CIH is a virus, yes. For a cure go to http://www.grc.com/cih.htm This message was edited by Hiroshimator, on 7/1/2001 10:38:21 PM
disease_2000, need to get that fixed ASAP! If you find out where you got it, I'm sure everyone here would like to know. Maybe you got it from one of those reverse engineering sites you have been talking about? :eek: Good luck, hope you can inoculate everything. Finding it before it's done any long term damage is a real plus! Hiroshimator, oh that link is so FUNNY! Ha, ha, ha, everyone here is rolling on the floor!
d2k, email it to me and I'll see if any of my anti-virus things will clean it for you... I'm using Norton 2001 on win2k Thanks, _Shawn
I had exactly the same problem... 50% of my executables have this "CIH v1.2 TTIT" string, but I exchanged ifsmngr and now there is no more CIH :) Don't know why, but every AV software (even F-Prot) did not recognize a virus or the like...
Here are some facts (copied from F-Secure).

The CIH virus was first located in Taiwan in early June 1998. After that, it has been confirmed to be in the wild worldwide. It has been among the ten most common viruses for several months. CIH has been spreading very quickly as it has been distributed through pirated software. It seems that at least four underground pirate software groups got infected with the CIH virus during summer 1998. They inadvertently spread the virus globally in new pirated software they released through their own channels. These releases include some new games which will spread world-wide very quickly. There's also a persistent rumor about a 'PWA-cracked copy' of Windows 98 which would be infected by the CIH virus, but F-Secure has been unable to confirm this.

Later on, CIH was available by accident from several commercial sources, such as:
- Origin Systems website, where a download related to the popular Wing Commander game was infected
- At least three European PC gaming magazines shipped magazines where the cover CD-ROM was infected - one of them even included a note inside advising users to disinfect their machines after using the CD-ROM
- Yamaha shipped an infected version of a firmware update software for their CD-R400 drives
- A widely spread demo version of the Activision game SiN was infected as well - this infection did not originate from the vendor
- IBM shipped a batch of new Aptiva PCs with the CIH virus pre-installed during March 1999, just a month before the virus activates destructively

What makes the CIH case really serious is that the virus activates destructively. When it happens the virus overwrites most of the data on the computer's hard drive. This can be recovered with recent backups. However, the virus has another, unique activation routine: it will try to overwrite the Flash BIOS chip of the machine. If this succeeds, the machine will be unable to boot at all unless the chip is reprogrammed.

The Flash routine will work on many types of Pentium machines - for example, on machines based on the Intel 430TX chipset. On most machines, the Flash BIOS can be protected with a jumper. By default, protection is usually off. The CIH virus infects Windows executable files (EXE files). It does not infect Word or Excel documents. CIH works under both Windows 95 and Windows 98, but it does not work under Windows NT.
Be sure to send a thank-you mail to Steve Gibson, it's his program AND he's an assembler programmer! :)
Hiro, that program that he created was cool (in 100% assembly). I run it in DOS, but I didn't actually use it to format my HDD. He said that even if the program tries to fix the BIOS and HDD sector, the virus will still be there. What that means is that it turns back the clock and slows down CIH a bit. My step was: FORMAT HDD completely. And now, that virus is gone.
------------------------------------------------------------
That virus is cool. I like it. I hope there's a source code for it out there. This message was edited by disease_2000, on 7/2/2001 7:44:14 PM
disease, Just a word of wisdom from an old timer: the guy who wrote CIH ended up in jail and the virus trashed a lot of innocent people's computers, so I would be very careful about playing with this stuff. There has been some clever code in the virus area, but it is "idiot savant" style coding, good at one thing only, and in general coding terms the majority of virus code is genuine crap. No decent architecture, no clever optimisation, very little in the area of original ideas, just mindless spiteful destruction that targeted little people who never hurt anybody. I know you are a pretty sensible dude and you are not the type of guy who would willingly damage someone else's computer, so just be careful playing with this crap, it may distract you from doing useful and smart things with assembler. Regards, firstname.lastname@example.org
hutch, what you said is very true. Back then, that's who I was. I thought that crashing other people's computers was fun (oh, that was back when I was 13. It's a very different world I had lived in. But I never actually crashed people's systems. I never sent people a virus; I was curious about its intelligence and how it works, and because of that, it took me into the world of Reverse Engineering, where I was blinded by the code they called "Assembly". I learnt how to reverse programs through one knowledge - ASCII - and with my own common sense. Sooner or later, I was taken into the dark side by my curiosity, a world with no common sense. A world with no feeling and understanding of how important data is to oneself. And that world was - hacking.) All those times, I could have done something more useful, such as learning assembly, creating something interesting. But unfortunately, I'm self-taught, and my urge to learn assembly was very high back then. Didn't have the ability to teach myself. I however crawled on my knees by trying to reverse as many programs as I could on my own, just to understand assembly and the logic behind it. Or in other words, I learned assembly through reverse engineering.
-----------------------------------------------------------------
I've been in three worlds. Those 3 worlds helped me to realize how stupid humans are, how one such knowledge can damage one area of thinking. And whenever I try to pass this knowledge on to someone else, they just don't seem to get it. I guess you only see the light when you actually light it yourself! (burn the candle yourself, or whatever that might be). Anyone reading this, I hope you get my msg. hutch, the reason I want that CIH source is because I want to study how it works - cause it actually tricks debuggers. If I know how CIH tricks my debugger (the one that I use), then I can try to come up with another way. I already took down w32dasm. :). I never hurt anyone.
With my current knowledge, I believe I can, but empathy stopped me from doing it. So, that means you will never see me running around with a virus on this forum. Not even if you give me 2000 million (ohh, that's a lot. ya right).
-----------------------------------------------------------------
"playing with this crap, it may distract you from doing useful and smart things with assembler"
-----------------------------------------------------------------
I think we all should paint that on our wall one day.
Tricking the debugger is very simple; there are a couple of techniques out there like structured exception handling/deleting debug registers/self modifying code/debug APIs/... If I were you I would not play with compiled virii - many of them use destructive anti-debug techniques, and when a clueless guy tries to debug them your hard drive or whatever will be deleted, so be very very careful.
Hutch, The CIH was uploaded to warez sites, so I would not say that people who were affected by the CIH virus were completely innocent. Actually if viruses can prevent people from using pirated software, it's not a bad thing. It's like sex: if you don't want to be infected, don't cheat on your wife.
The thing with virii is that they spread, and they do so in an aggressive way. I often help people (not so computer literate friends etc.), and my brother often downloads stuff from the internet. These two facts combined mean that I can unwittingly spread a harmful, and downright evil program to an innocent person (some of whom have no idea of how to use their computers (I've seen recycle bins with over 200Mb of deleted items in, that on a 2Gb drive)). Even if you have a virus that simply targets the downloaders of "Warez", such vigilantism is just as illegal as the crime it purports to fight. Anyone who uses that excuse to write virii is only fooling themselves or other particularly stupid people. I personally believe that those who are capable of coding virii are themselves quite talented (if perverted) individuals. Those who release virii to cause harm are sick, and twisted, and really deserve everything they get. The worst are those that call themselves L33t0 ha>
I would suggest you pick up a copy of AVP antivirus (www.avp.ch, NOT www.avp.com) - it's probably one of the best products on the market right now. Just for fun, I was going to install Back Orifice on one of my friends' PCs (he's the type of guy that can handle it - we pull these kinds of jokes on each other, but not on other people). So I ran the BO server through a couple of packers and encrypters, and even hand-edited it a bit. And the AVP monitor was still able to detect it. Pretty nice app, and definitely worth your money. As for coding virii... it's definitely a way to learn a lot about low-level stuff and what makes Windows tick. However, spreading virii is so.damn.lame. Whether in binary form or at some VX site. IMHO, you should keep these beasts to yourself (as I have always done). It's not fun to harm other people. And as for payloads... what's the FUN of trashing a HD or flashing an EEPROM? It's not very hard to do... graphical payloads, small tunes, etc... that's another story :). But even if you make a nondestructive virus, don't spread it. What if you made a bug? ...
f0dder, "I hope there's a source for it out there" is just an expression of my interest. :) I don't post any exe on this forum. Say, is it good to format your HDD every now and then? Will there be harm to your HDD if you do it frequently?
With the size of programs these days, it's getting easier and easier to hide more and more in the sea of code that makes up the typical software installation - that's scary to me. With everyone connected to the web and shopping online, someone could create a virus that collects private information! I won't outline the method I'd use to create such a virus here. Knowing what is possible is scary enough for me - all it would take is an investment of time. I have never used anti-virus software in twenty years, but I have lost data twice because of a virus. Many times I have found viruses on computers that I've worked on - never with anti-virus software. :) Maybe I'm just lucky. :D I think there will always be children who rebel in this way - writing defiant/destructive code - some children are older than others. ;) Knowledge is power, and power is abused without respect - guns, drugs, explosives, virii... People get hurt - it is very sad. :(
Formatting your hard drive every now and then is a good thing, as far as I know. Just don't overdo it. For general "everyday" ;) formats (ie, Windows reinstall), I'd do a quick format. But once a year or so, I don't think it would hurt to do a full format. It's good to be a bit paranoid wrt software, especially when not downloading it from large places on the net. (Note that warez from "big sites" usually aren't infected - the 1337 d3wdz have too much pride to want this on their names). I run AVP antivirus (the best at the moment, imho). I don't use the monitor, though, as monitors lull you into a fake sense of being secure. I do manual scans on every new software I download. And I very often open install executables in a hex editor, just to see if there's anything suspicious. And sometimes I even do "manual install", to avoid spyware and the like (did that with FlashGet/JetCar, a nice resume downloader).

The three times I've had a virus infection were before good heuristic scanning engines were about, and my AV software wasn't new enough to detect the stuff. However, at that time, I had a pretty good idea of what *every* file (except some in windows\system) was, all 12.000 of them :D. "Stuff felt wrong". Manually running each exe/com file (clean boot), then running a (clean) file from a write-protected floppy. The virus didn't have a critical error handler, so when it tried to infect the file on the floppy, it failed. And thus I tracked down every bit of virus (except qbasic.exe, which I hadn't been running - directly. But edit.com used to depend on qbasic, so I had a few more outbreaks and manual hunts before realizing the qbasic problem). I found the CIH virus on my computer the day before it would have wiped my motherboard. Didn't know what it was, but I surely didn't like seeing a "CIH" signature in various exe and DLL files, especially not files I had just been linking myself.

I found out about the CMOS flashing the next day, because one of my friends had a very grim look when I met him. So even though I have been lucky, and have had a very good feel for my system (which is probably why I never had data loss due to virii, and why I haven't been trojanized yet), I still recommend everybody to be a bit paranoid and install firewalls + AV software. And don't even think about anything from McAfee or Norton. Norton AV couldn't even detect a lame Sub7 trojan! AVP on the other hand has heuristics, unpacks many exepackers automatically, etc (no, I'm not in their sales division ;)). Also, if you are tired of Windows reinstalls, I can heartily recommend Norton Ghost - all my apps and complete system configuration can be installed in seven minutes. Sure beats the (minimum) 3 hours to install everything, plus weeks of small tweaks. And the best of it all is that I can get my ~1.5gig primary partition down to <700 megs - so I can burn a bootable recovery CD.
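A defender-side version of the canary-file hunt and hex-editor inspection described in the post above, added here as an example and not code from the thread: snapshot the hashes of every executable, then flag anything that changed, appeared, or carries the "CIH v1.2 TTIT" string an earlier poster reported. The directory, the fake program and the simulated infection are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Marker string forum posters reported inside infected executables.
CIH_MARKER = b"CIH v1.2 TTIT"
EXEC_SUFFIXES = (".exe", ".com", ".dll")


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def executables(root):
    """Yield every executable-looking file under root (suffix check only)."""
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            yield p


def baseline(root):
    """Record a hash per executable: the 'clean boot' snapshot to compare against later."""
    return {str(p): sha256_bytes(p.read_bytes()) for p in executables(root)}


def scan(root, known):
    """Return (path, reason) findings: new or modified files, plus any carrying the marker."""
    findings = []
    for p in executables(root):
        data = p.read_bytes()
        key = str(p)
        if key not in known:
            findings.append((key, "new executable"))
        elif sha256_bytes(data) != known[key]:
            findings.append((key, "changed since baseline"))
        if CIH_MARKER in data:  # cheap string check, like eyeballing it in a hex editor
            findings.append((key, "contains CIH marker string"))
    return findings


def demo():
    """Constructed scenario: a clean canary program, then a simulated file-infector append."""
    with tempfile.TemporaryDirectory() as d:
        canary = Path(d) / "canary.exe"
        canary.write_bytes(b"MZ" + b"\x00" * 64 + b"hello")  # fake, not a real PE
        known = baseline(d)
        clean = scan(d, known)          # expected: no findings
        canary.write_bytes(canary.read_bytes() + b"\x90" * 8 + CIH_MARKER)
        return clean, scan(d, known)    # expected: 'changed' plus 'marker' for canary.exe
```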