From: bluesea()
Compiled by: emil(1999-02-04 00:07:05), on-site mail
Win95.CIH FAQ

Contents:
- What is this Win95.CIH virus, what does it do?
- I think my PC may be infected... how do I find out?
- How can I disinfect my PC from Win95.CIH with build 120?
- Build 120 only: Why do I have to go into command line mode for proper disinfection?
- After disinfection, I still find traces of CIH in some files (notably the "CIH" string), but a scan shows the files as clean.
- Is Kaspersky Lab working on making it easier to remove this virus (without having to go through e.g. command line mode)?
- Ouch - it's too late! Win95.CIH has left my machine in unbootable state. What can I do?
- How can I prevent the possible damages Win95.CIH may cause?
Q: What is this Win95.CIH virus, what does it do?

A detailed description is available in the AVP Virus Encyclopedia.

Q: I think my PC may be infected... how do I find out?

NEW: if you use build 122 of AVP 3.0/32 you no longer need to go through the procedure of using the DOS version! AVP32 build 122 has improved abilities to disinfect Windows viruses, including the CIH virus.

1. First of all, AVP32 will detect and disinfect the CIH virus in system memory. The virus code will stay in Windows memory, but will get patched in such a way that the virus is not able to infect new files or prevent file disinfection.
2. AVP32 then scans itself for the virus infection. If it is infected, AVP32 will disinfect itself, restart and re-scan the Windows memory - this is necessary to be sure that the scanning procedure is processed under a disinfected system environment.
3. Select all disks and run the AVP32 scanning procedure. While scanning, AVP32 will detect all infected files and prompt about disinfection. Let it do that - the latest build disinfects the CIH virus with no virus traces left in files.
4. If infected files are running at the same time AVP32 scans them, AVP32 would fail to disinfect them because Windows95 does not allow such files to be opened for writing. In such cases AVP32 will create FILENAME.EXT.AVP temporary copies and disinfect them. The list of these files is saved in a special reference file that will be used by AVP32 on the next reboot.
5. When the scanning process is complete, AVP32 looks for files that were not disinfected because of read-only mode. If there are such files, AVP32 modifies the C:\AUTOEXEC.BAT file with a call to the AVP32 DOS helper.
6. AVP32 then prompts about rebooting your system - do it. On rebooting, the modified AUTOEXEC.BAT executes the AVP32 DOS helper that will restore all infected files with their disinfected images (long names are preserved).
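The build 122 flow just described (clean writable files in place, give in-use files a FILENAME.EXT.AVP copy, and let a helper swap the copies in on the next boot) as an added model in Python. This is not AVP code and not from the FAQ: the "virus body" is a constructed marker string that the model strips, "in use" is simulated by a set of paths because a DOS-era file lock cannot be reproduced here, and AVPHELP.BAT is a hypothetical name for the helper's reference file.

```python
import os
import tempfile
from pathlib import Path

# Constructed stand-in for an appended virus body; the model "disinfects" by stripping it.
INFECTION_MARKER = b"<<constructed-virus-body>>"


def is_infected(data: bytes) -> bool:
    return INFECTION_MARKER in data


def disinfect(data: bytes) -> bytes:
    """Model disinfection: strip every copy of the marker from the image."""
    return data.replace(INFECTION_MARKER, b"")


def scan_and_clean(root: Path, in_use: set, helper: Path):
    """Scan every file under root. Writable files are cleaned in place; files that are in use
    (the OS would refuse to open them for writing) get a disinfected FILENAME.EXT.AVP copy and
    a line in the helper file, mirroring the AUTOEXEC.BAT helper the FAQ describes.
    Returns (cleaned in place, deferred to next boot)."""
    cleaned, deferred, helper_lines = [], [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix == ".AVP":          # never treat our own temporary copies as hosts
            continue
        data = path.read_bytes()
        if not is_infected(data):
            continue
        clean = disinfect(data)
        if path in in_use:                 # simulated file lock: defer the replacement
            copy = path.with_name(path.name + ".AVP")
            copy.write_bytes(clean)
            helper_lines.append(f"{copy}\t{path}\n")
            deferred.append(path)
        else:
            path.write_bytes(clean)
            cleaned.append(path)
    if helper_lines:
        helper.write_text("".join(helper_lines))
    return cleaned, deferred


def run_boot_helper(helper: Path):
    """What the helper does on the next boot: move each disinfected copy over its original."""
    if not helper.exists():
        return []
    replaced = []
    for line in helper.read_text().splitlines():
        copy, original = line.split("\t")
        os.replace(copy, original)         # rename keeps the original (long) name intact
        replaced.append(Path(original))
    helper.unlink()
    return replaced


def demo() -> dict:
    """Two infected hosts; NOTEPAD.EXE is simulated as in use, CALC.EXE is not."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        notepad, calc = root / "NOTEPAD.EXE", root / "CALC.EXE"
        for host in (notepad, calc):
            host.write_bytes(b"MZ constructed host image " + INFECTION_MARKER)
        (root / "README.TXT").write_bytes(b"plain text, nothing to do")
        helper = root / "AVPHELP.BAT"      # hypothetical helper reference file
        cleaned, deferred = scan_and_clean(root, {notepad}, helper)
        infected_before_boot = is_infected(notepad.read_bytes())
        replaced = run_boot_helper(helper)
        return {
            "cleaned": [p.name for p in cleaned],
            "deferred": [p.name for p in deferred],
            "infected_before_boot": infected_before_boot,
            "replaced": [p.name for p in replaced],
            "all_clean": not any(is_infected(p.read_bytes()) for p in (notepad, calc)),
            "leftover_copies": sorted(p.name for p in root.glob("*.AVP")),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the two-phase design is visible in the result: the in-use host is still infected after the scan pass and only becomes clean once the helper has run, which is why the FAQ insists on the reboot.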
If you are using build 120 of AVP:

1. Download AVP 3.0 for Windows95/98 (avp32120.zip) AND AVP 3.0 for DOS (avpd120.zip).
2. Have a DOS based unzipping utility ready (e.g. PKUNZIP 2.04g from PKware).
3. Reboot your PC - during the startup process, press "F8" and select the Command-line prompt option to avoid loading win95/98.
4. At the command prompt, unzip the archive avpd120.zip into a temporary directory and run the Installer from there, which will copy all the necessary files to e.g. c:\avp30
5. Change to that directory and run either AVP.EXE or AVPLITE.EXE, e.g. avplite.exe c:

If your PC is infected you should see a lot of the Windows executable files marked as infected. If you have run AVP 3.0 for Windows95/NT already and got numerous infection messages, then you should go directly to the disinfection instructions.

Q: How can I disinfect my PC from Win95.CIH when using build 120?

If you already use build 122 of AVP 3.0 for Windows95/98/NT, see the section above on how it works now.

If you run AVP 3.0 for Windows95/NT build 120 and use it to disinfect Win95.CIH, it might not be able to disinfect files which are currently in use, and you risk that AVP 3.0 for Windows95/NT gets infected too.

Aug-04-98: Kaspersky Lab has developed a special update-base which removes any left-over CIH traces (only use it if you have done your cleaning with build 120/119 or another anti-virus program). If you use build 122, there will be no traces left.

The safe process to disinfect Win95.CIH is as follows: Reboot your PC and enter Command line mode as shown above. Install AVP 3.0 for DOS as shown above and change into the AVP program directory (e.g. cd \avp30). Run AVP.EXE or AVPLITE.EXE (avplite uses less memory, but is command line only). In AVP, select the option to disinfect. In AVPLite (and AVP too) you can get a list of possible commands by typing avplite /? . To disinfect with AVPLite type e.g.
    avplite /- c:

which will start disinfection on drive c:. Once disinfection is completed you can reboot your PC and go into win95/98 again. Reinstall AVP 3.0 for win95/NT (to make sure that all its files are intact) and scan your PC again (including any "archive" files).

Q: Why do I have to go into command line mode for proper disinfection?

AVP 3.0 for win95/98 cannot disinfect files that are currently in use because the operating system blocks deleting/writing to Windows executable files that are currently in use. By using the DOS version of AVP and running it in command-line mode (NOT a full-screen DOS session with win95/98 active), you make sure that there are no file locks on Windows executables. Build 122 of AVP 3.0 makes a copy of the infected file, disinfects that copy, reboots the PC and then will auto-replace the infected file with the previously disinfected copy!

Q: After disinfection, I still find traces of CIH in some files (notably the "CIH" string), but a scan shows the files as clean.

CIH puts its code into multiple locations in a file, wherever it finds a cave, which makes the cleaning task pretty difficult. AVP removes most of the virus code, but may occasionally leave some traces behind in the file. The Win95.CIH virus however is destroyed and cannot be activated again from such files.

Note from the development team: we are going to release a special update that will clean these traces that AVP and other antivirus programs leave over... and this special update is now available! Download the file upcih.zip, unzip it into your AVP program directory and follow these instructions:

If your computer was infected by Win95.CIH and then disinfected, there might be "traces" of the virus found in disinfected files - blocks of virus code and the "CIH TATUNG" or "CIH TTIT" text strings. These traces are absolutely harmless and cannot spread the virus, corrupt data or interfere with other software in any way.
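The "caves" mentioned above are the unused padding at the tail of a PE section (the gap between a section's VirtualSize and its SizeOfRawData, which is rounded up to FileAlignment), and the leftover "CIH TATUNG"/"CIH TTIT" strings are what a scan of a disinfected file can still turn up. The following added example (not AVP's code and not part of the FAQ) parses a PE32 section table, lists the caves, locates the two trace strings, and reports which traces sit inside a cave. The sample image is constructed in memory: a minimal two-section PE32 that is not a real program, with one "CIH TTIT" string planted in the .text slack to stand in for a harmless leftover.

```python
import struct

# Marker strings the FAQ says may remain in disinfected files; they are harmless leftovers.
TRACE_STRINGS = (b"CIH TATUNG", b"CIH TTIT")


def parse_sections(data: bytes) -> list:
    """Read the section table of a PE32 image given the raw bytes of the file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return sections


def find_caves(data: bytes, min_size: int = 16) -> list:
    """Padding between a section's real data (VirtualSize) and the end of its raw data
    (SizeOfRawData, rounded up to FileAlignment): the 'caves' the FAQ refers to."""
    caves = []
    for s in parse_sections(data):
        used = min(s["vsize"], s["rawsize"])
        slack = s["rawsize"] - used
        if slack >= min_size:
            caves.append((s["name"], s["rawptr"] + used, slack))   # (section, file offset, size)
    return caves


def find_trace_strings(data: bytes) -> list:
    """All occurrences of the leftover marker strings, as (file offset, marker)."""
    hits = []
    for marker in TRACE_STRINGS:
        start = data.find(marker)
        while start >= 0:
            hits.append((start, marker.decode("ascii")))
            start = data.find(marker, start + 1)
    return sorted(hits)


def scan_image(data: bytes) -> dict:
    """Report caves, trace strings, and which traces lie inside a cave."""
    caves = find_caves(data)
    traces = find_trace_strings(data)
    in_caves = [(off, m, name) for off, m in traces
                for name, start, size in caves if start <= off < start + size]
    return {"caves": caves, "traces": traces, "traces_in_caves": in_caves}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not a real program): two sections, 0x200 file alignment,
    and one "CIH TTIT" string planted in the .text slack to stand in for a leftover trace."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # SectionAlignment, FileAlignment

    def section(name, vsize, vaddr, rawsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x100, 0x1000, 0x200, 0x200)
               + section(b".data", 0x200, 0x2000, 0x200, 0x400)).ljust(0x200, b"\0")
    text = bytearray((b"\x90" * 0x100).ljust(0x200, b"\0"))        # 0x100 bytes used, 0x100 slack
    text[0x110:0x118] = b"CIH TTIT"                                # planted trace inside the slack
    data_sec = b"\x41" * 0x200                                     # .data fully used, no cave
    return headers + bytes(text) + data_sec


if __name__ == "__main__":
    report = scan_image(build_sample_pe())
    for name, offset, size in report["caves"]:
        print(f"cave in {name}: file offset {offset:#x}, {size} bytes")
    for offset, marker, name in report["traces_in_caves"]:
        print(f"trace {marker!r} at {offset:#x} lies in the {name} cave (harmless leftover)")
```

Run against a real disinfected executable, the report explains the situation the question describes: a string scanner still matches the marker in a cave, while the scanner that decides "clean" is looking at whether live virus code remains, not at leftover bytes in padding.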
If you do not like these virus traces and want to clean them, you should add the reference for this update to your AVP.SET file and scan your disks; otherwise see the new features of build 122. If executable files with the virus traces are found, AVP will inform you and request to clean these files. After cleaning the computer you should delete this update and the reference in the AVP.SET - you do not need it anymore. If you are unfortunate and get the CIH infection again, you should use the standard AVP32 build 122 package, which removes the CIH virus without leaving any left-overs!

Q: Is Kaspersky Lab working on making it easier to remove this virus (without having to go through e.g. command line mode)?

Yes, of course. Build 122 now does the following:

1. Run AVP. It will carefully scan Windows memory, detect the virus copy, and patch it so that the virus is not able to infect other files.
2. AVP32 then scans itself and detects if the virus has infected it. AVP cannot disinfect running applications, so it creates a copy of itself, disinfects it, executes it and exits. The new copy locates its host file, detects that it is a disinfected copy, copies itself back to the original one, executes and exits. AVP then locates the disinfected copy and deletes it. AVP is clean, memory is disinfected.
3. Scan your hard drive. Any infected file that is allowed for writing will be disinfected with no virus traces. All read-only (running now) files will be copied with .AVP extension (NOTEPAD.EXE.AVP) and disinfected. A reference for these files is placed in a batch file that is executed on next boot-up. AVP then modifies C:\AUTOEXEC.BAT to run this batch helper automatically.
4. AVP will ask about rebooting your system. Do it. Wait. Your system is clean!

Q: Ouch - it's too late! Win95.CIH has left my machine in unbootable state. What can I do?

Some earlier motherboards had an emergency boot-up routine that could be activated by changing a jumper on the motherboard.
This allowed booting from a floppy and reflashing the BIOS with new code. Newer motherboards often have a jumper to disable BIOS "flashing". However, it seems that on some motherboards this jumper has no effect at all. And yet other motherboards don't offer such a protection at all (for economical reasons). Check your motherboard's manual and your motherboard manufacturer's web-site for more information. You may have to return your motherboard to the manufacturer or get it replaced entirely.

Q: How can I prevent the possible damages Win95.CIH may cause?

To prevent Win95.CIH from being able to do its nasty business, you have a couple of options:

- If possible, try to make sure that the jumper to write to Flash memory is correctly set to disable "flashing" the BIOS (this might have no effect, depending on your motherboard though).
- Check your system with AVP 3.0 before a date on which Win95.CIH triggers (and of course remove Win95.CIH!).
- Prevent getting infected at all by checking all files before you run them on your system.
-- SMTH BBS virus discussion digest, garbled-character compendium, making Windows95 handier... http://www.nease.net/~bluesea
※ Source: Guangzhou NetEase BBS bbs.nease.net.[FROM: 210.74.180.169]