Program to scan and clean Win95.CIH (Spacefiller) virus.

CleanCIH Ver 1.6 - October 99

Program to detect and clean Win95.CIH Virus

This description is compiled from Proland Software sources

Strona
po polsku

usage

download

restore disk

back

Win95.CIH is a new virus that infects 32-bit Windows 95, Windows 98 and Windows NT executables files having the .EXE extension. When an infected program is run in a Windows 95 or Windows 98 computer, it infects the computer and becomes memory resident. The infected program will not work properly on a Windows NT computer. Once the virus becomes memory resident, it infects all the 32-bit EXE files opened. So the virus spreads to all files executed and also copied.

The size of the virus code is quite small and it is about 1000 bytes. The virus will not increase the size of the infected file. It uses an unique method to copy its code to the infected file. It fills up the unused space available in the 32-bit EXE file (PE format) with its code. If the virus can not find a single continuous large enough empty space to copy itself, it will slice itself up to many pieces and place them in the smaller empty slots. This virus is also known as Win95.Spacefiller for this behaviour. The virus alters the header entry point to the beginning of the virus code and builds the broken up parts to one piece of code when the EXE file is run. The virus code contanins the text "CIH", so it gets this name.

Win95.CIH virus has a dangerous payload that will trigger on the 26th of April or any month, depending upon the variant of the virus strain. This virus can damage the contents of the BIOS flash memory chip. Most of the new computers sold (80486 and later CPUs) have their BIOS programmed into the flash memory chips. Win95.CIH writes garbage to the flash memory chip if the chip is write-enabled. Many PC manufacturers leave the flash memory chip write-enabled. If this happens the computer will become unusable until the contents of the chip are restored or the motherboard is replaced. After damaging the BIOS the virus also makes the data in all the hard disks unreadable. Win95.CIH bypasses all types of BIOS protection mechanisms to do its destructive job. Because of these characteristics this is surely one of the most damaging virus.

Variants of the virus

There are three variants (1.2, 1.3 and 1.4) of Win95.CIH virus. These variants can be identified from the text string present in the virus code. The variants 1.2 and 1.4 are reported to be in the wild and spreading. Win95.CIH.1.2 and 1.3 do the damage on 26th of April only and Win95.CIH.1.4 does it on the 26th every month. Win95.CIH.1.4 is also the most frequently reported variant.

CleanCIH.EXE version 1.6 will detect and remove all these variants.

Usage  :  CleanCIH <Path> <Options>
Options: /AUTOCLEAN for Automatic disinfection
         /PROMPT for Prompting before disinfection
Example:
  CleanCIH C:\ to check the entire C drive.
  CleanCIH C:\WINDOWS to check the C:WINDOWS directory.
  CleanCIH C:\ /AUTOCLEAN to check and clean the entire C drive.
  CleanCIH C:\ /PROMPT to check and prompt before cleaning the entire C drive.

Download from this site CleanCIH.exe (21KB)

Download from Proland site CleanCIH.exe

Fix-CIH program restores FAT32 disks after WinCih attack.
Freeware by Steve Gibson
Download from this site Fix-CIH.exe (21KB)

Download from Steve Gibson site Fix-CIH.exe

This program is a part of Protector Plus Anti-virus Software (c) Proland Software, 1998

For comprehensive protection of your computers and networks install Protector Plus Anti-virus Software.

You can download 30 days Evaluation copies of Protector Plus from http://www.pspl.com

Protector Plus Anti-virus Software is available for Windows 95/98, Windows NT, Windows 3.x, DOS and NetWare.

CleanCIH is a free service provided by Proland Software to computer users all over the world to prevent the spread of this deadly virus.

For more information on Proland Software and the products we offer please visit http://www.pspl.com

Please mail your feedback and enquiries to sales@pspl.com

Back to previous page

You are the visitor since 14 December 1998