Data Recovery

The virus of CIH is a kind of malignant calculator system virus, it has 5 editions totally currently.Can make use of the core technique of the system of Windows9x when virus of CIH go into action to obtain the control power of the calculator, the procedure document that passes to infect with the system carries on the dissemination.When the virus go into action, will ruin the hard drive data and destroy by fire the calculator chip, make the system moment blue to hold, the machine can't start, the hard drive data throws to lose.Calculator once won the virus of CIH, can be plea for help in the repair that the professional company carries on the chip, the hard drive data only.

On July 26 in 1998, the virus of CIH appears for the very first time, resulted in the big area dissemination in the United States;On August 26 in 1998, the CIH virus invades the our country, resulting in numerous calculators paralyze, several days are after, public security official's department is exclusively for guard against this virus to send out the urgent circular.Henceforth yearly April 26, viruses of CIH all want to go into action once.On April 26 in 1999, the CIH is big to break out in the world, world over 60,000,000 set computers was break by the different degree;On April 26 in 2000, the CIH once more breaks out, the world loses over USD 1,000,000,000;On April 26 in 2001, the virus of CIH goes into action once again, the only region of Peking has to encounter the breakage of CIH over 6,000 set computers;On April 26 in 2002, the virus of CIH breaks out again, there are again several thousand set computers in Peking encounter the breakage.

A, virus brief introduction of CIH

Type:Halt to stay a calculator virus

Characteristic: The calculator's virus belongs to the household of W32, the infection Windows 95/98 medium possibility document that regards the EXE as the suffix.It has the tremendous destructiveness, can rewrite the BIOS to make it useless( as long as the microprocessor of the calculator is the 430 TXs of Pentium Intel), afterward the fruit is a calculator that uses the door and can't start, uniquely solve the method is to substitute the original chip( chip) of system, the calculator's virus goes into action on April 26, it will still break the calculator hard drive in of so information.The calculator's virus will not affect the MS/ DOS,3. xes of Windows and the operate system of Windows NTs.

Spread the path: The CIH can make use of probably of path carry on the dissemination:Soft dish, CD- ROM, Internet, the FTP download, E-mail etc..Only be the performance to be document by the infection the calculator virus would go into action, otherwise the calculator virus will be placed in the latent talent appearance forever. Symptom: The calculator virus may conceal in anily taking EXE as file extension can carry out document, but, only carry out these documents, the calculator virus would go into action.Once the calculator virus was activate( carried out to take the poisonous document), the calculator virus is to carry on sabotage, some is it is thus clear that of, but a little bit another possibility was not notice.

The following is the influence that the calculator virus may produce:

1.It will halt to stay the memory, this means the Windows 95/98 systems adjust to use any( open, close, heavy assign name to, replication or circulate) document hours that takes EXE as the file extension and will infect with the calculator virus.

2.Overlaying and rewriting information of BIOS can't make it work.

3.All informations( the format turns the hard drive) for breaking hard drive ises encounter the calculator start that the calculator virus break like bottom hint:" The DISK BOOT FAILURE, the INSERT SYSTEM DISK AND PRESS ENTER".And, if the customer tries to visit the hard drive also from the soft dish leading, will appear as follows the information" the INVALID DRIVE SPECIFICATION". The calculator's virus at include in its code following the string" the CIH v1.2 TT IT".

The first mutation of the calculator's virus is called the CIH v1.3 or CIH.1010s, this mutation will go into action on June 26, it at include in its code following string:" The CIH v1.3 TT IT". The second mutation is called the CIH v1.4 or CIH.1019s, it will go into action on 26 in every month, having the tremendous destructiveness.It will delete all informations within Flash- BIOSs, so will make the calculator connect the system dishs to all can not find, because have already dided not carry out the procedure of that function in the BIOS.

But, even started the calculator, the hard drive also cans not find, because the hard drive information has already also throw to lose the CHI.1019 Way that breaks the hard drive information is rewrite among them of contents.This mutation at include in its code following string:" The CIH v1.4 TATUNG".

Infect with the way: The CIH put own code in hard drive be subjected to the infection document can use an area, so the length of these documents will not increase, coming to a the hidden purpose.In fact, the calculator virus infection with EXE for file extension of Windows can carry out the reason of the document is these documents inside have and can conceal the calculator virus code with an area in great quantities.The CIH affects 32 documents only, so be limited by the Windows only 95/98 systems. After CIH calculator virus enters the memory, it will intercept the Installable File System( IFS) for the purpose of infection all expand to be named the EXE and can carry out the document.

Remarks: The CIH is disheveled hair in Taiwan first now, Taipei official report of basis, the calculator virus is from 24- year old CHEN2 YING2 HAO2( the Chen Ing- Halu) establishment of, is a C, I, H respectively because of the first letter of alphabet of its name, so this cause that may be the calculator virus name.

Two, the CIH virus important event record

June 2 in 1998:Taiwan spreads the first CIH virus report;

June 6 in 1998:Discover the edition of CIH V1.2;

June 12 in 1998:Discover the edition of CIH V1.3;

June 26 in 1998:The edition of CIH V1.3 results in the breakage of the certain degree;

June 30 in 1998:Discover the edition of CIH V1.4;

July of 1998:Discover in the environment of INTERNET a distribute the infection according to the system of WIN98 solid example;

July 26 in 1998:The CIH virus beginning is in the American big area dissemination;

August of 1998:Order to discover DEMO is infect with in the Wing Commander game station;

August of 1998:Two PCs of Europe game magazine CD is disheveled hair to infect with the CIH now;

August 26 in 1998:1.4 edition explosions of CIH, the first time spreads in the world;

August 31 in 1998:Public security official's department sends out the urgent circular, The Xinhua news agency, the central pedestal news syndication full text sows the hair;

September of 1998:The Yamaha drive the software that plait write to is infect with for the CD- R of a certain type CIH;

October of 1998:An in the global issue of the DEMO version of the game SiN is disheveled hair to infect with the CIH now;

March of 1999:It prepare to pack in 1.2 editions machines of Aptiva of the disheveled hair now IBM of CIH;

April of 199926:1.2 edition first time big scope explosion worlds of CIH over 60,000,000 set computers were break by the different degree;

April of 200026:1.2 editions of CIH big scope for the second time explosion, world lose over USD 1,000,000,000;

April of 200126:CIH big scope for the third time explosion.Only Peking has to encounter the breakage of CIH over 6,000 set computers;

April 26 in 2002:The virus of CIH breaks out again, several thousand set computers encounter the breakage;

Three, guard against the virus of CIH

Say that the best way of guard against the virus of CIH is to compute the on board gearing to check to kill the virus software for the calculator customer, and check to kill the virus and settle in time upgrade.Don't wish to spend money to purchase to kill the poisonous software or don't wish to let kill the customer that the poisonous software takes up the limited hard drive resources, can also adopt on-line kill the way of the poison to protect own computer.

Author:The college of eNet takes off the plait