Recover Your Files from ExploreZip / LoveBug / W97M.Suppl Damage

by Zvi Netiv, author of InVircible and the ResQ Utilities (1999)

Damage caused by ExploreZip / LoveBug / Suppl and their variants: When activated, each of these Trojans scans all accessible drives, local and network, for MS Office files (Word and Excel). ExploreZip also looks for PowerPoint, C, C++ and Assembler source files, while Suppl looks for text, database and archived files (TXT, DBF, ZIP, ARJ and RAR). Every file found with one of these extensions is zeroed: the Trojan opens the file with the CreateFile function in a way that truncates it to zero length, then closes it. LoveBug replaces JPG image files with a copy of its own script. The data that the damaged files contained may still exist on the drive, but it can be neither accessed nor 'undeleted', as every FAT reference to it was lost in the process. Unless it is recovered immediately after the incident, the data will be overwritten by new data and will no longer be recoverable.

What data can be recovered after ExploreZip / LoveBug / Suppl ravage: Only files that were not fragmented at the time they were hit can be recovered by the procedure described below. Additional requirements for a successful recovery are that the partition is either FAT-16 or FAT-32, and that no part of the data has been overwritten since it was zeroed or replaced. Hence it is strongly advised to stop using a drive that was hit by any of these Trojans as soon as the damage is discovered, to improve the chance of a successful recovery.
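The mechanism described in the two paragraphs above (a truncating open releases the file's FAT chain while leaving the cluster contents in place, and only contiguous, not-yet-overwritten files can come back) can be seen on a toy FAT-style volume. The following is an added example written for this page; it is not ResQdata or any other NetZ code. The volume layout, the cluster size and the JPEG-like sample files are all constructed, and the carver is a deliberately simple header/footer scan rather than a real format parser.

```python
"""Toy FAT volume: why a Trojan's zero-length truncation leaves data on
disk, and why only contiguous, not-yet-overwritten files carve back.
Added example with constructed data; not ResQ code."""

CLUSTER = 64      # bytes per cluster (tiny, to keep the demo readable)
FREE = 0          # FAT value for an unallocated cluster
EOC = 0xFFFF      # FAT value for end-of-chain


class Volume:
    def __init__(self, n_clusters):
        self.n_clusters = n_clusters
        self.fat = [FREE] * n_clusters
        self.data = bytearray(CLUSTER * n_clusters)
        self.root = {}                      # name -> (first_cluster, size)

    def write_file(self, name, payload, clusters):
        """Store payload in exactly the given clusters (so a fragmented
        file can be built on purpose) and link them in the FAT."""
        assert len(clusters) * CLUSTER >= len(payload)
        for i, c in enumerate(clusters):
            chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.fat[c] = clusters[i + 1] if i + 1 < len(clusters) else EOC
        self.root[name] = (clusters[0], len(payload))

    def read_file(self, name):
        """Normal read: follow the FAT chain from the directory entry."""
        first, size = self.root[name]
        out, c = bytearray(), first
        while c not in (FREE, EOC):
            out += self.data[c * CLUSTER:(c + 1) * CLUSTER]
            c = self.fat[c]
        return bytes(out[:size])

    def truncate_file(self, name):
        """What a truncating CreateFile open followed by a close does:
        the chain is released and the directory entry keeps neither a
        first cluster nor a size (so undelete has nothing to follow),
        but the data clusters are NOT wiped."""
        c, _ = self.root[name]
        while c not in (FREE, EOC):
            nxt, self.fat[c] = self.fat[c], FREE
            c = nxt
        self.root[name] = (FREE, 0)


def carve(vol, header, footer):
    """Signature carving: start only in clusters the FAT marks free (the
    space the Trojan released), then read forward raw, cluster after
    cluster, until the footer appears, as a sector-level tool would.
    A file whose chain jumped elsewhere comes back corrupted, because a
    forward scan cannot know where the chain went."""
    for c in range(vol.n_clusters):
        if vol.fat[c] != FREE:
            continue
        if not vol.data[c * CLUSTER:(c + 1) * CLUSTER].startswith(header):
            continue
        buf = bytearray()
        for k in range(c, vol.n_clusters):
            buf += vol.data[k * CLUSTER:(k + 1) * CLUSTER]
            end = buf.find(footer, len(header))
            if end != -1:
                yield bytes(buf[:end + len(footer)])
                break


def demo():
    """Three constructed cases: a contiguous file carves back intact, a
    fragmented one comes back with foreign data spliced in, and a file
    whose first cluster was reused by new data is gone."""
    HDR, FTR = b"\xff\xd8\xff", b"\xff\xd9"            # JPEG SOI / EOI markers
    good = HDR + b"A" * 150 + FTR                       # 155 bytes -> 3 clusters
    frag = HDR + b"B" * 150 + FTR
    vol = Volume(16)
    vol.write_file("GOOD.JPG", good, [1, 2, 3])             # contiguous
    vol.write_file("OTHER.TXT", b"live data " * 12, [5, 6])  # untouched live file
    vol.write_file("FRAG.JPG", frag, [4, 7, 8])             # chain skips 5-6
    vol.truncate_file("GOOD.JPG")                           # the Trojan's work
    vol.truncate_file("FRAG.JPG")
    before = list(carve(vol, HDR, FTR))
    vol.write_file("NEW.TXT", b"new data" * 8, [1])         # user kept working
    after = list(carve(vol, HDR, FTR))
    return {"zeroed_read": vol.read_file("GOOD.JPG"), "good": good,
            "frag": frag, "before": before, "after": after}


if __name__ == "__main__":
    r = demo()
    print("normal read after zeroing:", r["zeroed_read"])
    print("carved intact:", r["before"][0] == r["good"])
    print("fragmented carve corrupted:", r["before"][1] != r["frag"])
    print("candidates left after overwrite:", len(r["after"]))
```

`demo()` returns the raw results so they can be inspected: the zeroed file reads back empty, the contiguous file carves back byte for byte, the fragmented one contains `OTHER.TXT`'s bytes in the middle, and once cluster 1 has been reused the first file is no longer recoverable at all, which is the reason the text insists on stopping use of the drive immediately.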

Recommended hardware setup and software tools: The utility you'll need is RESQDATA, from the ResQ package, with ResQpro authorization.

ResQdata has a special mode that allows selective recovery of files that were reduced to zero length by one of the above Trojans, as well as recovery of JPG files that were replaced by LoveBug.

All recovery work should be conducted from plain DOS. If the lost data resides in a FAT-32 partition, the DOS you work from must support FAT-32.

Before starting the actual recovery, please read the online help provided with ResQdata and practice, as suggested in the help text. To access the help, type RESQDATA /? at the command line, from the directory where the ResQ files reside.

Good luck! 


Recovery of the Hard Drive after CIH / Chernobyl / Kriz Trashing

A step-by-step guide to recovering your hard drive after it was trashed by CIH, aka Chernobyl.
by Zvi Netiv, author of InVircible and the ResQ Utilities

Hotkeys: The ^ (caret) and @ (at) signs in the following text denote the Ctrl and Alt keys of the keyboard, respectively. For example, the combination @F4 means "press the Alt and F4 keys simultaneously".

You are advised to print this file with your online printer and save it as HTML, for later use.

Note that the CIH and Kriz viruses can only run under Windows 9x/Me, and therefore only affect FAT/FAT-32 file systems. Systems running NT, W2K or XP aren't affected by these viruses.

Hardware setup and software tools

The drive to recover should be set as the first drive. Nothing needs to be changed if the recovery is conducted in the same machine in which the drive was ruined by the virus. Work should be conducted from an external drive, such as a floppy or super-drive, or from a second hard drive, if available. During the recovery of a FAT-32 partition you'll need several megabytes of storage space for temporary files. Instructions on how to create a RAM drive in memory are given below.

The utilities you'll need are RESQDISK.EXE, with ResQpro authorization, and IVZ.EXE, both available from the NetZ website. ResQdisk is the hard disk recovery tool from our RESQ package, and IVZ is the disinfector from the InVircible for DOS package, for cleaning your programs of CIH after access to the drive and file system is restored.

Running the RESQ.EXE self-extracting archive will extract the files to a floppy or to a directory of your choice. If the 'Unzip' option is selected, the extraction is followed by a run of the MakeResQ utility, which transfers the system files to the floppy and makes it bootable, and also copies the XMS and RAMDRIVE drivers to the floppy. MakeResQ also creates an a:\config.sys that loads the two drivers when booting from the floppy. MakeResQ will only run under Windows 95, 98 or ME, not under NT or Win2000. Note that you need to run the procedure under Windows 98 or ME in order to have FAT-32 supported. The floppy on which you prepare the RESQ should be formatted and empty.

Finally, install your ResQpro personal license to the floppy. You'll also need IVZ.EXE on the floppy, from the InVircible antivirus package. You are now all set to start with act