CIH.1003 - How to recover from the virus attack?

W e b D e z i g n L t d. - web design and promotion

WebDezign secrets revealed...

viruses

How to restore your web pages from an "after-CIH" hard disk?
(...even if it has been recently formatted! )

It is important for the Internet surfer to be aware of viruses. We dedicated this page to the subject because the media we work in and probably some of us even live in is one of the easiest ways for the viruses to spread. Casual contacts are always dangerous even if only virtual!

CIH.1003 - the monstrous disaster of
1999. Is there a hope for survival for
the PC world?
There are tones of pages how to prevent
your PC from virus attacks and keep your
programs safe. But little or nothing at all
about what to do and how to recover if the
virus has already been activated. Especially
if its consequences are disastrous as the
CIH's. CIH, CIH.1003, Chernobil - they all
are the names of one of the most cruel PC
viruses "under" Win95/98 appeared so far.
It is known to be the first virus that attacks
the BIOS when the latter is stored in flash

Even if this page comes
into your browser too late
after the latest CIH attack
( 26 April 1999 ), you can
use the program for future
needs ( God forbid! ). It is
called aftercih.exe and
will help you to extract
your web pages from an
"after-CIH" hard disk or
any other deaf-and-dump
hard disk affected by FAT
tables corruption.

EPROM (realization mostly on the new mainboards). This is the lesser
evil since the BIOS can be re-programmed and completely restored.
The worst is when the virus attacks the hard disk which happens with
the older MB's. It damages the partition table and the FAT tables which
are the keys to a proper reading of the information on the hard disk.

Fot the unfamiliar user to whom these abbreviations speak nothing we'll simply say that the mentioned above results in the total "absence" of the hard disk, the directory srtucture and the files as well. If this happens the hard disk must be formatted in order to be prepared to store readable files again.
THE HOT SOLUTION
Unfortunately this kind of damage is extremely heavy and very little could be done for the information to be saved. If it wasn't so important for us to preserve our web pages we wouldn't start seeking any solution at all. Our colleague and friend Ognian Chernokojev (Jogy) helped us to find a solution for restoring some of the files.
The program aftercih.exe will extract your HTML files from an "after CIH" hard disk. Probably there are many other similar viruses, and it doesn't really matter what their names are if the result is one and the same - hard disk "disappearing". The program will work in those cases as well. Even if you have already formatted your hard disk but still haven't installed all your applications and favourite games, the program will extract the previous HTML files!

The program will help web designers who produce HTML files or Internet surfers who store important information in web pages to restore them. You can download the aftercih.exe for free. The source code of the program is available too and you can inhance it to make it capable to extract other types of files from deaf-and-dumb hard disks if possible.

Download aftercih.exe here. Send your comments or recommendations to its author Jogy. We'll publish any new solutions of similar problems on this page.

The source code aftercih.cpp: #include <iostream.h> #include <fstream.h> #include <dos.h> #include <dir.h> #include <string.h> #include <stdio.h> void ReadSectors(int head, int cylinder, int sector, char *buf) { int val = (cylinder << 6) + sector + 1; unsigned int seg = FP_SEG(buf); unsigned int ofs = FP_OFF(buf); union REGS regs; struct SREGS sregs; regs.h.ah = 2; regs.h.dl = 0x81; regs.h.dh = head; regs.x.cx = val; regs.h.al = 1; regs.x.bx = ofs; sregs.es = seg; int86x(0x13, ®s, ®s, &sregs); } main() { int heads; int cylinders; int sectors; int fileno; int start_head; int start_cylinder; char fname[MAXPATH]; char path[MAXPATH]; cout << endl << "Cylinders: "; cin >> cylinders; cout << endl << "Heads: "; cin >> heads; cout << endl << "Sectors: "; cin >> sectors; cout << endl << "Start cylinder: "; cin >> start_cylinder; cout << endl << "Start head: "; cin >> start_head; cout << endl << "Path for saving files: "; cin >> path; if (path[strlen(path) - 1] != '\\') strcat(path, "\\"); cout << endl << "Start file no: "; cin >> fileno; char buf[512]; ofstream ofs; bool inHTML = false; long count = 0; asm { mov ah,0 mov dl,0x81 int 0x13 }; for (int cylinder = start_cylinder; cylinder < cylinders; cylinder++) { for (int head = start_head; head < heads; head++) { cout << "Head: " << head << " \tCylinder: " << cylinder << endl; for (int sector = 0; sector < sectors; sector ++) { ReadSectors(head, cylinder, sector, buf); for (int index = 0; index < 512; index++) { if (!inHTML) { if (strnicmp(buf + index, "<HTML>", 6) == 0) { inHTML = true; sprintf(fname, "%s%d.htm", path, fileno++); cout << "File: " << fname << endl; ofs.open(fname); } } else { if (buf[index] == '\0' || count > 65536l || strnicmp(buf + index, "</HTML>", 7) == 0) { inHTML = false; ofs << "</HTML>" << endl; ofs.close(); count = 0; } } if (inHTML) { ofs.put(buf[index]); count++; } } } } start_head = 0; } return 0; }

Instructions to use aftercih.exe

1. You need a second hard disk which must be able to operate in DOS mode (WinNT DOS emulation will NOT work, DOS prompt under Win95/98 will not work properly either - you need to exit to DOS). This hard drive must be the primary master on your system and will appear as C:\>_.

2. Your "after cih" hard disk could be set to either primary slave or secondary. It MUST be recognized by the BIOS as an existing hard drive during the initial tests on start up, but you won't see it to apperar as D:\>_ afterwards. Read its physical characteristics - the number of its cylinders, heads and sectors. They are written on the body of the hard disk. You can also use the program diskedit.exe from Norton utilities to see them. These characteristics are very important since the program uses them to read the physical sectors on the hard disk.

3. Copy aftercih.exe in the main directory of the operating disk. Create a directory where the extracted files will be saved, for instance C:\SURVIVED (make it up to 8 characters). Exit to DOS or if you did the previous in DOS mode start aftercih.exe. The program will consequently prompt you to enter 7 fields - first the number of the cylinders, the heads and the sectors of the crashed hard disk (for a 2.1G these parameters may look like this - 1024, 64, 200). Then you have to enter the number of the cylinder and the head from which the program will start to read. If you run the program for the first time enter 0 in both two fields. Then enter the full path where the files will be saved (the one you've already created - C:\SURVIVED>). The last entry is the starting file number. If you run the program for the first time you can enter 0 here. The process of reading and extracting may take some hours. You can break the program by pressing CTRL-C at any time and then to continue again from the same place by specifying the new start cylinder, start head and start file numbers (entries 4, 5 and 7; the other entries should be the same).

How the program works:

The program uses a specific feature of the HTML documents. They all start with an opening tag <HTML> and finish with a closing tag </HTML>. Another helpful thing that eases the recovering process is that the web pages are simple ASCII coded text files. The program reads the whole content of the hard disk byte by byte and sector by sector and extracts everything that is between <HTML> and </HTML>.

One very interesting thing is that among the restored files you'll see many similar versions of one and the same file if the latter had been developed on the hard disk and saved many times for every latest change. This is because if you had enough space on the hard disk every newer version of the file was saved physically on different place and the older versions disappear just because they were "missed" by the FAT tables.

How to restore other types of files:

It is hard (but I think it's possible) to define markers for other types of files. Some definite information for a certain file type could be searched in the file header. And the specific interpretation for each file type must be known as well. If you want to restore text no matter how it was written and what its file extension was (.TXT, .DOC, .CPP, other source code) you can use the program diskedit. Use the search (find) function of the program and enter key words that are present in the text.

home

Copyright © -1997 by WebDesign Ltd. All rights reserved.
This document (text and images) may not be copied in part or full without express written
permission from the publisher. All violations will be prosecuted to the fullest extent of the law.