Virus.Win9x.CIH - removal process
- Published: 25 Apr 2016
- / danooct1
another CIH anniversary video. I released my original video covering the CIH virus four years ago in 2012, which is currently my most viewed video. this video attempts to follow up on that one, showing how CIH can potentially be removed (if the system's BIOS hasn't been overwritten).
please forgive me for being terrible at video editing, it's not something I work a lot with (despite making videos for almost 8 years lol). lots of lazy cuts/transitions, but i think it gets the point across well enough. if i waited until i was happy with how this video was coming along it wouldn't have been released this year so this is as good as it's gonna get. - Category: Entertainment
3:38
*says you need to change the date far away from 26 april*
*changes date to 20 april*
lmao
Blaze it!
a veeerrry special day, lmao
Best date to avoid CIH: April 27
But my birthday is April 26
4-20
Very nice video. Your style of narration is also easy and pleasant to listen to. Good job!
+Bisqwit wait... you are the same guy who created a recreation of doom in C?
+Elmo64 Yup.
+Bisqwit didnt expect to see you in this vid lol
Bisqwit dannoct1 is bob ross confirmed?!
+Bisqwit Found you again in a comment haha :)
Very interesting. Back in 1999, when CIH infected our family computer, now I understand why our anti-virus kept finding so many infected files, and multiple scans didn't work. My dad had no choice but to boot into DOS and execute all the tools on the command line to eradicate the infection.
Just want to confirm if it is possible instead to boot to DOS to run the tools instead of running it on Windows.
Thanks Danooct1, you have outdone yourself once again with an extremely informative and entertaining video.
+James Chan i loved how you let us know it was your dad that did it. it's like i'm back in the 90s and the family computer got infected and dad has to fix it
+Zero Ziat Actually, we don't know who did it. A couple of people were using it and were downloading stuff from people's emails and the Internet.
My dad was quite good with the computer, so he cleaned up the mess.
+James Chan the same happened in my house! hahaha
That family computer got lucky
No fucking way, I had this when I was younger. My BIOS wasn't deleted and the machine continued to boot into Windows, but that green bar at the top would appear when I visited certain websites, tried to watch video, listen to music, files would stop working etc. The computer would then hang until I pressed the reset button and started again. I tested the hardware thinking it might have been a graphics error but no such luck. It would still happen in safe mode etc. Eventually got a hold of my 98 disc and reinstalled completely and the problem was fixed, so couldn't have been hardware..
Is it possible there where variations of this virus or does it just affect different systems in different ways?
EDIT: At 2:35 the screen has a green a bar at the top with distorted purple pixels, this is exactly the way my screen would go the second I ran pretty much anything.
Jamie McG you didn't even edit your fucking comment
@@xxxprogamerxxx5909 YouTube didn't record if a comment is edited until 1-2 years ago...
@@xxxprogamerxxx5909 Neither did you
As far as I know, the other CIH variants primarily affected payload dates, and not the payload itself. It's possible you were infected with a different virus, it may have been something like the virus CAW, because that virus would cause the distorted line lock up when you run programs.
However it is possible you had a variant that hasn't been documented and which didn't perform payloads correctly and/or altered them.
Interesting sidenote: HDDs formatted with newer utilities (those supporting Advanced Format) are mostly impervious to CIH. These new utilities put the 1st partition at sector 2048 instead of 63 to ensure alignment, so all that needs to be done after a CIH attack is a simple MBR rebuild (since the first 1MB is left clear, except for the MBR).
I love this high production value post commentary you've sort of done. Great work Dan! Hope to see more of this genre in the future.
verbose convertor?
Why did your videos suddenly become more professional? Your voice is clearer, you talk more fluently, calmly and in a warm tone, and the footage is more high-quality than usual...
Me likes it.
Although no one will be struck by CIH unintentionally these days it is still a great proof of concept, knowing how destructive it was back then. This reminds me of picking up an old video game from your childhood and finally beating the endboss which you never managed to when you were young. Even though none of your friends will talk about the game anymore and value your success it is still an important achievement for your ego. If you can beat CIH Dan you will probably do so with many viruses to come. That is why I am subscribed to your channel :)
Now do the process of reflashing the BIOS with only the technology at the time. ;)
rip danoct1
unsolder the bios chip, put another one and force an update via ms-dos and hotswap the old chip. simple.
+OH MY GOD!!! So try to find a similar board with a similar chip. They don't necessarily have to be identical.
...so order a new BIOS chip from the manufacturer? They were almost all socketed at this point in time
So spend hundreds of dollars on an EEPROM writer and somehow find a clean copy of the BIOS to flash it with?
Great work! I love how you sound so happy throughout the video. That just makes it even more fun to watch :D
No dislikes, well deserved. You're awesome Dan I love watching these videos and it's shown me a lot about viruses. Keep it up
Agreed 100 %!
Oh shit 5! :(
Still good video :)
No dislikes, true!...
Hey! I only just found your channel a few days ago and you make some really interesting videos that are super fun to watch! I was just wondering what field you specialised in? or what course you studied in order to have such a good understanding of all this. Love the channel dude!!
these videos are so entertaining. having heard about many of them but now I can see them in action.
I just came across your videos yesterday. This is really interesting stuff! I've always wanted to see a virus in action, but not on my own computer, of course. I've always wondered about the viruses that cause physical damage to the computers, so I'll be looking for those.
It's also really interesting that these viruses still break out of the virtual operating systems to cause real damage. Old, obsolete viruses still able to infect new computers--really cool.
Did you change the date to 4/20 on purpose?
say this to Druaga1
+SkelettZockt Goddamn and I thought I was the only one that thought about Druaga when they saw that date.
Brorrowind yea smoke w33d everyday
Should have changed it to 6/9 :P
*_n i c e_*
When saw the title in my sub box got so excited :D
+BurnyCreative Lol I know right :D
These days, we have Windows 10 to download updates that don't work, and cause it to reboot 3 times before it gives up, uninstalls its own update, and takes you back to where you were originally. It's equally irritating.
Cool video! By the way, did you know that you were featured in a Quebec documentary about zero day flaws that was broadcasted a week ago?
+Chockeyproh Wii U 3DS really? do you have a link/more information?
+danooct1 Sure! One second please, just to upload a screenshot of it online.
+danooct1 drive.google.com/file/d/0B_DKmOADWDWiY2pjeWlIY3BXa0k/view?usp=docslist_api drive.google.com/file/d/0B_DKmOADWDWiSGg2a1Y4VmpDUjg/view?usp=docslist_api
These are two (awful quality) pictures I took. I can also give you the video (about 7 seconds) of where you are involved, but it is in french. It is a part explaining that first malware that took control of your OS were not dangerous and were having a diverting payload.
+OH MY GOD!!! i even saw the source and its right. that is step up. a HUGE STEP UP.
Dan ive been waiting for another cih vid for a while. Thank you!!!!
You finally made the vid. I have been waiting for 4 years now.
At first I was skeptical but the way you did this video and explained everything was brilliant. very nice content, hope to see more of this
Great video, Dan! I don't think I've ever been more enticed during one of your vids!
Great video Dan! Loved the editing/voiceover style.
I'm waiting for this soooo many months, I knew it's fixable! Great vid Dan
My computer was corrupted by cih, bios and hdd both. It was a real pain!
@@malwaretestingfan hm, something about the 2000s. It was a Pentium 133 or something like that 😁 and Windows 98 to my mind.
@@malwaretestingfan it was popular in 00s
Fascinating tool. Since I don't want to run a DOS simulator on this program, I read the instructions from your video (thx for including all of them by the way) and this is just pure clever. I don't know how it would be possible to reconstruct the whole MBR with FAT16 systems, but if Steve Gibson says it's possible, then it's possible somehow. However, using the copy to reconstruct the whole disk is just amazing. Only people in this business know how a file system works and he delivered a solution to this problem.
Also it shows you how slow computer storage was back in the day. This isn't even really old but 7 minutes for a GB is massive considering this tool runs on machine code, standalone on the CPU.
OMG...My first computer in 2004 came with Windows ME and only now I realize how lucky I was to have it until 2012!
you also need to empty the recycle bin just to be safe
Hey dancot I love your vids they are the best I was always into technology and how viruses work. thank you and keep making great videos
Excellent work! Glad to see such an awesome nerdy video!
Good ol' Steve Gibson. I instantly recognized the name lol. He's got some pretty good podcasts
I've suggested this before, but I'd like to see the effects of a virus and how to remove it in a single video. I don't mind having it split into two videos, but the fact that you sometimes don't do removals for some viruses (don't think you've said in the video that you can't remove it after it's infected the system) and I really wonder how some of those viruses can actually be removed.
+TheEngineer TCR (TheEngineerTCR) most viruses don't have specific removal tools and i just format the drive to get rid of them.
I use the command prompt
Despite the obvious fact that ClamAV doesn't have live scan (although I've already seen extensions that can help ClamAV perform live scans), do you think it's efficient enough? I currently use no antivirus on my Windows system, and I don't feel like any of them are any more effective nowadays than minding what you access.
Having been in network security for 4 years and understanding quite a lot about not just the skill but the psychology of hackers, I can already assure you many hackers hate you severely for exposing how a vast majority of these older hacks (and the newer ones too) were used, clearing up a lot of the panic/fear that used to exist around malware.
It's glorious to finally be able to be so publicly smug towards those jobless, lazy bastards who won't get a real job. Then again, keeps guys like me in business so I guess I should be thanking them
Honestly they couldn't care less. A child could fix this.
Danooct1, thank you for your great content. By the way, do you have access to the database virusshare?
damn, this is probably your most well made video yet.
Awesome video man, keep up the great work!
To repair the BIOS corruption you could hotswap the bios on a good motherboard and flash it again or get one external programmer to flash the bios again.
Seeing all these videos, it would appear best defense for a lot of those malwares was to simply disable/freeze your system time.
Awesome channel though. It brings me back some cool memories.
siwoti remove the CMOS Battery lol
Hey Dan!
Your videos have really inspired me to try to mess around with some programming and try to make some simple malware programs. So i am just wondering what programming language you would recommend for someone starting up writing malware?
***** I don't really know if Assembly is the correct choice nowadays. And isn't C really difficult/time consuming to learn?
"Rendering the computer unbootable. SOME OF YOU-"
that threw me into wednesday
I liked the way you edited this video.
why this video is so satisfying?
Makes me wonder what the most recent chipset/CPU that the bios overwrite payload will work on.
I wish we got to see more of these virus removal videos
Nice video man, love these. It's like a trip to the 90s. You ever gonna do some old linux malware videos or something?
I didn't even know Linux malware existed (0_0)
+PixelBucket The Herobrine Hunter there obviously are some exploits and such. frankly it'd be interesting to see, especially on older systems
Amazing Video As Always
I know most people wouldn't like to try this, but what would happen if you ran CIH on bootcamp on a Mac w/ dualboot. Will it still boot to OSX?
I'm surprised you're able to find all of this old virus cleanup software
CIH was particularly nasty and widespread, so it's not too terribly surprising.
That was a very interesting video! As far as I knew, the only way to repair a computer destroyed by CIH was to find another clean PC with the same chipset and hot-swap BIOS chips. I didn't know there were "immune" chipsets, that are repairable.
Can you do a BIOS-swap video too? It would be a very interesting thing to watch!
Eduardo W. I'm guessing boot with working bios then hotswap to the non working one and use the same exploit to write the original bios onto it?
Well, it could also be externally reprogrammed. From what I read, even back then it was possible to buy a flash programmer and successfully reflash the BIOS. Not common knowledge, though, especially back then, and you needed another computer anyways.
Dan - I know you get a million messages, and I've asked before - but have you actually done a hotswap BIOS?
+SireSquish I'd like to try one but I don't have a similar enough mobo. Maybe someday I'll pick one up and make a video on it.
danooct1 I'd love to get a pc I'm watching on Samsung galaxy tab e lite
This was beautiful.
I heard about CIH.
I wish to see the most destructive worm/trojan/ or virus ever known!
have you thought of trying this in Qemu? I think it would be successful in Qemu, because it's closer to acting like a real PC.
So what if you're unlucky and have a BIOS that gets overwritten by CIH? Since all the boot drives are rendered unbootable, there's no way of using DOS as a saving grace, huh?
Midnight Mechanic you have to desolder the bios and hotswap with one from a working board then use the same exploit? to re-write the firmware to it
Okay, but is there a kill_covid-19 command that I can just write into the console of life?
Your video is awesome. Remind me of my childhood :D
that excitement is indeed justified dw
I do wanna know what happens to the machines that have been wrecked by CIH -- As in black-screened, no access to the BIOS? Most Virus wrecked machines do let you get to the BIOS screen before moving to the BSOD -- OS's failing to boot because the virus wrecked a system file.
Buy new main?
Outstanding video
Can you do a video on the whistler virus? I used to have it and it drove me crazy for a month. Took me forever to find out how to fix it.
Have you ever thought about playing Lose/Lose? That game is kind of like a virus in itself. I would love to see a video on it.
Tar Alacrin I've never seen a Mac video on this channel.
+TheMighty Pikachu Mac's dont really get viruses because of the way they are.
I apologize for the extremely late reply, but Tom.K did a great video on Lose/Lose that you should check out.
Your video editing isn't too bad. It's pretty good! :D
Victor Tran omg I know you from is first timer
if the creator of that virus had made the virus trigger on all of the dates on the calendar then it would be even harder to remove this virus
Reactor 4.exe has exploded
What is the stripped down Norton Antivirus. Just curious
CIH needs to change date to 26 April 1986. This is the date of the Chernobyl NPP explosion.
Question: I'm a computer geek, but want to know what it means when a virus "Writes its code to the end"?
+Dodge it all | One Hour Specialty when a virus infects a file it will patch in code at the beginning of a file telling it to jump to a location at the end of the program. the virus writes its code there so when the program is run, it will jump to the virus, run the virus, then jump back to the host program and run the original program the user was trying to run. so trying to run any infected file will always load the virus.
different viruses have different methods of infecting files, like CIH (nicknamed Spacefiller) will seek out empty pockets of space in a file when infecting it, rather than writing to the end of it, so that there's not an increase in the original file's size (which would alert the user that it had been altered in some way)
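Added example, not danooct1's or the video's code: a read-only Python check that parses a PE header and flags the two entry-point patterns the reply describes, an entry point redirected into the last section (the appender pattern) and one pointing into a section's unused slack (the Spacefiller approach that leaves the file size unchanged). The three sample images are constructed inline with build_pe; the IMAGE_SCN_* bits are the standard section flags.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(entry_rva, sections):
    """Build a minimal PE32 image (headers and section table only) as
    constructed test input. sections: (name, va, vsize, raw_size, flags)."""
    opt = bytearray(224)                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)         # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, 0, 0, 0, 0, 0, fl)
                     for n, va, vs, rs, fl in sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> PE signature
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsect):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                         "va": f[2], "rsize": f[3], "flags": f[9]})
    return entry, sections


def entry_point_findings(data):
    """Heuristics for the infection patterns described above. Returns a list
    of findings; an empty list means the entry point looks ordinary."""
    entry, sections = parse_pe(data)
    findings = []
    for i, s in enumerate(sections):
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rsize"]):
            break
    else:
        return ["entry point lies outside every section"]
    if not s["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append(f"entry point in non-code section {s['name']}")
    if i == len(sections) - 1 and len(sections) > 1:
        findings.append(f"entry point in last section {s['name']} (appender pattern)")
    if entry >= s["va"] + s["vsize"]:      # past the real data, inside raw slack
        findings.append(f"entry point in slack of {s['name']} (spacefiller pattern)")
    return findings


# Constructed samples: a clean layout, an appender-style redirect into an
# enlarged last section, and a spacefiller-style jump into .text slack.
TEXT = (b".text", 0x1000, 0x800, 0x1000, 0x60000020)
DATA = (b".data", 0x2000, 0x200, 0x200, 0xC0000040)
CLEAN = build_pe(0x1100, [TEXT, DATA])
APPENDED = build_pe(0x2300, [TEXT, (b".data", 0x2000, 0x400, 0x400, 0xC0000040)])
SPACEFILLED = build_pe(0x1900, [TEXT, DATA])

if __name__ == "__main__":
    for label, img in [("clean", CLEAN), ("appended", APPENDED), ("spacefilled", SPACEFILLED)]:
        print(label, entry_point_findings(img) or "no findings")
```

Real files need the same check run over data read from disk; the heuristics are only a hint, since packers and some linkers also produce unusual entry points.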
+danooct1 Alright! Thank you for clearing the air!
How did this (the virus) work? Wasn't this before NAND storage?
7 people have destroyed BIOS...
I built and ran this virus on my PII build. Only got one BSOD but it gave me a blank screen with a cursor and a solid hard drive light. Next reboot it never posted, but I made sure to backup the BIOS chip before hand and now I can at least get into BIOS. Next step is to restart the deleted hard drive segments and wipe it.
If you run it on a VM will you have to reinstall the VM software?
hey, at 1:59 why isn't the virus called CIH.exe like on the other vid, same OS right?
4:12 thank you for choosing the norton antivirus virus scanner to check your computer system for viruses
Thank you for dialing 911 for all your emergency services needs
@@danem2215 i never use 911, i use the 112!
Someone on github rewrote CIH to work on the NT kernel. It's still entirely in assembly language, and it's insane.
oh no
@@partitionhlep It doesn't really work though because it is still hardware specific, it requires kernel exploits that have been patched since win2k, and it requires borland turbo assembler. I tried assembling it and running it on a 64 bit win7 vm and it did nothing.
If you wanted to create a CIH like virus in 2021, you need to start from scratch and use UEFI. Now that's scary, because UEFI is already completely broken.
@@mattr2238 my bios mode is legacy
@@partitionhlep That may very well be the case, but the exploit used by CIH is specific to the original IBM PC BIOS, not what we call legacy BIOS on modern computers. On modern computers, a legacy BIOS is typically a UEFI BIOS that uses a Compatibility Support Module to emulate some of the functionality of the original PC BIOS.
Perhaps your computer came with the original Windows NT back in the 90s, in which case it does have a PC BIOS and is vulnerable to the destructive payload.
@@mattr2238 ok, i'm running windows 10 on a 2011 pc if you don't know
Good follow through.
Which anti virus software are you using? Just curious
Too bad there's no fix for the dead BIOS. It would have been nice if the bricked machine would have had a removable eprom chip. That way you could get an eprom burner and flash the old BIOS ROM back to the chip and resurrect the machine.
Tihamér Szabó ? If the virus could overwrite the BIOS, you can reflash the BIOS as well.
coreboot?
@danoct1 is CIH short for something??
Glad to see a living PC😎
Nice, so did you repair that old pc that was nuked in the original video? With a programmer the BIOS can easily be reflashed
if you can find a bios that old then it's easy
+I am not even mad then*
+I am not even mad It's not like you can flash another BIOS that is compatible. It doesn't have to be the exact same one.
you have no idea how much I would love to help you find viruses and record with you.
How do you find specific viruses to test?
I have a SE440-BX-2. Can It be infected with CIH?
GRC is awesome to have made that Fix-CIH freeware!
can you post CIH Removal files here?
PS: Do you think this would work on an emulator that emulates physical BIOS? (something like PCem ( citadel.ringoflightning.net/pcem101_experimental.7z )?
Nice, great video. Can you do more email worm showcases or something like that.
I guess this virus trashed my father's computer years ago.
yay! new video!
How did you get it to boot again?
Wow, original video was made in 2012 ? I feel so old :D
Back at it again with the virus tests! xD
Best.......video......EVER!!!
Is Danooct1 gonna be the new Rogueamp1/2 now??
You should do a video on NRLG Nukes Randomic Life Generator. It (was) awesome - it's on VCHeavens
What computer do you use
i like how his real wallpaper is like a modern version of bubbles lmao
Why is the video title in Spanish if you speak English? Regards
maybe it's the first video about removal of this virus?
Is it hard to put a simple "BIOS Write Enable" switch on the computer? I think it's stupid, that the BIOS isn't read only
Felix K on modern systems they decided to make EFI writable so it can be updated by the operating system (lol)