Please help me!
My computer has a virus "W32.CIH.SPACEFILLER" (size: 1003 Bytes).
What can I do now? McAfee says that I must delete all my .exe files but I
haven't got a backup copy :-( It also says that it can not be removed! Is
that so ???? I know that this virus doesn't make any "BIG-harm" but...
Is there any program which can disinfect "W32.CIH.SPACEFILLER" virus???
Please tell me, because I don't want to Format my hd's!
If you have any comments about this case, please reply to my email address.
Please don't repost any software...
REMOVE.T...@pp.inet.fi (please take away ---> "remove.this" )
-logo-
In article <NKAd2.140$ui6...@read1.inet.fi>, nos...@please.com says...
Any good up-to-date anti-virus program like AVP (http://www.avp.ch) or
F-Prot for DOS (http://www.complex.is) will detect and remove the CIH
virus.
In order to successfully remove the virus you're going to have to boot
your computer from a clean, write-protected system diskette and run the
DOS version of either AVP or F-Prot from floppy (in the case of CIH a SAFE
MODE Command Prompt will do).
Be sure to include EMM386.EXE & HIMEM.SYS on your boot diskette along
with a CONFIG.SYS that contains the following lines:

    DEVICE=HIMEM.SYS
    DEVICE=EMM386.EXE /noems
    DOS=HIGH,UMB

Instructions for using AVP & F-Prot from floppy:
AVP (http://www.avp.tm): Unzip the archive to a clean floppy and write
protect it. After booting the infected machine from a clean boot disk, put
the disk containing AVP into the drive and type: AVP. AVP uses a
menu-driven interface: select Local hard disks on the Location menu and
Display disinfect dialog on the Actions menu, then select Search Now.

F-Prot (http://www.complex.is): Copy the files F-PROT.EXE, ENGLISH.TX0 &
*.DEF to a clean floppy and write protect it. After booting the infected
machine from a clean boot disk, put the disk containing F-Prot into the
drive and type: F-PROT /HARD /DISINF
Here is a description of CIH from Data Fellows F-Secure Anti-Virus
(http://www.datafellows.com).
Name: CIH
Type: Resident EXE-files
Alias: PE_CIH, CIHV, SPACEFILLER
Origin: Taiwan
CIH virus infects Windows 95 and 98 EXE files. After an infected EXE is
executed, the virus will stay in memory and will infect other programs as
they are accessed.
The CIH virus was first located in Taiwan in early June. After that, it
has been confirmed to be in the wild in at least France, Germany, The
Netherlands, Sweden, China, Israel, Chile and Australia. CIH has been
spreading very quickly as it has been distributed through pirated
software.
It seems that at least four underground pirate software groups got
infected with the CIH virus, and they inadvertently spread the virus
globally in new pirated software they released through their own
channels. These releases include some new games which will spread world-
wide very quickly. There's also a persistent rumor about a 'PWA-cracked
copy' of Windows 98 which would be infected by the CIH virus but Data
Fellows has been unable to confirm this.
What makes the CIH case really serious is that the virus activates
destructively. When it happens the virus overwrites most of the data on
the computer's hard drive. This can be recovered with recent backups.
However, the virus has another, unique activation routine: It will try to
overwrite the Flash BIOS chip of the machine. If this succeeds, the
machine will be unable to boot at all unless the chip is reprogrammed.
The Flash routine will work on many types of Pentium machines - for
example, on machines based on the Intel 430TX chipset. On most machines,
the Flash BIOS can be protected with a jumper. By default, protection is
usually off.
The CIH virus infects Windows executable files (EXE files). It does not
infect Word or Excel documents. CIH works under both Windows 95 and
Windows 98, but it does not work under Windows NT.
CIH uses a peculiar way of infecting executables. As a result, the size
of the infected files does not grow at all. The actual size of the virus
code is around 1 kB. The virus also employs advanced tricks in jumping
from processor ring 3 to ring 0 in order to hook file system calls.
There are four known closely-related variants:
CIH v1.2 (CIH.1003): Activates on April 26th. This is the most common
variant. It contains this text:

    CIH v1.2 TTIT

CIH v1.3 (CIH.1010.A and CIH.1010.B): Activates on June 26th. Contains
this text:

    CIH v1.3 TTIT

CIH v1.4 (CIH.1019): Activates on 26th of every month. It is in the wild,
but not particularly common. It contains this text:

    CIH v1.4 TATUNG
[Mikko Hypponen/Data Fellows]
Hope this helps. Good Luck.
--
Cheers-
Jeff Setaro
jase...@sprynet.com
http://home.sprynet.com/sprynet/jasetaro
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99
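
The description quoted above gives a text marker and a trigger date for each CIH variant. As an added example (not part of the original posts, and not how AVP or F-Prot detect the virus), the Python code below checks a file image for a PE header and those markers and reports the next trigger date. The function names and the sample bytes are constructed for illustration, and a marker hit is only a heuristic indicator, not a disinfection or a definitive diagnosis.

```python
import struct
from datetime import date

# Markers and trigger dates as listed in the description above.
# month=None means "the 26th of every month".
VARIANTS = [
    (b"CIH v1.2 TTIT", "CIH v1.2 (CIH.1003)", 4),
    (b"CIH v1.3 TTIT", "CIH v1.3 (CIH.1010.A/B)", 6),
    (b"CIH v1.4 TATUNG", "CIH v1.4 (CIH.1019)", None),
]

def is_pe(data):
    # MZ header at offset 0; the dword at 0x3C (e_lfanew) points at "PE\0\0".
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def next_trigger(month, today):
    # Next activation date on or after `today`.
    if month is None:
        if today.day <= 26:
            return today.replace(day=26)
        if today.month == 12:
            return date(today.year + 1, 1, 26)
        return date(today.year, today.month + 1, 26)
    candidate = date(today.year, month, 26)
    return candidate if candidate >= today else date(today.year + 1, month, 26)

def scan(data, today):
    # Returns (variant name, next trigger date) or None.
    if not is_pe(data):
        return None  # CIH infects Windows EXE (PE) files only
    for marker, name, month in VARIANTS:
        if marker in data:
            return name, next_trigger(month, today)
    return None

def make_pe(payload=b""):
    # Constructed sample: minimal MZ stub + PE signature + padding.
    # Not a real executable and contains no virus code.
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\0\0" + bytes(64) + payload + bytes(64)

if __name__ == "__main__":
    print(scan(make_pe(b"CIH v1.2 TTIT"), date(1998, 12, 10)))
```
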
Hope this is of use.
From Proland Software, the makers of Protector Plus anti-virus software.
> Please help me!
>
> My computer has a virus "W32.CIH.SPACEFILLER" (size: 1003 Bytes).
>
> What can I do now? McAfee says that I must delete all my .exe files but I
> haven't got a backup copy :-( It also says that it can not be removed! Is
> that so ???? I know that this virus doesn't make any "BIG-harm" but...
>
> Is there any program which can disinfect "W32.CIH.SPACEFILLER" virus???
> Please tell me, because I don't want to Format my hd's!
>
> If you have any comments about this case, please reply to my email address.
> Please don't repost any software...
>
> REMOVE.T...@pp.inet.fi (please take away ---> "remove.this" )
>
> -logo-
>
>
-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
This is a VERY BAD virus! Urgent cleaning is MANDATORY because some variants
are doing the same on other dates!
Use F-Prot
http://www.wdr.de/tv/Computer-Club/zip-files/fp-303.zip
===============
Regards
Knut Balz
Email: ba...@gmx.de
===============