Virus Advice... a little dated, now, but the genie is out of the bottle...
THIS TIME IT IS DIFFERENT! (Most of this page was written in early 1999. The vulnerability remains! While virus-checkers today would spot a Chernobyl, it is always possible that someone will write a new virus to exploit the old weakness.)
We've all learned (more or less) to live with viruses.
I am an experienced user of PCs. If I'm over-reacting, I'm sorry... but at least consider yourself warned before you add as much salt as you think is appropriate.
A new (1999) type of virus has been invented which can, in not-rare cases, mean that you must replace your motherboard before the rest of your computer will work at all again. (And when the system is up again... (booted from that emergency floppy you have. You do have one, don't you? Up to date? You do know where it is?).... your hard disc will probably have lost the root directory, and perhaps all of its data. YOU can rebuild a root directory and salvage your data, can't you? If so, please tell me how? (Serious request, if the tools cost less than $40.)) Send me an email if you want me to 'get technical' about how a virus could trash a motherboard... I can... but time is short, and there are more important things to get posted here. (Apologies for any typos... I promise you this is worth at least what you are paying me! If it turns out to be worth more, please publicise it and visit my freeware, shareware page. (Link at bottom))
A major antivirus authority is saying that the virus is quite widely spread. Supposedly a reputable magazine managed to distribute it on a cover disc. Easily done.
So... what do you need to do? If your machine is on.. leave it on. The virus strikes during boot ups. If you are good about keeping your anti-virus software's dictionary of viruses up-to-date, you may be okay... I've seen an anti-virus package 'catch' an attempted infection. DON'T download a fresh dictionary yet, though... read on.
(An aside: You may want to try to capture a specimen of the virus, to test your supposedly protected machine after you've done all of the below. Format a floppy in the usual way, on the suspect machine. Copy the following from C:\windows\system\: DDHELP.exe, SYSTRAY.exe, spool32.exe. I can't promise they'll be infected, if you even have the virus, but they were on two machines I've cleaned. If you still have room on the floppy, and you have IE20.exe somewhere, take a copy of that, too. Write-protect the disc. MARK THE DISK 'INFECTED'!!!!! (End of aside)).
At the Symantec site (links below), the Symantec people have kindly put up two free tools. The first is Kill_CIH. Download it. Run it from Windows. It will 'turn off' the virus, for now, if it is active in your machine. Read what Symantec tells you.
Also download NAV10C.EXE. (From the second site with link below.) Follow the Symantec instructions. In a nutshell: Put it in a folder of its own (Using C:\NAVC has advantages), run it (double clicking on the file name in Explorer is one easy way.) This will self extract a bunch of files. (NAVC10.exe was just a quick way to send you the whole package)
At this point, I had trouble following the instructions as posted by Symantec. Those instructions are best for people with Norton AntiVirus... but- fear not- Symantec have been generous. The following may not be perfect... but it does some clean up of your system...
First, still in Windows, use 'RUN' from the start menu to execute..
C:\navc\navc C: /doallfiles /repair
(No... I didn't mean to put a \ after the second C:, and yes, there are 3 spaces in that line.)
This will take some time! Don't worry that not all infected files get repaired... but do notice!!! (There's a summary of files infected/repaired at the end.) You can go take a Valium while the program runs. It took about 20 minutes on my system.
Now use the start menu's Shut down|Restart the computer in Dos option to... (I think you know!)
From the DOS prompt, run
C:\navc\navc C: /doallfiles /repair
again. That should take care of the last few files. If it doesn't, please let me know? (And/or Symantec... but when I tried to email them via their website, I had to supply a lot of information, and then the system refused to handle my message!)
Now, I hope!, you can update your virus definitions in the usual way and be safe... until the next variant on this awful theme comes out.
Symantec site where you can get Kill_CIH.EXE (Symantec sells Norton AntiVirus)
Symantec site's CIH information and fix-it freeware.
So... How do you protect your motherboard?
Have you heard of flashROM? Great idea... but a two edged sword. If your computer uses flashROM to hold its BIOS, as many do, then the virus may be able to trash the BIOS. The chip isn't damaged, but the program it once held is gone. No BIOS, no system boot... even from an MS-DOS 2.0 floppy disc.
If you are lucky, you'll be able to get a new BIOS chip to replace the trashed one. If you are experienced, you may even be able to fit it yourself. If you have to ask.... get a professional to do it for you, but make hir (him or her) show you how to do it yourself the next time.
If you are not lucky, the BIOS will not be in a socket, it will be soldered into the motherboard. In this case: you're in a bad situation. Don't be cynical if a professional tells you a new motherboard is your best bet. (No: I don't make my living repairing pcs!)
Maybe your BIOS is in non-reprogrammable ROM. This will be a Good Thing, as far as virus danger is concerned. (But it will also mean that updating your BIOS with beneficial changes is more difficult.) I believe there are even variants of flashROM which can have their programmability 'turned off', so don't assume the worst immediately if you see a flashROM in your machine.
The best of all possible post-Chernobyl/CIH virus worlds? Some manufacturers have used flashROMs AND provided a link on the motherboard which allows you to enable/disable the re-programming mechanism. When YOU WANT to re-program, you can. The rest of the time (and be sure that this has been done!!!!), the link is used to prevent any re-programming of the flashROM. Contact your pc manufacturer and ask: Do I have a flashROM BIOS? Do I have a reversible way to disable re-programming? Only if enough of us demonstrate our interest in that feature will it become common in the next generation of pcs in the shops.
One last 'happy thought': Quis custodet custodes? (My Latin may be off, but the idea remains sound: All of this is manna from 'the experts'... but who is watching the experts to see that they are telling us the right things? Better become an expert yourself! I can't PROMISE that the Symantec programs REALLY turn off, clean up the virus. Maybe they do something almost opposite?? (I can vouch for the rest of this, though... and I've run the Symantec stuff in my own systems. Symantec are pretty well established... we'll just have to pray no one has hacked their site or intercepted our access to it. Now there are a few ideas to play with....))
Other places with related stuff....
Click here for report about the virus.
Computer Associates are now giving away their personal version of 'InoculateIT' anti-virus program, with free updates & support:
Click here to visit InoculateIT site
If you've been hit....
Hard drive seems trashed?
Your best bet is to rebuild, restore from backups.
If you have vital data on the drive, there is a chance that it is still there... you've 'only' got to rebuild your FAT. (If you don't know what a FAT is, you should go to a professional for help, if the data is worth the expense.)
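Why there is "a chance": FAT volumes normally keep two copies of the table, and damage confined to the start of the disc can leave the second copy intact. The following read-only triage of a raw disc image is an added example, not part of the original alert; the 512-byte sector size, the FAT start signatures and the sample image are assumptions constructed for illustration.

```python
SECTOR = 512  # assumption: 512-byte sectors

# Assumed signatures: the first bytes of an intact FAT (media byte F8, then end markers).
FAT_HEADS = {
    "FAT16": bytes.fromhex("f8ffffff"),
    "FAT32": bytes.fromhex("f8ffff0fffffff"),
}

def sector(img, n):
    return img[n * SECTOR:(n + 1) * SECTOR]

def triage(img):
    """Read-only look at a raw disc image: what was wiped, which FAT copies remain."""
    total = len(img) // SECTOR
    zeroed = 0
    while zeroed < total and not any(sector(img, zeroed)):
        zeroed += 1
    fats = [(n, kind)
            for n in range(total)
            for kind, head in FAT_HEADS.items()
            if sector(img, n).startswith(head)]
    return {
        "leading_zero_sectors": zeroed,
        "boot_signature": sector(img, 0)[510:512] == b"\x55\xaa",
        "fat_candidates": fats,
    }

def build_sample():
    """Constructed 64-sector image: boot sector, two 4-sector FAT16 copies, then
    the first 4 sectors zeroed to simulate the damage."""
    boot = bytearray(SECTOR)
    boot[510:512] = b"\x55\xaa"
    fat = FAT_HEADS["FAT16"] + b"\xff\xff" * 1022   # 2048 bytes = 4 sectors
    img = bytearray(boot + fat + fat + bytes(SECTOR * 55))
    img[:4 * SECTOR] = bytes(4 * SECTOR)
    return bytes(img)

if __name__ == "__main__":
    report = triage(build_sample())
    print(report)
    if report["fat_candidates"]:
        print("A FAT copy survives; image the disc before attempting any rebuild.")
```

Run it against a copy of the disc, never the disc itself, so nothing further is written to the damaged drive.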
BIOS seems trashed? (Machine won't boot, even from a system disc in the floppy drive.)
IF your BIOS is in a socket, IF you can get a correct replacement, you may be able to restore your system by replacing the BIOS chip.
IF it is not in a socket, there are rumours around the internet that you may still be able to recover. It is not a trivial business, and you need a separate working machine and a floppy drive (maybe not working) on the sick machine... and it may be cheaper, easier, and a good time just to get a new motherboard, but if you are determined.....
IF you can get an image of the RIGHT bios software, and the flashing software (BIOS supplier may provide the BIOS software and flashing software in a single package, like a self extracting file), THEN... try putting the software in the floppy and booting while holding down F12. You need a FULL image of the BIOS software, not an upgrade patch. You will write protect the floppy first, just in case, won't you? And you will have an antivirus package in place, and up to date, next time, won't you? (Don't worry... I've lost whole hard-drives more than once. It happens. Blame Microsoft, not yourself.)
Source of freeware, shareware. Things for kids, parents, teachers. Also investors, programmers and hobbyist electronics!
Direct link to freeware, shareware ads page.
from author of this alert.
Here is how you can contact this page's editor.