected... how do I find out?
How can I disinfect my PC from Win95.CIH with build 120
Build 120 only: Why do I have to go into command line mode for proper
disinfection?
After disinfection, I still find traces of CIH in some files (notably the
"CIH" string), but a scan shows the files as clean.
Is Kaspersky Lab working on making it easier to remove this virus (without
having to go through e.g. command line mode) ?
Ouch - it's too late! Win95.CIH has left my machine in unbootable state.
What can I do?
How can I prevent the possible damages Win95.CIH may cause?
What is this Win95.CIH virus, what does it do ?
A detailed description is available in the AVP Virus Encyclopedia
I think my PC may be infected... how do I find out?
NEW: if you use build 122 of AVP 3.0/32 you do no longer need to go
through the procedure of using the DOS version!
AVP32 build 122 has improved abilities to disinfect Windows viruses,
including the CIH virus.
First of all, AVP32 will detect and disinfect the CIH virus in system
memory. The virus code will stay in Windows memory, but will get patched
in such a way that the virus would not be able to infect new files or
prevent file disinfection.
AVP32 then scans itself for the virus infection. If it is infected,
AVP32 will disinfect itself, restart and re-scan the Windows memory -
this is necessary to be sure that the scanning procedure will be
processed under a disinfected system environment.
Select all disks and run AVP32 scanning procedure. While scanning AVP32
will detect all infected files and prompt about disinfection. Let it do
that - the latest build disinfects the CIH virus with no virus traces
left in files.
If there are infected files run the same time AVP32 scans them, AVP32
would fail to disinfect them because Windows95 does not allow to open
such files for writing. In such cases AVP32 will create FILENAME.EXT.AVP
temporary copies and disinfect them. The list of these files is saved in
a special reference file that will be used by AVP32 on next rebooting.
When the scanning process is complete, AVP32 looks for files that were
not disinfected because of read-only mode. If there are such files,
AVP32 modifies the C:\AUTOEXEC.BAT file with a call for AVP32 DOS
helper. AVP32 then prompts about rebooting your system - do it. On
rebooting the modified AUTOEXEC.BAT executes the AVP32 DOS helper that
will restore all infected files with their disinfected images (long
names are preserved).
If you are using build 120 of AVP...:
Download AVP 3.0 for Windows95/98 (avp32120.zip) AND AVP 3.0 for DOS
(avpd120.zip). Have a DOS based Unzipping utility ready (e.g.
PKUNZIP 2.04g from PKware).
Reboot your PC - during the startup process, press "F8" and select
the Command-line prompt option to avoid loading win95/98.
At the command prompt, unzip the archive avpd120.zip into a
temporary directory and run the Installer from there, which will
copy all the necessary files to e.g. c:\avp30
Change to that directory and run either AVP.EXE or AVPLITE.EXE
e.g. avplite.exe c:. If your PC is infected you should see a lot of
the Windows Executable files marked as infected.
If you have run AVP 3.0 for Windows95/NT already and got numerous infection
messages, then you should directly go to the disinfection instructions.
How can I disinfect my PC from Win95.CIH when using build 120
If you already use build 122 of AVP 3.0 for Windows95/98/NT see the section
above on how it works now.
If you run AVP 3.0 for Windows95/NT build 120 and use it to disinfect
Win95.CIH it might not be able to disinfect files which are currently in
use, and you risk the AVP 3.0 for Windows95/NT does get infected too.
Aug-04-98: Kaspersky Lab has developed a special update-base which removes
any left-over CIH-traces (only use if you have done your cleaning with build
120/119 or another anti-virus program. If you use build 122, there will be
no traces left.
The safe process to disinfect Win95.CIH is as follows:
Reboot your PC and enter Command line mode as shown above. Install AVP
3.0 for DOS as shown above and change into the AVP program directory.
(e.g. cd \avp30)
Run AVP.EXE or AVPLITE.EXE (avplite uses less memory, but is command
line only). In AVP, select the option to disinfect. In AVPLite (and AVP
too) you can get a list of possible commands by typing avplite /? . To
disinfect with AVPLite type e.g. avplite /- c: which will start
disinfection on drive c:
Once disinfection is completed you can reboot your PC and go into
win95/98 again.
Reinstall AVP 3.0 for win95/NT (to make sure that all it's files are
intact) and scan your PC again (including any "archive" files).
Why do I have to go into command line mode for proper disinfection?
AVP 3.0 for win95/98 cannot disinfect files that are currently in use
because the operating system blocks deleting/writing to Windows executable
files that are currently in use. By using the DOS version of AVP and running
it in command-line mode (NOT a full-screen DOS session with win95/98
active), you make sure that there are no file-locks on Windows executables.
Build 122 of AVP 3.0 makes a copy of the infected file, disinfects that
copy, reboots the PC and then will auto-replace the infected file with the
previously disinfected copy!
After disinfection, I still find traces of CIH in some files (notably the
"CIH" string), but a scan shows the files as clean
CIH puts it's code into multiple locations in a file, whereever it finds a
cave, which makes the cleaning task pretty difficult. AVP removes most of
the virus code, but may leave occasionally some traces back in the file. The
Win95.CIH virus however is destroyed and cannot be activated again from such
files.
Note from the development team: we are going to release a special update
that will clean these traces that AVP and other antivirus programs leave
over... and, this special update is now available!:
Download the file upcih.zip, unzip into your AVP program directory and
follow these instructions:
If your computer was infected by Win95.CIH and then disinfected, there might
be "traces" of the virus found in disinfected files - blocks of virus code
and the "CIH TATUNG" or "CIH TTIT" text strings. These traces are absolutely
harmless and cannot spread the virus, corrupt data or interfere with other
software in any way.
If you do not like these virus traces and want to clean them, you should add
the reference for this update to your AVP.SET file and scan your disks;
otherwise see the the new features of build 122. If executable files with
the virus traces will be found in files, AVP will inform you and request for
cleaning these files. After cleaning the computer you should delete this
update and the reference in the AVP.SET - you do not need it anymore. If you
are unfortunate and get the CIH infection again, you should use standard the
AVP32 build 122 package, which removes the CIH viruses without leaving any
left-overs!
Is Kaspersky Lab working on making it easier to remove this virus (without
having to go through e.g. command line mode) ?
Yes, of course. Build 122 now does the following:
Run AVP. It will carefully scan Windows memory, detect the virus copy,
and patch it so that the virus would not be able to infect other files.
AVP32 then scans itself and detects if the virus has infected it. AVP
cannot disinfect running applications, so it creates a copy of itself,
disinfects it, executes it and exits. The new copy locates its host
file, detects that it is a disinfected copy, copies itself back to the
original one, executes and exits. AVP then locates the disinfected copy
and deletes it. AVP is clean, memory is disinfected.
Scan your hard drive. Any infected file that is allowed for writing will
be disinfected with no virus traces. All read-only (running now) files
will be copied with .AVP extension (NOTEPAD.EXE.AVP) and disinfected.
Reference for these files is placed to a batch file that is executed on
next boot-up. AVP then modifies C:\AUTOEXEC.BAT to run this batch helper
automatically.
AVP will ask about rebooting your system. Do it. Wait. Your system is
clean!
Ouch - it's too late! Win95.CIH has left my machine in unbootable state.
What can I do? Some earlier motherboards had an emergency boot-up routing,
that could be activated by changing a jumper on the motherboard. This
allowed to boot from a floppy and reflash the BIOS with new code. Newer
motherboards often have a jumper to disable BIOS "flashing". However it
seems, that on some motherboards, this jumper has no effect at all. And yet
other motherboards don't offer such a protection at all (for economical
reasons). Check your motherboard's manual and your motherboard manufactures
web-site for more information. You may have to return your motherboard to
the manufacturer or get it replaced entirely.
How can I prevent the possible damages Win95.CIH may cause?
To prevent Win95.CIH from being able to do it's nasty business, you have a
couple of options:
If possible, try to make sure, that the Jumper to write to Flash Memory
is correctly set to disable "flashing" the BIOS (This might have no
effect, depending on your motherboard though)
Check your system with AVP 3.0 before a date on which Win95.CIH triggers
(and of course remove Win95.CIH !)
Prevent from getting infected at all by checking all files before you
run them on your system.
--
水木清华BBS病毒讨论精华区、乱码大全、让PWindows95更顺手……
http://www.nease.net/~bluesea
※ 来源:.广州网易 BBS bbs.nease.net.[FROM: 210.74.180.169]
|
|