Devised method for retrieving data from a computer hit by Chernobyl (CIH)

A student of Sir Syed University, First Batch, Electronics Department, devises a method for retrieving data from a computer hit by Chernobyl (CIH).

April 30th, 1999.

This method to revive hard disks infected by the CIH (Chernobyl) virus has been devised by a student of our university, Mr. Muhammed Rizwan Ali, a graduate of the first batch of SSUET, Electronics Department, and Mechanical Engineer Mr. Muhammad Kashifuddoja.

Methodology to revive crashed Hard Disks infected with the CIH virus

(a) Tools to be used:

- An operative PC.
- A Hard Disk installed with Win 95/98 O.S. It should be clean of any kind of infection.
- Norton Utilities, preloaded.
- Any updated Antivirus software such as McAfee Ver. 4.01 or Norton Antivirus 5.0, preloaded.
- Fdisk.exe utility. Sys.com utility (optional).

(b) Preventive measures to be taken before the Revival:

- Change the BIOS date to any date prior to the date of the virus attack. Do not set it to the 26th or 27th of any month.
- Go to the BIOS "Advanced Settings" and change "Virus Warning" from Disabled to Enabled.
- Save settings and SHUT OFF the system.

Note: The above changes can be reverted after the crashed Hard Disk has been revived.

(c) The Revival:

- Set the operating Hard Disk as Primary Master.
- Set the jumpers of the infected Hard Disk as the Slave of the Primary Master.
- Boot the system and press "DEL" to enter the BIOS. Go to "Auto Detection of Hard Disks". This will recognize both Hard Disks as Primary Master and Primary Slave. Be sure the infected Hard Disk is detected as the Slave.
- Save settings and reboot to the Win95/98 O.S. installed on the Primary Master.
- Run "Norton Disk Doctor (Ndd32.exe)" from the Programs menu.
- NDD begins its operation by analyzing the infected Hard Disk. A message box is displayed informing that Hard Disk 2 contains "Invalid Signatures" on the Partition Table. Click "YES" to continue.
  Note: The time to search for the recoverable Partition(s) depends upon the actual size of the Hard Disk and the number of Partition(s) found on the crashed Hard Disk. So please be patient.
- After thoroughly examining the cylinders and sectors of the crashed Hard Disk, NDD prompts you to revive the first available partition it has located. Click "YES" to continue.
- After recovering the first located partition, it asks whether to search further for more possible partitions. Click "YES" to continue.
  Note: The number of partitions to be revived depends upon the number of DOS (FAT16) partitions residing on the Hard Disk. Partitions such as NTFS, HPFS and FAT32 are unrecoverable by NDD.
- Likewise, NDD prompts you to revive each further partition it locates. The prompting depends upon the number of partitions it can revive.
- During the above operations, it may ask you to create an "Undo File". Press the "Skip" tab to continue.
- After searching through the entire Hard Disk, NDD informs you that the Partition information has been changed and that the system should be restarted with the "NDD /REBUILD" option. In some cases, this option is displayed during the initial stages. Press "O.K." to continue.
- Reboot the system. While "Starting Windows 95/98" is displayed, press "F8". Choose "COMMAND PROMPT ONLY" from the selection menu.
- When the "C:\>" prompt is displayed, go to the path where NDD.EXE is located. For example: C:\>CD PROGRA~1\NORTON~1 (press Enter), then C:\PROGRA~1\NORTON~1>NDD.EXE (press Enter).
- As NDD begins its operation, it repeats the whole procedure once again in DOS mode. Proceed as you did in the previous steps in Windows mode.
- Finally, NDD displays a message box asking to restart the system. Boot into the Windows 95/98 GUI.
- After the Desktop appears, go to "Explorer.exe" and confirm the revived partitions, designated by drive letters "D, E, F,...". You can search for your recovered data now.
- The partitions obtained are not necessarily the Primary (active) partitions. They may be Extended / Logical ones that have been revived as Primary. NDD HAS IN FACT SWITCHED AND SHIFTED THE STATUS OF THE PREVIOUS EXTENDED / LOGICAL PARTITION TO PRIMARY DURING THE REVIVAL PROCEDURE. IT THEREFORE LEAVES THE PREVIOUS PRIMARY PARTITION UNRECOVERABLE, MAKING AN EXTENDED / LOGICAL PARTITION THE PRIMARY ONE, AS SEEN IN THE FOLLOWING FIGURES.
  HENCE THE ACTUAL DRIVE LETTERS ARE CHANGED, FOR EXAMPLE: "D" IS CHANGED TO "E" OR "C". YOU CAN RECOGNIZE YOUR DRIVES BY THEIR VOLUME LABELS.
- Now run any updated Antivirus software tool such as "McAfee Virus Scan" from the Programs menu, installed on the Primary Master Hard Disk. Check and clean the revived partitions thoroughly for possible existing viruses. Be sure to select the "All Files" and "Compressed Files" settings.
  a) See if any O.S. (Command.com) is available on the revived drives.
  b) If not, use "SYS.COM" to transfer system files to any of the revived Primary partitions. Use the "FDISK.EXE" utility to confirm the Primary one.
- Now, again using the "FDISK.EXE" utility, make the Primary partition of the revived Hard Disk "ACTIVE".
- Switch off the system and remove the Primary Master Hard Disk. Set the jumpers of the revived Hard Disk so that it is now the Primary Master.
- Switch on the system and press "DEL" to enter the BIOS settings, then do the following:
  - Change the date to the current date.
  - Disable the "Virus Warning" function.
  - Auto detect the revived Hard Disk as Primary Master.
  - Save settings and exit to reboot.
- The revived Hard Disk will now boot normally with all its recovered partitions.
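
The partition search described in section (c), sketched as an added Python example (not part of the original page and not Norton Disk Doctor's own code): it checks sector 0 of a raw disk image for the 0x55AA partition-table signature, then scans every sector for a plausible FAT16 boot sector and reports its start sector, size and volume label. The sample image, its label DATA_VOL, the LBA 126 placement and all function names are constructed for illustration.

```python
import struct

SECTOR = 512

def mbr_signature_ok(sector0: bytes) -> bool:
    """Partition-table sector must end with bytes 0x55 0xAA."""
    return len(sector0) >= SECTOR and sector0[510:512] == b"\x55\xaa"

def parse_fat16_boot_sector(sec: bytes):
    """Return volume facts if `sec` is a plausible FAT16 boot sector, else None."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa" or sec[0] not in (0xEB, 0xE9):
        return None
    bps, spc, reserved, nfats, root_ents, total16, _media, fatsz = struct.unpack_from(
        "<HBHBHHBH", sec, 11)  # BIOS Parameter Block, offsets 11..23
    total = total16 or struct.unpack_from("<I", sec, 32)[0]
    if bps != SECTOR or spc == 0 or spc & (spc - 1) or nfats == 0 or fatsz == 0:
        return None
    root_secs = (root_ents * 32 + bps - 1) // bps
    clusters = (total - reserved - nfats * fatsz - root_secs) // spc
    if not 4085 <= clusters < 65525:      # the cluster count is what defines FAT16
        return None
    # The volume label field is only valid when the extended boot signature is 0x29
    label = sec[43:54].decode("ascii", "replace").rstrip() if sec[38] == 0x29 else ""
    return {"sectors": total, "clusters": clusters, "label": label}

def scan_for_fat16(image: bytes):
    """Read-only scan of every sector; returns candidate volumes with start LBA."""
    found = []
    for lba in range(len(image) // SECTOR):
        vol = parse_fat16_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR])
        if vol:
            found.append({"start_lba": lba, **vol})
    return found

def build_sample_image() -> bytes:
    """Constructed sample: blank sector 0, one FAT16 boot sector at LBA 126."""
    boot = bytearray(SECTOR)
    boot[0:11] = b"\xeb\x3c\x90" + b"MSDOS5.0"
    struct.pack_into("<HBHBHHBH", boot, 11, 512, 4, 1, 2, 512, 40000, 0xF8, 40)
    boot[38] = 0x29
    boot[43:62] = b"DATA_VOL   " + b"FAT16   "
    boot[510:512] = b"\x55\xaa"
    image = bytearray(300 * SECTOR)
    image[126 * SECTOR:127 * SECTOR] = boot
    return bytes(image)

if __name__ == "__main__":
    img = build_sample_image()
    print(mbr_signature_ok(img[:SECTOR]), scan_for_fat16(img))
```

Run a scan like this against an image copy of the damaged disk rather than the disk itself, so the original sectors stay untouched while candidates are reviewed.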

Other points to be considered:

If one is unable to arrange for a Primary Master Hard Disk, then he may work with a Floppy drive, with his infected Hard Disk set as the Primary Master (alone). The Floppy must be bootable with "Command.com". The other utilities such as Fdisk.exe, Sys.com and Ndd.exe must also be copied onto it in order to work with them. The partitions will be revived, but he might not be able to use the Antivirus tool to check the recovered partitions. An Antivirus tool must somehow be arranged to DISINFECT the existing viruses after recovery of the Hard Disk.

There may be cases where one is not able to recover with the Primary Master Hard Disk method. He can then use the above Floppy procedure to revive the infected Hard Disk. Be sure to arrange for the Antivirus check-up as well.

After the revival through any method, the NTFS / HPFS / FAT32 partitions the disk contained will be displayed as free space, which can now be recreated as required.

The above methodology is only for "UNFORMATTED" Hard Disks. If the infected Hard Disk has been reformatted and a new O.S. installed, then there is no chance of recovering the previous partitions. However, there might be a slight chance if the Hard Disk has not been overwritten. In that case, the "Unformat" command can be used to revert the change. But this command must be run from the same disk from which the "Format" command was run. For instance, if "Format" was run from a Floppy drive, be sure to use the same drive to run the "Unformat" command. Do not change to other media, i.e. CD, another floppy etc. (The floppy must contain both commands.)

After the Revival, back up your data to some other source and recreate your Partitions. Install your O.S. and other Applications to bring your Hard Disk back to 100% working condition. Restore the backed-up data. Also keep your Antivirus tool UPDATED.

Those whose "Flash ROM BIOS" has been erased by the CIH Virus can REPROGRAM their respective BIOS. If Reprogramming is unavailable, then turn to the BIOS vendors to purchase a new one for the existing motherboard.

For further clarification, feel free to contact:

Mr. Mohammed Rizwan Ali
Phone No: 92-21-4968236.
Email 1: epsilon@cyber.net.pk
Email 2: aloha@cyber.net.pk
Email 3: alphromeo@hotmail.com
Address: A-2 Rabia Duplex, Scheme # 33, Main University Road, Karachi -- 32, Post Code No 75270, Pakistan.

Copyright © 1997-2006, SSUET, All Rights Reserved.