CIH

Discussion in 'malware problems & news' started by kloshar, Feb 25, 2004.

Thread Status:
Not open for further replies.
  1. kloshar

    kloshar Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    279
    Location:
    Europe, Slovenia, Brežice
    Hi!

    Sophos antivirus has found the CIH (Chernobyl) virus a few times on my Windows 2000 or XP system. Are there some files in Windows that are like CIH? Because no other AV detected that virus, just Sophos. And there are no removal instructions.

    Is this a hard virus?
     
  2. FanJ

    FanJ Guest

    Hi,

    You said that no other AV detected it.
    So I assume you have run either other AVs on your system to check those file(s) or some online AV scanners.

    The site for Sophos about CIH is here:
    http://www.sophos.com/virusinfo/analyses/w95cih.html

    Steve Gibson has also written some pages about it:
    http://grc.com/cih.htm

    PS:
    Thanks to Paul: those links are at the free tools page of Wilders.org:
    http://www.wilders.org/free_tools.htm

    I guess the best thing you could do, now you are sure that no other AV gives an alert, is to contact Sophos:
    http://www.sophos.com/support/queries/

    I hope this helps.
     
  3. kloshar

    kloshar Registered Member

    It is funny that I have gotten this virus a few times, and just on my 2000/XP system. I really don't believe Sophos.
     
  4. kloshar

    kloshar Registered Member

    W95/CIH-10xx detected in c:\winnt\system32\active~1\imscan.dll

    I don't believe this is a virus. There is a file in Windows 2000/XP that Sophos thinks is a virus.
     
  5. FanJ

    FanJ Guest

    Then please submit it to Sophos, so they can have a closer look at it.
    In case it is a false alarm (that can happen to all scanners), they could try to fix it.
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    By the folder name, that looks like an online scanner DLL which has a signature IN IT for detecting CIH. And then along comes another scanner and sees that signature, lo and behold...

    And Panda AV is well known for causing these alarms... their signature files must not be encrypted. Still, submit IMScan.dll to me if you don't mind, submit@diamondcs.com.au and I will let you know :)
     
  7. kloshar

    kloshar Registered Member

    Yes, Sophos said that it was Panda's file, so it isn't a virus.
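
The false alarm discussed in this thread, reproduced as an added example (not code from any poster or vendor): a scanner that matches raw byte patterns anywhere in a file alerts on another scanner's unobfuscated signature store. The pattern, XOR key, file layout and sample files are all constructed assumptions, and the region-scoped check goes one step beyond what the thread describes.

```python
# Constructed stand-in pattern for illustration; NOT a real CIH signature.
SIG_NAME = b"Demo/Sample-10xx"
SIG = b"\x13\x37DEMO-PATTERN\x13\x37"
XOR_KEY = 0x5A    # hypothetical key a vendor might use to obfuscate its database
CODE_SIZE = 64    # constructed layout: bytes [0, 64) are code, the rest is data


def xor(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def make_file(code: bytes, data: bytes) -> bytes:
    """Build a toy file: code padded to CODE_SIZE, followed by a data region."""
    return code.ljust(CODE_SIZE, b"\x90") + data


def naive_scan(data: bytes) -> list[int]:
    """Offsets where the raw pattern occurs anywhere in the file."""
    hits, pos = [], data.find(SIG)
    while pos != -1:
        hits.append(pos)
        pos = data.find(SIG, pos + 1)
    return hits


def scoped_scan(data: bytes, code_regions: list[tuple[int, int]]) -> list[int]:
    """Keep only hits that lie entirely inside a region known to hold code."""
    return [h for h in naive_scan(data)
            if any(s <= h and h + len(SIG) <= e for s, e in code_regions)]


BENIGN_CODE = b"\x55\x8b\xec\x33\xc0\x5d\xc3"
SIG_TABLE = SIG_NAME + b"\x00" + SIG   # how a scanner might store its pattern

SAMPLES = {  # all three files are constructed for this example
    "infected.exe": make_file(BENIGN_CODE + SIG, b"ordinary data"),
    "scanner_plain.dll": make_file(BENIGN_CODE, SIG_TABLE),
    "scanner_obfuscated.dll": make_file(BENIGN_CODE, xor(SIG_TABLE)),
}


def report() -> dict[str, tuple[bool, bool]]:
    """Map each sample to (naive scanner alerts, scoped scanner alerts)."""
    regions = [(0, CODE_SIZE)]
    return {name: (bool(naive_scan(d)), bool(scoped_scan(d, regions)))
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, scoped) in report().items():
        print(f"{name:24} naive={naive!s:5} scoped={scoped}")
```

Only the naive scan alerts on `scanner_plain.dll`; obfuscating the stored table, or restricting matches to code regions, removes the false alarm while the constructed infected sample is still flagged.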
     