CIH (Chernobyl) Virus Strikes Close to Home On April 26, while returning to Tampa, I called home and was informed of a computer problem at someone’s office for whom I provide support. The message was that their computer wouldn’t boot. Sounded like a power supply problem at first thought. When I was able to contact the individual, I found out the problem was not electrical. The problem was that on attempting to boot the computer they received the message, "Place bootable media in an appreciate drive". Not a good message, and that immediately brought to mind the warning my wife had shown me in the Tribune a few days back concerning the Chernobyl virus that was scheduled to strike on—April 26.

And it did strike. When I got to the computer, the only drive you could use was the A drive. Trying to access the C drive produced a message like "inappropriate drive parameter". A check of the BIOS showed that there was a Quantum Bigfoot hard drive. So we had a BIOS and a hard drive, but the hard drive was inaccessible. I had brought a DOS bootable floppy with generic CD ROM drivers on it and could access the CD- ROM drive, but no C drive access. I also had FDISK on the floppy, and it indicated a 4.3 GB primary partition on Drive 1 called partition 1. If I recall correctly it indicated 4.3 GB of free disk space—another bad sign. It looked like the virus had done its dirty work and wiped out the File Allocation Table (FAT), the Master Boot Record (MBR), and who knows what else. But we were lucky to have a BIOS. In many of the cases I was subsequently to read about, computers hit by this virus also had their BIOS destroyed.

Luckily for us, only two months back our group had a presentation on data recovery by Ontrac. Additionally they had supplied us with a floppy with their Data Advisor program on it. I inserted the floppy into the A drive and powered up the computer. It booted from the floppy and the program set to work analyzing the hard drive. It said the drive was physically OK, but the Master boot record was invalid, remote data recovery was possible, and all we had to do was let it find the modem and it would communicate with Ontrac. Of course, I knew that there was a $100 minimum charge just to talk to Ontrac regarding this since that had been explained at our meeting. Additional charges would apply depending on how hard the recovery job turned out to be.

All this was moot, however, since the program could not find the computer’s modem. It wasn’t until later that I figured out why the modem couldn’t be found. It was a Win Modem (meant to run in Windows). This is another reason to pay a little more when you buy a new computer and upgrade to a regular modem from the non standard Win modem.

After discussing the options with the client, we decided to create new partitions and reformat the drive, losing all the data in the process. But this wasn’t as bad as it sounds, since we had a full system tape backup made January 15. Fortunately there were also paper copies of most of the documents that had been created since then. A full system backup would put the computer back to the exact state it was in on January 15.

To do this, I first had to run FDISK to create new partitions on the drive. Unfortunately I had no idea what version of Windows 95 had been installed before. I didn’t even know how many partitions there had originally been. So I created a primary DOS partition of 2.047 GB and an extended partition of the same size in which I created one logical drive. That left a few stray megabytes left over that I didn’t worry about. I then ran FORMAT to format the new C & D drives. I should note that there was a recovery CD for this machine but no associated floppy to boot from could be found. I, of course, had my bootable floppy with it’s generic CD drivers, so I could actually look at the files on the recovery CD, but I could find none that would start the recovery process. I suppose that must start on the floppy. If I could have used this recovery CD to put the computer back to its original state, then I would have had the hard drive partitioned as original. I would then have restored with my tape backup.

But you work with what you have. After getting the hard drive back into a usable state, I inserted the floppy that was to start the full system restore from the Colorado Backup tape. Everything went smoothly for the first few minutes. Then I got the message that the backup did not have a copy of the Windows Registry and it would be necessary for me to first install Windows before the restore could proceed. This was not the way the program was advertised. The whole idea behind a full system backup was to include the Registry. Discouraged I quit for the evening.

Next morning, I started the full system restore from an older backup tape., and this time everything was OK. Apparently the January 15 "full system back" was not done correctly, and the registry was not included.—a good reason to have more than one such backup. The process continued for about 4 hours and then stopped with 80% of the files restored and a message that the C drive was out of space.

Just what I had feared. The original partition was one 4 + GB drive. But this was just another problem to be overcome. Since the restore first restores the root directory and the Windows directory, I had Windows up and running on the computer. So I just uninstalled a bunch of programs on the C drive that should have been removed long ago anyway. Then I moved several folders containing a large number of graphics files to the D drive. Before I knew it I had 400 MB of free space on the C drive. Additionally the files that were being restored when the process stopped were in excess of several hundred megabytes, being mapping data, so I didn’t include that in the restore when I started back. After probably another hour I had everything restored except the mapping program. I simply reinstalled this program from CD to the D drive.

I was almost finished. The next thing to do was to do a restore of only data files from the more recent backup. After that, I only had to get the modem working, get the network card recognized, and set up RoadRunner again. Setting up the modem was when I realized that the computer had a Win modem. It took a few extra minutes to get the network card installed since it didn’t seem to like the information on the first of two installation floppies. I finally read the details on installing the card from its manual and found out that in Win 95 you only use floppy 2.

Setting up RoadRunner was a snap until I tried to log on. It logged on fine and started downloading files to the computer like crazy. Oh, how nice, I thought. It is updating its program files. Then I noticed that it said it was installing Internet Explorer 3.0. Merle Nicholson, whom I had consulted several times during all of this, had warned me about this and said that it was OK to abort the process, since that is what the RR technician had done at his house. And that is exactly what I did, since I didn’t want IE 3 to replace IE 4.

As you might guess, this is not the end of the story. Halting the download froze the computer, and it would not unfreeze. Upon rebooting, it came up in safe mode and refused to run in any other mode. A check of the bootlog text file indicated that it wasn’t loading many of the font files. What to do? Well, there was a good copy of the Windows installation files in the Windows\Options directory, so I simply reinstalled Windows.

After the installation, a reboot of the computer produced a message that there was a device driver in the Window System.ini file calling for the file Ntkern.vxd, which was either missing or damaged and that I should do something about this. I did. I looked at the system.ini file, and there was no mention of Ntkern.vxd. Anyway, a couple presses of the return key always got you past the message and Windows seemed to run OK. Since the installation of Win 95 included IE 3, I saw no harm in trying to log onto RR again. This time, however, it made no attempt to download IE 3 but instead asked me to supply a path to the browser I wished to use. After doing this, RR was up and running, and I was ready to call it a day. Tomorrow I would install IE 4.0, see if I couldn’t remove the cause of the annoying boot-up message, and tie up a few loose ends.

A check of the Usenet newsgroups on http://ww.dejanews.com said that if I wanted to remove the Ntkern.vxd message, I should uninstall USB support and reinstall it. So, next morning I did that first thing, but didn’t reinstall USB since the computer had no such ports. Next I installed IE 4, did a few other computer items for the individual unrelated to the virus attack and left for lunch. Before leaving, though, we set Colorado Backup to doing a full system backup of our newly restored hard drive, and the individual was off to the computer store to get a new copy of their antiviral program.

• First, you should have a current backup of everything important to you. We actually had a backup of the entire system—but it was several months old.
• You should also know the number and size of your logical hard drives, since the restore needs to be applied to the exact setup from which it came. Note the restore can not partition or format your drives for you. You have to first do that before restoring if the damage has been that severe.
• You should have antiviral software running on your computer.
• This antiviral software should be up to date. My client was running McAfee, but it was over two years old and incapable of catching this particular virus.
• You should not play around on the Internet, downloading executables as files or as attachments and then running them on a computer that is important to you. We are fairly certain that this virus came in from AOL via such an attachment to a message.

End of the story? I don’t know. This morning I received a call saying that, first, the computer was now spontaneously rebooting if you let it sit doing nothing for several hours and that it had done this before the installation of the new virus program. My only suggestion here was to disable all energy saving features and screen savers and see if the problem stopped.

The second problem was that the installation of the virus program on a laptop (might as well put a newer version of the antiviral software on that computer too) had killed its ability to connect to AOL. It could connect to NetCom but not AOL. If you uninstalled the program, then you could connect to AOL. A little research revealed that to make the newest version of McAfee work with AOL, you needed to download a patch (10 minutes via RR and over an hour on the laptop's regular modem). Sounds like a new program to me, not just a patch.

I do find it odd that a company would create a new antiviral program and have it incompatible with the major ISP. I know AOL does everything in a nonstandard way, but they are the largest Internet provider. Then, again, perhaps McAfee is onto something here. Not letting people connect to AOL will probably greatly reduce the incidence of such virus attacks. Look on it as a feature and not a flaw. Larry Anders has informed me that this problem was caused by AOL making changes after the release of the latest McAfee Virus Scan.

Just as the newsletter was going to press, I ran across the following news item:

Bangladeshi Student Says He Can Cure Chernobyl Virus
DHAKA — A Bangladeshi student said Sunday he had invented a software program that can quickly revive computers crippled by the "Chernobyl" virus.