CIH

Virus.Win9x.CIH or CIH, also known as Chernobyl or Spacefiller, is a virus on Microsoft Windows that infects Windows 95, 98 and ME.

It was first discovered on June 25, 1998 in Taiwan. According to the Taipei authorities, Chen Ing Hau wrote the CIH virus; the name of the virus is derived from his initials. It did most of its damage within a few months of the appearance of ExploreZip and Melissa. Contrary to popular belief, the payload trigger date was not based on the date of the Chernobyl nuclear disaster.

Behavior

When a CIH-infected file is executed, the virus becomes memory-resident and infects every executable file that is subsequently accessed. Files infected by CIH may keep the same size as the original, because of CIH's unusual infection mode: the virus searches for empty, unused space inside the file, splits itself into smaller pieces and inserts its code into those gaps. Because the resident virus infects every file that is opened, a single virus scan run without first disabling the virus can itself cause multiple files on the system to become infected.
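As an added defensive example (not code from this wiki page or from any antivirus vendor), the following Python script implements the detection heuristic that follows from the infection mode described above: it parses a PE file's section table and flags any section whose padding between VirtualSize and SizeOfRawData contains non-zero bytes, which is the unused space a space-filling infector such as CIH packs its code fragments into. The build_test_pe helper produces a constructed, non-runnable PE image as test input; the 0xCC bytes placed in the padding stand in for injected code.

```python
import struct

FILE_ALIGN = 0x200  # FileAlignment used by the constructed test images

def build_test_pe(sections):
    """Build a minimal, non-runnable PE32 image (constructed test input); sections
    is a list of (name, content, slack), slack filling the padding after content."""
    nsec = len(sections)
    hdr_size = 0x40 + 4 + 20 + 0xE0 + 40 * nsec
    raw_ptr = -(-hdr_size // FILE_ALIGN) * FILE_ALIGN   # first section's file offset
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 30 + struct.pack("<II", 0x1000, FILE_ALIGN)
    opt += b"\0" * (0xE0 - len(opt))                    # rest of the optional header
    headers, body, va = b"", b"", 0x1000
    for name, content, slack in sections:
        raw_size = -(-len(content) // FILE_ALIGN) * FILE_ALIGN
        chunk = (content + slack).ljust(raw_size, b"\0")  # slack must fit the padding
        headers += name.ljust(8, b"\0") + struct.pack(
            "<IIII", len(content), va, raw_size, raw_ptr + len(body)) + b"\0" * 16
        body += chunk
        va += 0x1000
    head = dos + b"PE\0\0" + coff + opt + headers
    return head + b"\0" * (raw_ptr - len(head)) + body

def find_cavity_slack(pe):
    """Walk the PE section table and report sections whose file padding (bytes
    between VirtualSize and SizeOfRawData) holds non-zero data, the gap a cavity
    infector fills. Returns [(section_name, file_offset, slack_len, nonzero_count)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)  # NumberOfSections, SizeOfOptionalHeader
    sec_table = coff + 20 + opt_size
    findings = []
    for i in range(nsec):
        hdr = sec_table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if raw_size <= vsize:
            continue  # no file-side padding after this section's data
        slack = pe[raw_ptr + vsize:raw_ptr + raw_size]
        nonzero = sum(1 for b in slack if b)
        if nonzero:
            findings.append((name, raw_ptr + vsize, len(slack), nonzero))
    return findings
```

Linkers normally leave that padding zeroed, so a hit marks a file for closer inspection rather than giving a verdict; a check like this must be run from a clean boot, since a resident CIH infects every file a scanner opens.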

CIH has two payloads, which activate on April 26. The first overwrites the master boot record, starting at sector 0, which makes the OS unbootable; it then enters an infinite loop that hangs the system and forces the user to hard-reset. The second payload shares its traits with Kriz, Magistr and Bumerang: it attempts to damage the computer's BIOS by flashing it, rewriting its contents with random data and leaving the BIOS nonfunctional, so nothing may be displayed when the computer is started. If the motherboard does not support the second payload (for example, when the processor is a newer Pentium such as a Pentium Pro, Pentium II, III, 4 or later) or the BIOS write-protect jumper is enabled, the second payload fails and the computer completes its power-on self-test normally, but because CIH has overwritten the master boot record, Windows still fails to boot.

Executing CIH inside a virtual machine causes no damage to the host PC: the payload that overwrites the BIOS does not function in a virtual machine, although the MBR payload will still execute.

CIH only works on Windows 95, 98 or ME and does not work on NT-based kernels such as Windows 2000 onward, because the NT kernel does not allow applications direct access to the hardware, whereas Windows 95, 98 and ME do.

Removal

Fix-CIH can reconstruct the hard drive if the second payload failed. The user must boot from a Windows boot CD and run the utility; results vary by system. After the tool finishes and before rebooting, the system date must be set well before the payload activation date so that the payload does not trigger again on reboot.

Kill-CIH attempts to restore infected files from their original copies. Some files must be replaced in DOS mode because they are in use while Windows is running.

If not all files are cleaned, the user can either delete the unneeded infected files or boot from a Windows boot CD and copy clean files onto the drive to overwrite the infected ones.

Using Windows' Find application to search for the "*.vir" extension, the user can locate these files and choose to delete them.

Run a virus scan once again to check if the computer is CIH free.

Effects

In South Korea, it was estimated that as many as one million computers were affected, resulting in more than $250 million in damages. Computers at Boston College were infected and some were destroyed, many losing their information just before their final exams. 200 computers in Singapore and 100 in Hong Kong were infected with the virus, along with many others around the world. Ten major companies in India were also affected by the virus.

The virus first spread through pirated software in the summer of 1998. At least four pirate groups were infected during that summer. There were also unconfirmed reports that the virus appeared in a "PWA-cracked copy" of Windows 98.

From the summer of 1998 to the spring of 1999, several companies unintentionally released infected software. Origin Systems released an infected download related to its "Wing Commander" game. Three gaming magazines from Europe shipped CDs infected with CIH, and one even reportedly included a note informing users about the virus and suggesting they disinfect their computers after using the CD. Yamaha shipped an infected firmware upgrade for its CD-R400 drives. IBM Aptiva computers shipped with the virus pre-installed in March 1999.

Name

CIH takes its name from the initials of Chen Ing-Hau, its creator. Its other popular name, Chernobyl, comes largely from its payload trigger date, April 26, the same date as the Chernobyl nuclear disaster. The press may have used that name frequently because a reference to an infamous disaster has greater dramatic effect in a news report than three initials.

Antivirus Aliases

  • Virus Encyclopedia full name:
  • Avast!: Win95:CIH
  • Avira: W95/CIH.A
  • ClamAV: CIH.2
  • Doctor Web: Win95.CIH.1003
  • Eset: Win95/CIH
  • F-Prot: W32/CIH.1019.A
  • Grisoft: Win32/CIH
  • Kaspersky Lab: Virus.Win9x.CIH also known as: Win95.CIH
  • McAfee: W95/CIH.1019a
  • Panda: W95/CIH
  • RAV: Win95/CIH.1003
  • Bitdefender: Win95.CIH.Gen
  • Sophos: W95/CIH-10xx
  • Symantec: W95.CIH
  • Trend Micro: PE_CIH.1003
  • Vexira: Win95.CIH

Other Facts

Some have expressed skepticism over the virus's ability to destroy a computer's BIOS. There were no confirmed cases of a BIOS being destroyed as a result of CIH. One virus expert even speculated that the reports of BIOS corruption or destruction were a ploy to get people to discard perfectly good computers so that black market dealers could resell them. He also speculated that many alleged victims of the virus, all too eager to get rid of old computers, blamed the virus for minor problems and told management that they needed new equipment. The reported costs of the damage may actually have been spent on new computers and software rather than on repairs and lost work time.

The payload trigger date, April 26, 1999, was thought to commemorate the Chernobyl disaster; it actually coincides with Chen's birthday.

Variants of this virus appeared as late as 2002. One variant released in 2001 came attached to a VBS script that used social engineering, promising a picture of Jennifer Lopez, to encourage the user to open it.

  • CIH v1.2/CIH.1103: activates on April 26; contains the string CIH v1.2 TTIT
  • CIH v1.3/CIH.1010A and CIH1010.B: same as v1.2 but with the string CIH v1.3 TTIT
  • CIH v1.4/CIH.1019: activates on the 26th of any month
  • CIH.1049: activates on August 2

A worm version of CIH also exists, called Bumerang. Although Bumerang has a latency period between infection and payload, it attacks entire networks in an equally destructive manner.


Videos

  • A Better Explanation of "dat cih"
  • W95 CIH virus on Windows 98 with Dual BIOS
  • Video from Spoiledin: CIH Destroying a Physical Computer
  • Virus.Win9x.CIH CIH Windows Virus-0
  • Virus.Win9x.CIH - removal process
  • Virus.Win9x.CIH Destroying a Physical Computer
  • CIH virus review by danooct1
