Fix for Chernobyl virus from major anti-virus vendor
Symantec Releases Chernobyl Fix
Information and Protection for W95.CIH (Chernobyl) virus: KILL_CIH.EXE Tool
Introduction
Note: If you are already infected with the W95.CIH virus, run the KILL_CIH tool first before attempting to update your anti-virus definitions or scan your system. If you attempt to scan with an anti-virus product without first running this tool, you run the risk of causing your infection to spread. Once you have used this tool, you can safely update your Norton AntiVirus definitions and scan your machine.
The KILL_CIH tool will not detect or remove the W95.CIH virus from files; it will only disable the virus in memory so that an anti-virus program can remove the infection without inadvertently spreading the virus. A freeware version of Norton AntiVirus that detects and removes the virus from files is available on the Symantec website.
This CIH removal tool can be run from either the DOS command line or from a login script, allowing an administrator to automate the disinfection process. This means that an administrator does not have to go to each workstation on their network and reboot from a clean floppy in order to clean the computer.
After using this tool, you should update your virus definitions and then start a complete scan of the computer with an anti-virus program such as Norton AntiVirus. This will eliminate the virus and repair any damaged files.
The tool itself is designed to avoid infection by the virus and can safely be run without becoming infected if the virus is already resident on a computer.
W95.CIH Background (Chernobyl)
The virus infects by first looking for empty, unused spaces in the file; it then breaks itself up into smaller pieces and hides in these unused spaces. Norton AntiVirus is able to repair an infected file by looking for these viral pieces and removing them.
Usage
After running this tool, update your virus definitions and initiate a scan with Norton AntiVirus or another anti-virus product that is capable of removing the W95.CIH virus from files.
The KILL_CIH.EXE program requires no command line arguments. It will display one of several different messages upon completion:
"The W95.CIH virus was found in memory. The W95.CIH virus has been successfully disabled. You can now run the Norton AntiVirus to remove any infections from files."
This message is displayed if any strain of the W95.CIH virus is found in the computer's memory. The tool has disabled the virus in memory and will prevent it from causing damage to the system or infecting any additional files. At this point, it is safe to run Norton AntiVirus or another anti-virus program to remove the virus from the system.
"The W95.CIH virus was not found in memory."
ITINFO is an electronic publication of Damar Group, Ltd., publisher of Training Express computer learning guides. Previous issues are on our website at http://dgl.com/itinfo/.
updated May 9, 1999