
TSCAN.TXT: Information about the W95/CIH viruses (3 known variants)

Copyright (c) 1998 by GEGA-Software Andreas Marx, Virus Help Munich
(For more information and my address see end of file)


*** Some notes about this virus ***

In June 1998 a new virus from Taiwan spread to Germany. It is dangerous
because it is able to erase the Flash BIOS of a computer. This payload is
triggered on the 26th of every month. It also overwrites all data on all
local drives. For a more detailed German description refer to:
-> http://www.chip.de/News/cih.html <-.


*** Language selection ***

The file TSCAN.DAT determines the language of the user interface. In case
German messages appear on your screen, replace TSCAN.DAT with TSCAN.ENG
in order to get English output.


*** Scanning for the virus... ***

This program is a special edition of the ActiveAntiVirus scanner
produced by the German company GEGA Software. It can find and remove
(option: /REMOVE) all known variants of the CIH virus.

WARNING: This program does not try to detect the CIH virus in memory.
For this reason it is essential that you only use it in a DOS environment
without Windows running. Otherwise the virus may infect every file that
is scanned and reinfect every file after removal of the virus.


*** ... and cleaning it ***

The virus has a very unusual infection strategy: It splits into several
sections and injects its code into different parts of its host file.
TSCAN is able to remove only the first part of the virus. The other
parts will be left alone. The reason for this is the complexity of the
infection process that makes it impossible to locate all parts reliably.
The quest for perfect removal of the virus code would increase the danger
of damaging the program to be cleaned. Because the risk of unintentional
damage to the host program is too high, the program only cleans the first
part of the virus.
This approach will prevent the virus from working and in many cases will
create program files that function in the same way as the programs did
before the infection. However, even with this cautious approach it is not
possible to restore every infected file, because the virus irreversibly 
overwrites some data in the program header. Thus the /REMOVE option should
be used with great care.
Please note: Most other anti-virus programs tested so far by the author
are not able to remove the virus at all, or remove it less completely or
less destructively than this cleaner does. For example, some do not even
clean the first part of the virus but just leave it in the file!

After a CIH infection, the only way to get original files is to
- either reinstall Windows and all your infected applications or to
- restore all files from a backup.


*** Information about this program ***

This program is DOS-based and requires no more than 200 kB of free
DOS memory. It can also scan network drives and CD-ROMs. It does not
support long filenames, but they will not be destroyed.
It cannot scan inside archive files like ZIP, ARJ etc., so you have
to extract the files first.

The program performs a self test on start-up and outputs a message
if it detects a modification.

When you start the program without command-line parameters it will
ask you for a drive to scan. The option '/?' or '/HELP' displays a
list of all parameters.

The program can be used in batch files. It returns an errorlevel to
DOS:
     0   --> All OK
     1   --> At least one virus was found
     255 --> There were errors, for example the TSCAN.DAT file was
             not found
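
A batch file that acts on these errorlevels, as an added example that is
not part of the TSCAN distribution. The drive argument "C:" is an
assumption, since this file does not show how a drive is passed on the
command line; treating the undocumented codes 2-254 as errors is also a
choice made for this example.

```bat
@ECHO OFF
REM Added example, not shipped with TSCAN.
REM Assumption: the drive to scan is given as "C:". This syntax is not
REM documented in TSCAN.TXT; run TSCAN /? to see the real parameters.
REM Run this from plain DOS without Windows loaded, because TSCAN does
REM not detect the virus in memory.
TSCAN C:

REM "IF ERRORLEVEL n" is true for every code >= n, so the highest
REM value must be tested first. Only 0, 1 and 255 are documented;
REM anything from 2 upwards is treated here as a failed scan, so that
REM an error is never mistaken for a clean result.
IF ERRORLEVEL 2 GOTO SCANERR
IF ERRORLEVEL 1 GOTO INFECTED

ECHO TSCAN finished: no CIH infection found.
GOTO END

:SCANERR
ECHO TSCAN reported an error, for example TSCAN.DAT was not found.
ECHO The scan result is unknown. Do not treat this drive as clean.
GOTO END

:INFECTED
ECHO TSCAN found at least one infected file.
ECHO Restore the files from a backup or reinstall the programs.
ECHO The /REMOVE option should be used with great care.

:END
```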


*** Some notes about TSCAN ***

This program is free of charge and you may distribute it freely.
However, it is copyrighted software. It is forbidden to sell this
program.

THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE WHILE USING THIS
PROGRAM OR THE DOCUMENTATION! BE WARNED: USE IT CAREFULLY!

All used trademarks, registered trademarks and company names are
the property of their respective owners.


*** What's new in this version? ***


Version 1.42se (07/17/1998)

- This program can identify the virus variants more exactly than before
- The command-line parameter /VLIST (virus list) works now
- First English release of this scanner/cleaner program


*** About the author ***


This program was developed by Andreas Marx, a member of Virus Help
Munich, a German-based group of anti-virus enthusiasts.
tel.: +49(0)391-613303 * fax: +49(0)391-6218501
e-mail: amarx@boerde.de
snail-mail: Andreas Marx, Foerderstedter Str. 11, D-39112 Magdeburg,
            Germany

Translation and special thanks: Dr. Karlhorst Klotz
Thanks go to: Oliver Marx, Stefan Kurtzhals (VHM), Rainer Link (VHM),
              Raimund Genes (VHM) and Toralv Dirro (VHM)


*** My PGP-Key ***

Type Bits/ID       Date       User
Pub  1024/3410BB65 1995/08/21 Andreas Marx <amarx@boerde.de>



*** End of the file ***

