1. /
  2. Security Response/
  3. W95.CIH Removal Tool

W95.CIH Removal Tool

Discovered:
January 5, 1999
Updated:
August 24, 2005 12:00:00 AM
Type:
Removal Information
Introduction

As of August 3, 1998, the KILL_CIH tool was designed to safely detect and remove all known strains of the W95.CIH (Chernobyl) virus from memory under the Windows 95 and Windows 98 systems; the W95.CIH virus cannot infect the Windows NT/2000 systems. If the tool is run before the virus infects the system, the tool will also inoculate the computer's memory to prevent the W95.CIH virus from infecting the system until the next system reboot.

Note: If your computer is already infected with the W95.CIH virus, first run the KILL_CIH tool before attempting to update the virus definitions or to scan your system. If you attempt to scan the system with any antivirus product without first running this tool, the infection could spread. After using this tool, you can safely update your Norton AntiVirus (NAV) definitions and scan the computer.

The KILL_CIH tool does not detect or remove the W95.CIH virus from the files. It only disables the virus in memory so that an antivirus program can remove the infection without inadvertently spreading the virus.

You can run the CIH removal tool from either the DOS command line or from a login script. Running the tool from a login script allows an administrator to automate the disinfection process. This means that an administrator does not need to go to each workstation on the network and reboot from a clean floppy disk to clean the computer. After using this tool, you should update your virus definitions, then completely scan the computer using NAV. This product will eliminate the virus and repair any damaged files. The tool itself is designed to avoid infection by the virus and can be safely run without becoming infected, if the virus already resides on a computer.

Obtaining and running the tool
Note: The W95.CIH virus cannot infect computers running on Windows NT, 2000, or XP.
Download the KILL_CIH.EXE file to the Windows desktop.
Close all the programs before running the tool.
Run KILL_CIH.EXE while in a DOS window within Windows as follows:
Click Start, and then click Run.
Type command, and then click OK.

(An MS-DOS window will open to the C:\WINDOWS\Desktop prompt.)

Type kill_cih.exe, and then press Enter.

The KILL_CIH.EXE program does not require command-line arguments. It will display one of several different messages upon completion:
"The W95.CIH virus was found in memory. The W95.CIH virus has been successfully disabled. You can now run Norton AntiVirus to remove any infections from files."

This message is displayed if any strain of the W95.CIH virus is found in the computer's memory. The tool has disabled the virus in memory and will prevent it from causing damage to the system or infecting any additional files. At this point, it is safe to run NAV to remove the virus from the system.

"The W95.CIH virus was not found in memory."

This message is displayed if known strains of the W95.CIH virus are not found in memory. The tool has inoculated the computer and will prevent the virus from infecting system memory, if an infected file is run during the remainder of the computer session (until reboot). At this point, it is safe to run NAV to remove the virus from the system.

"Warning: This Windows NT system cannot be infected by the W95.CIH virus."

This message will be displayed if the tool is used under Windows NT/2000/XP. There is no harm in doing this, and the program will normally exit after displaying this message.

After running the tool
Run LiveUpdate to make sure that you have the most recent virus definitions.
Start NAV and make sure that it is configured to scan all the files. For instructions, read the document, "How to configure Norton AntiVirus to scan all the files."
Run a full system scan.
Summary

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver