NetSpiders Cyber Army 

(Antivirus Information page)

 

Win95.CIH

The Win95.CIH virus is also known as the CIH.Spacefiller virus. Refer to the Win95.CIH information page for more information on this virus. In MSDOS you will have to change the working directory to where CleanCIH.EXE is downloaded. This procedure can be difficult for users who are not familiar with MSDOS commands, so we have given the following instructions to make it easy for them. If you are familiar with MSDOS you can ignore the following procedure.

a. Download CleanCIH.EXE from:

CleanCIH.exe

Otherwise download Kill_CIH.EXE from:
Kill_CIH.exe

b. After the download is completed, click on the "Start" button and select the "Find" option. Then select the "Files or Folders" option. In the window that comes up, type CLEANCIH.EXE in the box next to "Named" and then click "Find Now". You should now see a highlighted entry for CleanCIH.EXE in the lower part of the window. If you don't see this entry, change the "Look in:" option to "My Computer" and click "Find Now" again. If you still don't see the entry, you will have to download CleanCIH.EXE again.

c. Move the mouse pointer to the highlighted CleanCIH.EXE entry and click the right mouse button. In the menu that appears, select the "Copy" option and then click the left mouse button.

d. Click on the "Start" button, then "Programs", and then select "Windows Explorer". On the left side of the window that appears, select "C:" under "My Computer". Click the right mouse button on C:, choose the "Paste" option from the menu and then click the left mouse button.

e. Click on the "Start" button and select "Shut Down", then choose "Restart the computer in MSDOS mode" and click "Yes". The computer will now reboot in MSDOS mode and you will see "C:\>" on your screen.

f. Now type the 2 commands below exactly as shown. Press the Enter key after you type each command.

CD \

CLEANCIH C:\ /AUTOCLEAN

Now your computer will be free of the Win95.CIH virus. If you have more than one hard disk partition, repeat the second command above, replacing C:\ with D:\

Example:

CLEANCIH D:\ /AUTOCLEAN

You will get this error if you are using CleanCIH.EXE while Windows 95/98 is running. When Windows 95/98 is active it will not let CleanCIH.EXE open the Windows programs that are running (like Explorer.exe). You will have to restart your computer in MSDOS mode and then run CleanCIH.EXE. If you are not familiar with MSDOS, refer to question 4 above.

When Windows 95/98 is active it will not let any antivirus software open the Windows programs that are running (like Explorer.exe). The nature of the Win95.CIH virus makes it impossible for any Windows 95/98 based antivirus scanner to clean it under the Windows 95/98 environment. To overcome this problem we have supplied Protector Plus Antivirus Software with an additional DOS based scanner called CleanPC.EXE. You will have to restart your computer in MSDOS mode and then run CleanPC.EXE. If you are familiar with MSDOS, run CleanPC.EXE from the directory where you have installed Protector Plus. By default it will be Progra~1\Protec~1. If you are not familiar with DOS, refer to question 4 above.

These problems may be occurring because of a Win95.CIH virus infection. Download Protector Plus Antivirus Software and check the system. You can download Protector Plus from:

http://www.pspl.com/download/download.htm

CleanCIH.EXE is a program developed to manually scan for and clean the Win95.CIH virus. This program cannot monitor continuously to prevent the reappearance of the Win95.CIH virus. It will only check your computer when YOU run this program.

If you want to monitor your computer continuously and scan the files automatically when they are downloaded or copied on to your computer, you will have to download and install Protector Plus Antivirus Software.

CleanCIH.EXE is a program developed specifically for the Win95.CIH virus. The Win95.CIH virus only infects 32 Bit Windows EXE files, so CleanCIH.EXE scans only 32 Bit Windows EXE files. Other types of EXE files on your computer are not scanned by CleanCIH.EXE. If you want to scan all files for all types of viruses, download Protector Plus Antivirus Software.

Yes it can, but the virus will not spread under the Windows NT environment. If you execute an infected file under the Windows NT environment you will get an error. If you are using Windows NT you can have infected files on your computer only if you have copied/downloaded some infected files or if you have installed Windows 95 and Windows NT in a dual boot configuration. You can download Protector Plus For Windows NT or CleanCIH.EXE to clean the infected files.

Some versions of Win95.CIH viruses are capable of damaging the BIOS if the BIOS erasing feature is enabled in your computer's motherboard. This will not be the normal case and the damage reported is minimal. If your computer is booting properly, you do not need to worry about the BIOS damage. Even if your computer is not booting, it may be because of some other problems.

The Win95.CIH virus will not be active under the Windows NT environment. If you have Win95.CIH infected programs under Windows NT, download Protector Plus For Windows NT or CleanCIH.EXE to clean the infected files. Refer to question 4 above for more details.

Yes, it is possible, and CleanCIH.EXE will take care of FAT32 partitions also. For the detailed procedure for using CleanCIH.EXE, refer to question 4 above. The current version of CleanCIH.EXE is 1.6, and the size of the program is 20878 Bytes.


Basics of CIH 


Aliases:
Win95/CIH, CIH.Spacefiller, PE_CIH. Variants of 1003 and 1019 bytes, and two of 1010 bytes are known.
 
Type:
Fragmented cavity infector utilizing PE section slack space.
 
Infection:
Hooks the Windows 9x file system API.
 
Self-recognition in files:
A non-zero byte immediately before the PE header.
 
Self-recognition in memory:
A non-zero value in DR0.
 
Hex pattern:
All variants.
E800 0000 005B 8D4B 4251 5050
0F01 4C24 FE5B 83C3 1CFA 8B2B
 
Payload:
Overwrites 2048 sectors at beginning of each hard disk and overwrites part of the Flash BIOS boot block.
 
Trigger:
Opening an uninfectable EXE file on 26 April (CIH.1003, CIH.1010.A), 26 June (CIH.1010.B) or on the 26th of any month (CIH.1019).
 
Removal:
Boot from a clean floppy disk, delete infected files and restore from backups.
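
The two file indicators listed above (the non-zero byte immediately before the PE header and the hex pattern) can be checked with a short script. This is an added example, not code from this page or from CleanCIH.EXE; the function names, the verdict labels and the sample images are constructed for illustration, and treating the marker byte alone as weaker evidence than the pattern is an assumption of the example.

```python
import struct

# Hex pattern quoted in the fact sheet above ("All variants"), 24 bytes.
CIH_PATTERN = bytes.fromhex(
    "E800 0000 005B 8D4B 4251 5050"
    "0F01 4C24 FE5B 83C3 1CFA 8B2B"
)

def check_cih(data: bytes) -> dict:
    """Report the fact sheet's two file indicators for one file image."""
    result = {"is_pe": False, "marker_byte": False, "pattern_offset": -1}
    # DOS header: 'MZ' magic, with e_lfanew (PE header offset) at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Simplification: only accept a PE header placed after the DOS header.
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return result
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["is_pe"] = True
    # Self-recognition in files: non-zero byte immediately before the PE header.
    result["marker_byte"] = data[e_lfanew - 1] != 0
    result["pattern_offset"] = data.find(CIH_PATTERN)
    return result

def verdict(data: bytes) -> str:
    r = check_cih(data)
    if not r["is_pe"]:
        return "not-scanned"   # the virus infects only 32 Bit Windows EXE files
    if r["pattern_offset"] >= 0:
        return "infected"
    if r["marker_byte"]:
        return "marker-only"   # assumption: the marker byte alone is not proof
    return "clean"

def make_sample(marker: int, body: bytes) -> bytes:
    """Constructed image: DOS header, PE signature at 0x80, then body."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    dos[0x7F] = marker
    return bytes(dos) + b"PE\0\0" + body

if __name__ == "__main__":
    print(verdict(make_sample(0, b"\x00" * 64)))
    print(verdict(make_sample(0x55, b"\x90" * 16 + CIH_PATTERN)))
```
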

Regards,

Faisal Anwar.

NetSpiders Cyber Army.

 

Copyright©2002, All Rights Reserved.
