Author Topic: Win95:CIH-ASP virus  (Read 4327 times)

centrum

  • Guest
Win95:CIH-ASP virus
« on: August 04, 2006, 12:00:56 PM »
Hello,

I have downloaded and installed avast! Home Edition, registered it, and downloaded the virus database update. Then I clicked the desktop shortcut to avast!, and it started the memory scanner.
It showed, almost at once, that I am infected with the Win95:CIH-ASP virus, in c:\windows\notepad.exe.
I cannot open notepad, since avast! blocks it. I had not noticed any oddities in the PC's behaviour before, including notepad.

What actions do I need to take, and where is a description of this virus? (If the virus has a name, it was investigated, so there must be a description as well.)
What files did it damage, etc.?

Thanks.
« Last Edit: August 04, 2006, 12:02:42 PM by centrum »

Offline RejZoR

Re: Win95:CIH-ASP virus
« Reply #1 on: August 04, 2006, 01:08:18 PM »
It's most likely really infected. Location is right and it's most certainly not a false positive on something as common as notepad.

Offline polonus

Win95:CIH-ASP virus
« Reply #2 on: August 04, 2006, 01:34:15 PM »
Hi centrum,

If it was the Chernobyl variant = Virusinfo: CIH or PE_CIH virus

This seems to be a very nasty virus. It overwrites the flash BIOS of your computer, after which the supplier has to set it anew. Or it reformats your hard disk. Enter at a DOS prompt:

        CURE C:

and your C: disk is checked for this virus.

In your case the Win95: CIH-ASP is a "dropper", and can be removed by deleting this file: cih_13.exe

polonus
« Last Edit: August 04, 2006, 01:41:32 PM by polonus »
centrum

  • Guest
Re: Win95:CIH-ASP virus
« Reply #3 on: August 04, 2006, 03:29:41 PM »
Hi polonus,

I installed avast! only last night and just haven't had enough time to learn all the scanning features.
Should I do a full scan? How do I get rid of this specific virus? To check the C drive for the virus, do I need to do it from DOS?
(boot in DOS mode?)

centrum

Offline DavidR

Re: Win95:CIH-ASP virus
« Reply #4 on: August 04, 2006, 03:33:33 PM »
You could also check the offending/suspect file to confirm the detection is good at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

centrum

  • Guest
Re: Win95:CIH-ASP virus
« Reply #5 on: August 05, 2006, 12:28:15 AM »
Got the following scanning results (online scanner):

Antivirus   Version   Update   Result
AntiVir   6.35.1.0   08.04.2006   TR/FlashKiller.C
Authentium   4.93.8   08.04.2006    no virus found
Avast   4.7.844.0   08.04.2006   Win95:CIH-ASP
AVG   386   08.04.2006    no virus found
BitDefender   7.2   08.04.2006    no virus found
CAT-QuickHeal   8.00   08.04.2006    no virus found
ClamAV   devel-20060426   08.04.2006   W32.CIH.1003
DrWeb   4.33   08.04.2006    no virus found
eTrust-InoculateIT   23.72.86   08.03.2006    no virus found
eTrust-Vet   12.6.2324   08.04.2006   Win32/CIH!remnants
Ewido   4.0   08.04.2006    no virus found
Fortinet   2.77.0.0   08.04.2006   suspicious
F-Prot   3.16f   08.04.2006    no virus found
F-Prot4   4.2.1.29   08.04.2006    no virus found
Ikarus   0.2.65.0   08.04.2006   W95.Cih.1003
Kaspersky   4.0.2.24   08.04.2006    no virus found
McAfee   4822   08.04.2006    no virus found
Microsoft   1.1508   08.04.2006    no virus found
NOD32v2   1.1692   08.04.2006    no virus found
Norman   5.90.23   08.04.2006    no virus found
Panda   9.0.0.4   08.04.2006    no virus found
Sophos   4.08.0   08.04.2006   W95/CIH-10xx
Symantec   8.0   08.04.2006   W95.CIH.damaged
TheHacker   5.9.8.186   08.04.2006    no virus found
UNA         

Additional Information:

File size: 34304 bytes
MD5: 90a0732a7ed62ea44e19e848b5c288b6
SHA1: 33f0fd5e5fc1fcc8a7cc603e55453750246e7490

8 antiviruses show a virus. What is the way to remove the virus?
« Last Edit: August 05, 2006, 12:32:00 AM by centrum »

Offline DavidR

Re: Win95:CIH-ASP virus
« Reply #6 on: August 05, 2006, 01:25:02 AM »
I'm not sure that you can repair it; moving it to the chest and trying to get a replacement notepad.exe may be the easiest option.