Details
Trojan.FlashKiller
This trojan, when run, immediately erases data on the hard drive and overwrites the Flash BIOS chip if it is write-enabled. The trojan is a Windows PE executable and works under Win95/98 only.
To erase disk data and the Flash BIOS, the trojan uses exactly the same routine as the "Win95.CIH" (aka "Chernobyl") virus: the routine that "Win95.CIH" activates on April 26th. Moreover, the trojan code appears to have been compiled from the "Win95.CIH" virus sources with all infection routines removed, leaving only the data-destroying payload routines.
The detection procedure for this trojan implemented in AVP anti-virus has a side effect: it helps locate Windows PE EXE files that were not completely cleaned after a "Win95.CIH" infection.
The "Win95.CIH" infection method is quite complex, and the virus code is divided into several blocks inside infected files (see the "Win95.CIH" virus description for details). AVP disinfects such files thoroughly: it not only restores the PE file header and destroys the virus entry routine, but also erases every part of the virus code in the infected file.
Several other anti-virus programs disinfect "Win95.CIH" less accurately than AVP: they recover only the PE file header and leave pieces of virus code and data in the disinfected files; for example, you may see the "CIH TATUNG" or "CIH TTIT" string in the bodies of such files. The hard drive erasing and Flash BIOS destroying routines are also left behind in the files' sections. This part of the "Win95.CIH" virus code causes AVP to detect such files as infected by the "FlashKiller" trojan when AVP is run in "Redundant scan" mode. In this mode AVP scans the whole file contents, locates the hard drive and Flash BIOS killing routine, and reports trojan code found in the file.
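As an added illustration of what a whole-file scan surfaces that a header-only check misses, here is a small Python triage script; it is not AVP's code and not part of this description. It parses a PE file's section table and reports in which section (or in the overlay past the last section) the "CIH TATUNG" / "CIH TTIT" residue strings named above appear; the sample PE it builds is constructed for the demonstration and is not loadable, and the marker list is only those two strings, so this is a triage aid rather than a substitute for the full AVP detection.

```python
import struct

# Residue strings the description above says header-only cleaners leave behind.
RESIDUE_MARKERS = (b"CIH TATUNG", b"CIH TTIT")

def pe_sections(data: bytes):
    """Yield (name, raw_offset, raw_size) for each section in the PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                            # section headers
    for i in range(nsections):
        hdr = data[table + i * 40:table + (i + 1) * 40]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, raw_off, raw_size

def find_residue(data: bytes):
    """Return [(region, file_offset, marker)] for every residue string found,
    scanning each section body and any overlay past the last section."""
    regions = list(pe_sections(data))
    end = max((o + s for _, o, s in regions), default=0)
    if end < len(data):
        regions.append(("<overlay>", end, len(data) - end))
    hits = []
    for name, off, size in regions:
        body = data[off:off + size]
        for marker in RESIDUE_MARKERS:
            pos = body.find(marker)
            while pos != -1:
                hits.append((name, off + pos, marker.decode()))
                pos = body.find(marker, pos + 1)
    return hits

def build_sample_pe(payload: bytes) -> bytes:
    """Constructed, non-loadable two-section PE with `payload` in .data (sample input)."""
    def section(name, size, off):
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0x1000, size, off) + bytes(16)
    opt = bytes(224)                                  # zeroed optional header
    text_off, text = 512, b"\xc3" * 16                # .text: 16 RET bytes
    data_off = text_off + len(text)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + opt
    hdr += section(b".text", len(text), text_off) + section(b".data", len(payload), data_off)
    return hdr.ljust(text_off, b"\0") + text + payload
```

Run `find_residue(open(path, "rb").read())` on a file that other tools reported clean; a non-empty result means the header was fixed but residue remains in the named region.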
To fix the problem, contact your local AVP distribution and support site and obtain the CIH-TRAC.AVC database, which detects such badly disinfected files and completes the disinfection by cleaning all traces of the virus. This routine is not, and will not be, included in the main AVP databases because it may cause false alarms.