Win95:CIH-ASP virus

Hello,

I have downloaded and installed avast! Home Edition, registered it, and downloaded the virus database update. Then I clicked the desktop shortcut to avast!, and it started the memory scanner.
It showed, almost at once, that I am infected with the Win95:CIH-ASP virus, in c:\windows\notepad.exe.
I cannot open notepad, since avast! blocks it. I noticed no oddities in the PC's behaviour before, including in notepad.

What actions do I need to take, and where is a description of this virus? (If the virus has a name, it was investigated, so there must be a description as well.)
What files did it damage, etc.?

Thanks.

It’s most likely really infected. The location is right and it’s most certainly not a false positive on something as common as notepad.

Hi centrum,

If it was Chernobyl variant = Virusinfo: CIH of PE_CIH virus

This seems to be a very nasty virus. It overwrites the flash BIOS of your computer, after which the supplier has to set it anew. Or it reformats your hard disk. Enter at a DOS prompt:

    CURE C:

and your C: disk is checked for this virus.

In your case the Win95:CIH-ASP is a “dropper”, and can be removed by deleting this file: cih_13.exe

polonus

Hi polonus,

I installed avast! only last night and just haven’t had enough time to learn all the scanning features.
Should I do a full scan? How do I get rid of this specific virus? To check the C drive for the virus, do I need to do it from DOS?
(Boot in DOS mode?)

centrum

You could also check the offending/suspect file to confirm the detection is good at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.

Got the following scanning results (online scanner):

| Antivirus | Version | Update | Result |
|---|---|---|---|
| AntiVir | 6.35.1.0 | 08.04.2006 | TR/FlashKiller.C |
| Authentium | 4.93.8 | 08.04.2006 | no virus found |
| Avast | 4.7.844.0 | 08.04.2006 | Win95:CIH-ASP |
| AVG | 386 | 08.04.2006 | no virus found |
| BitDefender | 7.2 | 08.04.2006 | no virus found |
| CAT-QuickHeal | 8.00 | 08.04.2006 | no virus found |
| ClamAV | devel-20060426 | 08.04.2006 | W32.CIH.1003 |
| DrWeb | 4.33 | 08.04.2006 | no virus found |
| eTrust-InoculateIT | 23.72.86 | 08.03.2006 | no virus found |
| eTrust-Vet | 12.6.2324 | 08.04.2006 | Win32/CIH!remnants |
| Ewido | 4.0 | 08.04.2006 | no virus found |
| Fortinet | 2.77.0.0 | 08.04.2006 | suspicious |
| F-Prot | 3.16f | 08.04.2006 | no virus found |
| F-Prot4 | 4.2.1.29 | 08.04.2006 | no virus found |
| Ikarus | 0.2.65.0 | 08.04.2006 | W95.Cih.1003 |
| Kaspersky | 4.0.2.24 | 08.04.2006 | no virus found |
| McAfee | 4822 | 08.04.2006 | no virus found |
| Microsoft | 1.1508 | 08.04.2006 | no virus found |
| NOD32v2 | 1.1692 | 08.04.2006 | no virus found |
| Norman | 5.90.23 | 08.04.2006 | no virus found |
| Panda | 9.0.0.4 | 08.04.2006 | no virus found |
| Sophos | 4.08.0 | 08.04.2006 | W95/CIH-10xx |
| Symantec | 8.0 | 08.04.2006 | W95.CIH.damaged |
| TheHacker | 5.9.8.186 | 08.04.2006 | no virus found |
| UNA | | | |

Aditional Information:

File size: 34304 bytes
MD5: 90a0732a7ed62ea44e19e848b5c288b6
SHA1: 33f0fd5e5fc1fcc8a7cc603e55453750246e7490

8 antiviruses show a virus. What is the way to remove the virus?

I’m not sure that you can repair it; moving it to the chest and trying to get a replacement notepad.exe may be the easiest option.
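
The cross-check suggested in the thread (see whether other engines agree before treating a detection as a false positive) can be done mechanically on a report like the one posted above. The following is an added example, not part of any post in this thread: it parses the report rows as quoted, skips the truncated last row, and groups the verdicts. The function name `triage` and the grouping keys are assumptions of this example.

```python
import re

# Rows as quoted in the thread: engine, version, update date, result.
REPORT = """\
AntiVir 6.35.1.0 08.04.2006 TR/FlashKiller.C
Authentium 4.93.8 08.04.2006 no virus found
Avast 4.7.844.0 08.04.2006 Win95:CIH-ASP
AVG 386 08.04.2006 no virus found
BitDefender 7.2 08.04.2006 no virus found
CAT-QuickHeal 8.00 08.04.2006 no virus found
ClamAV devel-20060426 08.04.2006 W32.CIH.1003
DrWeb 4.33 08.04.2006 no virus found
eTrust-InoculateIT 23.72.86 08.03.2006 no virus found
eTrust-Vet 12.6.2324 08.04.2006 Win32/CIH!remnants
Ewido 4.0 08.04.2006 no virus found
Fortinet 2.77.0.0 08.04.2006 suspicious
F-Prot 3.16f 08.04.2006 no virus found
F-Prot4 4.2.1.29 08.04.2006 no virus found
Ikarus 0.2.65.0 08.04.2006 W95.Cih.1003
Kaspersky 4.0.2.24 08.04.2006 no virus found
McAfee 4822 08.04.2006 no virus found
Microsoft 1.1508 08.04.2006 no virus found
NOD32v2 1.1692 08.04.2006 no virus found
Norman 5.90.23 08.04.2006 no virus found
Panda 9.0.0.4 08.04.2006 no virus found
Sophos 4.08.0 08.04.2006 W95/CIH-10xx
Symantec 8.0 08.04.2006 W95.CIH.damaged
TheHacker 5.9.8.186 08.04.2006 no virus found
UNA
"""

CLEAN = "no virus found"
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")

def triage(report):
    """Summarise a multi-engine report: how many engines flag the file, and as what."""
    rows = [ROW.match(line.strip()) for line in report.splitlines() if line.strip()]
    results = {m.group(1): m.group(4) for m in rows if m}  # incomplete rows are skipped
    flagged = {e: r for e, r in results.items() if r != CLEAN}
    return {
        "engines": len(results),
        "flagged": len(flagged),
        "cih_named": sorted(e for e, r in flagged.items() if re.search("cih", r, re.I)),
        "damaged_or_remnants": sorted(e for e, r in flagged.items() if re.search("damaged|remnants", r, re.I)),
        "generic": sorted(e for e, r in flagged.items() if r == "suspicious"),
    }

if __name__ == "__main__":
    print(triage(REPORT))
```

Engines that share a family name in their labels are stronger corroboration than a bare "suspicious", which is why the summary keeps those groups apart.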