
CIH VIRUS
FREE Data Recovery!

The Day After . . .

On April 26th, many PC Hard Drives
were damaged by the CIH Virus.

In The News
 CIH virus finds a few victims -- CIH impact was minimal; but don't say that to Boston College students who lost term papers.
 Chernobyl virus wreaks havoc in parts of Asia

The CIH virus attempts to ERASE the writable FLASH BIOS of infected PCs, and also overwrites the first 2,048 sectors (1,048,576 bytes) of all of the system's available non-removable writable disk drives! While this behavior places the CIH virus among the nastiest of all viruses, the damage is more recoverable than it first appears:

Flash BIOS Recovery:
We have been told by knowledgeable experts that most PC motherboards do not provide any means for recovering from the loss of their Flash BIOS EEROM. (Those that do are not vulnerable to CIH's erasure in the first place.) You should contact your PC motherboard manufacturer to determine whether your system can have its EEROM repaired. (Many thanks to Nick FitzGerald for sharing his accurate information.)

(Please note that Gibson Research Corporation has no special expertise in Flash BIOS recovery, so we cannot help you there. If your system's Flash BIOS was erased, you must either move your hard drive to a system with a working motherboard or repair your BIOS before proceeding to consider the recovery of your system's hard drive.)

Hard Drive Recovery:
The CIH virus erases the first 2,048 sectors (1 megabyte) of each of the system's non-removable and writable disk drives. While this is certainly troublesome, the damage is very often 100% reversible and recoverable! (This is especially true if the drive contained multiple partitions, since only the first partition was truly damaged. See below.)

(Note that our standard SpinRite product was never designed to recover from deliberate and malicious damage done to drives by virus activity. SPINRITE DOES NOT RECOVER FROM THE DAMAGE DONE BY THE CIH VIRUS. Steve has researched the problem and now offers a completely FREE solution for everyone.)

How is it possible to recover the loss of the first 1 million bytes of a hard disk drive? The "front" of a DOS/Windows hard disk drive contains the following crucial information:

"Microsoft" DOS/Windows Drive Layout
 The Partition Table -- Also known as the "Master Boot Record" or MBR.
This single sector describes the major subdivisions (partitions) of the drive. In typical, simple, systems it specifies a single large partition that encompasses the entire drive.
 The First Partition's Boot Sector(s) -- Also known as the "Boot Sector".
One or six sectors which specify the layout of the balance of the partition, including the exact location of the following items:
 The File Allocation Table(s) -- Also known as the "FAT".
A permanent, contiguous, block of sectors used by the operating system to manage the sub-allocation of space within the partition. This information is so critical and non-recoverable that two complete, identical, FAT tables are maintained.
 The Root Directory -- Also known as the "Root".
A block (or chain) of sectors which contains the information used to manage the root directory files and sub-directories.

Recovering from the Loss of the First Megabyte:
Of all the data outlined above, only the FAT and Root directory contain vital information which cannot be "reverse engineered" from the existing system. Since the FDISK and FORMAT programs created the Partition Table and Boot Sectors respectively out of nothing, it stands to reason that they could be similarly re-created from nothing.

The restoration of the drive's Partition Table (which is the first thing Steve's new FREEWARE program does) will immediately restore the drive's partitions to existence. Although the CIH virus does extensive damage to the first partition, subsequent partitions are left completely intact!

Recovering the Drive's First Partition:
After the drive's partition table has been restored and any partitions beyond the first have been brought back into existence, we are still left with the extensive damage done to the first partition.

With the advent of 32-bit File Allocation Tables (FAT32) the FAT tables became quite large ... and this is the second part of the secret behind completely recovering from the loss of the first megabyte of the hard drive.

For example, a one gigabyte drive (or partition) formatted with a 32-bit FAT will consist of approximately 262,144 clusters of 4,096 (4k) bytes each. Since each FAT table entry requires 32-bits, or four bytes, a single copy of the FAT for a one gigabyte drive will require exactly one megabyte of sectors!

So, since just the first copy of a 32-bit FAT for a one gigabyte drive requires one megabyte of storage, and since the CIH virus only erases the first one megabyte of the drive, the large size of this first FAT table pushes the entire second copy of the FAT and the root directory fully out of harm's way!

This means that by first reconstructing the Partition Table and the Boot Sectors and then copying the second (preserved) copy of the FAT down into the space where the first copy belongs ... the first partition of the drive (if it's at least one gigabyte and FAT32 format) can be completely reconstructed and recovered!
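The arithmetic above, worked through as an added example (this is not FIX-CIH's code or anything from GRC). It computes where the two FAT copies land for several partition sizes, how many sectors of each the 2,048-sector overwrite reaches, and then replays the "copy the second FAT over the first" step on a constructed in-memory disk image. Assumptions not stated on the page: 512-byte sectors, a first partition starting at sector 63, 32 reserved sectors ahead of the first FAT, and the page's simplified cluster count.

```python
SECTOR = 512
CIH_WIPED = 2048  # sectors overwritten from the start of the disk (figure from the page)

def fat32_layout(part_bytes, cluster_bytes=4096, part_start=63, reserved=32):
    """Sector ranges [first, end) of both FAT copies (page's simplified arithmetic).
    part_start and reserved are assumed typical values, not taken from the page."""
    clusters = part_bytes // cluster_bytes
    fat_sectors = (clusters * 4 + SECTOR - 1) // SECTOR   # 4 bytes per FAT32 entry
    fat1 = part_start + reserved
    fat2 = fat1 + fat_sectors
    return {"fat1": (fat1, fat2), "fat2": (fat2, fat2 + fat_sectors)}

def wiped_sectors(region):
    """Number of sectors of [first, end) that fall inside the overwritten area."""
    first, end = region
    return max(0, min(end, CIH_WIPED) - first)

def fully_recoverable(layout):
    """FAT copy 2 untouched; the data area (root directory included) follows it."""
    return wiped_sectors(layout["fat2"]) == 0

def simulate_recovery(layout):
    """Overwrite a constructed disk image, copy FAT 2 over FAT 1, compare to original."""
    (f1, f1_end), (f2, f2_end) = layout["fat1"], layout["fat2"]
    disk = bytearray(f2_end * SECTOR)
    fat = bytes(i % 251 for i in range((f1_end - f1) * SECTOR))  # constructed FAT content
    disk[f1 * SECTOR:f1_end * SECTOR] = fat
    disk[f2 * SECTOR:f2_end * SECTOR] = fat
    disk[:CIH_WIPED * SECTOR] = bytes(CIH_WIPED * SECTOR)        # the 1 MB overwrite
    disk[f1 * SECTOR:f1_end * SECTOR] = disk[f2 * SECTOR:f2_end * SECTOR]  # restore step
    return bytes(disk[f1 * SECTOR:f1_end * SECTOR]) == fat

if __name__ == "__main__":
    for mib in (256, 512, 1024, 2048):
        lay = fat32_layout(mib * 2**20)
        print(f"{mib:5d} MiB  FAT1 {lay['fat1']}  FAT2 {lay['fat2']}  "
              f"FAT1 lost {wiped_sectors(lay['fat1'])}  FAT2 lost {wiped_sectors(lay['fat2'])}  "
              f"recoverable {fully_recoverable(lay)}  restore ok {simulate_recovery(lay)}")
```

Under these assumptions the 512 MiB case shows why size matters: the second FAT copy still starts inside the overwritten megabyte, so copying it back reproduces the damage instead of repairing it.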



What about drives with more than one partition?

As we said above, for drives with more than one partition of any format, the partitions beyond the first can always be completely recovered by the reconstruction of the drive's partition table. (Which is one of the things that Steve's new FREEWARE program does.)

So, even if your C: partition was FAT16 format (and thus not completely recoverable from a CIH attack) your D:, E:, and other partitions can be completely recovered automatically!



Did Someone Say 'FREE Data Recovery?' . . .

Yes!!  Steve has written a FREEWARE program
FIX-CIH
to completely recover from CIH attack!

Since this pesky CIH virus has just damaged hundreds of thousands of hard disk drives, Steve Gibson created a new FREEWARE program to recover from this problem . . . even AFTER the virus has wiped out a drive! This program quickly recovers FAT32 formatted drives from the damage done by the CIH virus. (Note: Unfortunately, it will not be able to help non-FAT32 formatted drives.)

So, if your system has just been zapped by the CIH Virus, if you have your flash bios working again (or if it wasn't zapped) but after booting DOS from the A: (diskette) drive your hard drive is gone, unrecognized, or missing ... the program Steve has written will repair your drive and recover ALL of your data!

The FIX-CIH Research and Development Diary page has information about the development of the program.

The FIX-CIH Download and Version History page contains a link to download the FIX-CIH program and information about its various versions.


Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: May 25, 2005 at 15:10 (3,255.60 days ago)