CIH is a malicious virus that can destroy computer hardware. It originated in Taiwan, first spread widely in Europe and America through pirated CDs, and then reached every corner of the world through the Internet. At present its main channels of transmission are the Internet and e-mail. CIH infects only the Windows 95/98 operating systems; from analysis so far it appears to have no effect on DOS, which is probably because it relies on VxD (Virtual Device Driver) technology under Windows. Windows 95/98 users should therefore pay particular attention. It is precisely because of this unusual use of VxD technology that the virus spreads so quickly and so stealthily in the Windows environment, and why ordinary antivirus software has difficulty finding it.
CIH triggers on the 26th of every month (one version triggers only on April 26th each year). When it triggers, it completely destroys the data on the hard disk and, on some computer motherboards, also overwrites the BIOS. Once the BIOS has been overwritten the system cannot start, and the computer has to be sent back to the manufacturer for repair and replacement of the BIOS chip. CIH is recognised as the first virus able to destroy computer hardware, and it is the most lethal of the malicious viruses.
From a technical point of view, the virus was written with VxD technology, which is the core of Windows 95/98 and is tightly bound to the lowest layer of the operating system, so CIH does not spread to DOS or Windows NT. This technical feature poses a great challenge for traditional anti-virus technology, because the traditional anti-virus tools in use are basically pure DOS programs, or DOS programs emulated under Windows 95, and they cannot reach deep enough into the Windows 95/98 operating system to eliminate CIH completely. On the other hand, because it is so closely combined with the bottom layer of the operating system, CIH spreads faster and more covertly.
Outbreak behaviour
At present, five kinds of CIH have been reported by authoritative virus collection networks, covering both the "original type" and "variant types". The CIH "variants" not only do not enlarge the infected files, they are also extremely destructive. There are three main variants of the virus (CIH v1.2: triggers on April 26th; CIH v1.3: triggers on June 26th).
1. Attacking the BIOS. The most unusual feature of CIH is its attack on the computer's BIOS. When the computer is switched on, the BIOS first gains control of the system: it reads the system settings from CMOS, initialises the system devices and coordinates the flow of data between them. When CIH triggers, it tries to write junk into the BIOS; the BIOS contents are completely wiped and the computer can no longer start. The only remedy is to replace the motherboard or the BIOS chip. According to tests, CIH can destroy dozens of the common BIOS types on the market. In this respect CIH is the first virus that directly attacks and destroys the computer hardware, and it has devastating consequences for many computer users.
2. Overwriting the hard disk. Writing junk to the hard disk is the other destructive action of CIH. When CIH triggers, it calls BIOS SendCommand to access the hard disk directly and writes junk to the disk in units of 2048 sectors until all the data on the hard disk (including every logical disk) has been destroyed.
One thing users should note: do not assume that CIH cannot damage your computer just because your motherboard has a BIOS write-protection jumper. Even when the BIOS write-protection jumper on many motherboards is set to write-protect, the BIOS can still be overwritten, because some BIOS chips can be rewritten without the programming voltage that the jumper controls.
CIH virus repair method
1. Guanqun Company
For the hard disk damaged by CIH, you can do the following:
1) The first logical disk, usually drive C:, cannot be fully recovered. However, if you created an emergency disk with Kill98, you can use the copies of the master boot record and partition table saved on the Kill98 emergency disk to recover the hard disk and retrieve most of the files.
2) Other logical disks, as long as they are not FAT32, can be recovered with disk tools such as NDD or Kill98 emergency disk, but users need to have enough knowledge of the physical structure of the hard disk.
3) Logical disks on FAT32 partitions require a professional with a deep understanding of the FAT32 structure to restore them manually with tools such as Debug.
For the motherboard damaged by CIH, you can do the following:
1) If it is a motherboard of a manufacturer's brand that can provide good service, please contact the manufacturer.
2) Find a motherboard of the same model (the manufacturer and version of the BIOS must be exactly the same), download the upgrade file provided by the motherboard manufacturer, remove the damaged BIOS chip, start the computer with the good BIOS chip, swap the damaged chip back in while the power is on, and write the image from drive A ... (This method is very dangerous because it is done live, and the operation may destroy the whole board. Be very careful!)
3) Some BIOS upgrade programs check the BIOS version number before writing; if it does not match, the chip cannot be rewritten this way. If the BIOS cannot be written in this way, the computer's BIOS chip must be replaced. Contact your hardware vendor or the motherboard agent.
2. Rising Company
First start the machine from the Rising antivirus floppy, then run the DOS version of Rising antivirus software and select the hard disk repair item from the menu. The program automatically analyses whether the hard disk needs to be repaired.
1) If the message "The hard disk is OK, don't restore it! Enter = return to main menu" appears, your hard disk is in good condition and does not need to be repaired.
2) If a red prompt box appears reporting the partition information of the hard disk and the type of file allocation table (FAT), first confirm whether the reported information is correct, then decide whether to restore according to the following prompt:
"Restore partition table? (Yes/No)"
If "Y" is selected, Rising Antivirus automatically restores the partition information of the hard disk.
If "N" is selected, Rising Antivirus returns to the main menu.
After the partition table has been restored, Rising Antivirus prompts "Restore drive C: (Y/N)" and asks whether to continue by restoring the files on drive C.
If you select "Y", Rising Antivirus automatically restores the files on drive C. If you select "N", it returns to the main menu.
After the partition table has been restored you can restart the machine, and the extended logical partitions such as D and E will be fully visible again. If you also restore the files on drive C before restarting, you will not only find the extended logical partitions but also see the recovered directories on drive C, named "Rising.XXX" (where XXX is a number from 0 to 999). At this point the extended partitions are back to normal and the important files from each directory of drive C have been backed up.
3) If the message "Hard disk cannot be recovered, Enter = return to main menu" appears, the data on your logical disks cannot be recovered with this function. In that case, contact our company or another professional data recovery service for analysis, so that other methods can be used to ensure that important data is not lost.
3. Time Pioneer Company
Its "Xingtian 98" can make a computer permanently immune to CIH. The method is that, after scanning, it directly writes the mark that CIH would leave after infecting the system. When CIH later reaches the computer, it first looks for this mark, mistakenly concludes that the computer has already been infected by CIH, and so does not "re-infect" it; CIH is deceived and the user's computer stays safe. The principle behind this method is as follows.
Because a computer virus is meant to spread over a large area, it is inevitable that the same file would otherwise be infected repeatedly. Repeated infection of a file can cause system anomalies and upset the virus's plan for propagation and destruction. Therefore a virus program generally contains an "infection mark" (also called a "virus signature"): when it infects a host program, it writes the infection mark into the host as a sign that the program has already been infected, and before infecting a clean program it searches for the mark. If the mark is present, the program is considered infected; if not, the virus infects it. CIH uses VxD technology and seizes control of the system when it infects it; if it seized control repeatedly it would cause a crash and destroy the virus's latency. So CIH leaves an "infection mark" after infecting the system and checks for it before every infection; if the mark is found, it does not infect again.
"Xingtian 98" clones the "infection mark" of CIH. As long as users run the anti-virus software "Xingtian 98" (the latest release is available; existing users should upgrade as soon as possible), they can permanently plant the CIH vaccine in their computer system, so that the system is never infected by CIH again (this is effective against all CIH variants, including the rumoured second-generation CIH). (Note: if the system is formatted, "Xingtian 98" must be used again to re-immunise it.)
4. Network Associates (NAI)
McAfee VirusScan, released by the American company Network Associates, deals effectively with CIH and also provides online technical support so that users can update in real time over the Internet. NAI's website () offers many suggestions and schemes on the characteristics and thorough removal of CIH.
5. Beijing Jiang Min Company
On the 26th of this month, CIH v1.2 triggered. The symptoms include: the hard disk cannot start normally and all logical partitions are lost; a monitor that previously displayed normally shows nothing (the machine's BIOS has been overwritten by the virus); and the computer cannot be started from a floppy disk.
(1) In the first case, you can use the F10 function key of KV300 to rebuild the hard disk partition table. The steps are as follows:
1) Start the computer from a clean system floppy disk. When the KV300 main screen appears, press F10; KV300 automatically detects the hard disk parameters and partitions and rebuilds the abnormal partition table. You will be prompted to back up the damaged partition table before it is rebuilt;
2) For safety, the original partition table must be backed up. During the operation, type "Y" twice when prompted.
(2) If the BIOS has been overwritten by the virus, so that the computer cannot display or boot from a floppy disk, the BIOS chip must be replaced. Contact your hardware vendor or the motherboard agent;
(3) In some special cases, if the logical drives D, E, F (not drive C) cannot be repaired by the above methods, contact Jiang Min directly.
(4) A computer that can still be started has not been damaged by CIH.
A typical case of CIH virus
On April 26th, 1999, XX Company used a floppy disk infected with CIH, and two computers were damaged by the virus that day. The data on their disks could not be found, resulting in a loss.
The specific damage is as follows:
These two computers were "586" models (compatible machines), probably with early "586" motherboards whose BIOS chips are not software-rewritable. The motherboards of both computers were therefore unaffected and could continue to be used.
The hard disks of both computers were Quantum Fireball 2.1 GB drives, and both showed the same symptom: the hard disk could not boot and was not recognised, and even after booting from a floppy disk drive C could not be found.
The technicians booted DOS from drive A, read the master boot sector of one hard disk into memory with a debugging program, and found that the partition table had been cleared by the virus. They then read the sectors where the file allocation table should be and found that they no longer held normal partition contents but were covered with junk data.
They then tried to repair the hard disk with "Norton" Disk Doctor:
In the first step, "Norton" found the start of the first partition at head 1, sector 1, cylinder 1FF of the hard disk. This is an unusual position: normally the first partition starts at head 1, sector 1, cylinder 0. Norton found no second partition. (According to the user of this disk, the hard disk had two partitions of 1 GB each before it was destroyed.) After the first partition was found and the computer restarted, the hard disk was recognised and some files on drive C were still present, but the file names and directory structure had changed completely; the Windows 95 system files and data files originally on drive C could no longer be found. Parts of the original D partition could be restored. A full recovery seems impossible.
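The master boot sector analysis described above (reading the MBR, checking whether the partition table has been cleared, and decoding the head/sector/cylinder positions that Norton reported) is easy to reproduce offline. The following is an added example, not the tools' or the page's own code: it parses a 512-byte MBR image, classifies each of the four partition entries, and reports whether the table looks intact, damaged, or wiped. The two sample sectors (a healthy two-partition layout modelled on the 2.1 GB disk in the case, and a junk-overwritten sector) are constructed here, not taken from a real disk.

```python
import struct

def unpack_chs(b):
    """Decode a packed 3-byte CHS field into (cylinder, head, sector)."""
    head = b[0]
    sector = b[1] & 0x3F                       # low 6 bits of byte 1
    cylinder = ((b[1] & 0xC0) << 2) | b[2]     # high 2 bits of byte 1 + byte 2
    return cylinder, head, sector

def pack_chs(cylinder, head, sector):
    """Inverse of unpack_chs; only used to build the constructed samples."""
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])

def parse_mbr(sector):
    """Return (signature_ok, entries) for one 512-byte master boot record."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i:446 + 16 * (i + 1)]
        lba_start, size = struct.unpack("<II", raw[8:16])
        entries.append({"raw": raw, "boot": raw[0], "start_chs": unpack_chs(raw[1:4]),
                        "type": raw[4], "end_chs": unpack_chs(raw[5:8]),
                        "lba_start": lba_start, "sectors": size})
    return sector[510:512] == b"\x55\xAA", entries

def classify(e):
    """'empty', 'plausible' or 'corrupt' for one partition entry."""
    if e["raw"] == bytes(16):
        return "empty"
    sane = (e["boot"] in (0x00, 0x80) and 1 <= e["start_chs"][2] <= 63
            and 1 <= e["end_chs"][2] <= 63 and e["type"] != 0
            and e["lba_start"] > 0 and e["sectors"] > 0)
    return "plausible" if sane else "corrupt"

def assess(sector):
    """Overall verdict: 'wiped' (no 55AA signature), 'damaged', 'intact' or 'empty'."""
    sig_ok, entries = parse_mbr(sector)
    kinds = [classify(e) for e in entries]
    if not sig_ok:
        status = "wiped"
    elif "corrupt" in kinds:
        status = "damaged"
    else:
        status = "intact" if "plausible" in kinds else "empty"
    return {"signature_ok": sig_ok, "entries": kinds, "status": status}

def entry(boot, start, ptype, end, lba_start, sectors):
    return bytes([boot]) + pack_chs(*start) + bytes([ptype]) + pack_chs(*end) + struct.pack("<II", lba_start, sectors)

# Constructed samples: boot code left as zeros, two ~1 GB partitions like the case above.
HEALTHY_MBR = bytes(446) + entry(0x80, (0, 1, 1), 0x06, (1023, 254, 63), 63, 2097152) \
    + entry(0x00, (1023, 0, 1), 0x05, (1023, 254, 63), 2097215, 2097152) + bytes(32) + b"\x55\xAA"
JUNK_MBR = bytes((i * 37 + 11) & 0xFF for i in range(512))   # constructed junk overwrite
```

Run `assess()` on a sector dumped from a damaged disk to get the same verdict the technicians reached by hand; the first entry's `start_chs` is the position Norton reported.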
Conclusion: the author of the virus had ulterior motives. Even where the BIOS of a motherboard cannot be destroyed, the hard disk data is destroyed beyond recovery. Only anti-virus software with real-time protection can fully resist CIH's attack on the system and free users from worry.