Virus.Win9x.CIH or CIH, also known as Chernobyl or Spacefiller, is a virus on Microsoft Windows. It can only affect Windows 9x operating systems and does not affect NT-based operating systems (Windows NT 4.0, 2000, XP and higher).
It was first discovered on June 25, 1998 in Taiwan. According to the Taipei authorities, Chen Ing Hau wrote the CIH virus. The name of the virus derived from his initials. It did most of its damage within a few months of ExploreZip and Melissa's appearance. Contrary to the popular belief, the payload trigger date was not based off of Chernobyl nuclear disaster date.
When a CIH-infected file is executed on a system, the virus becomes resident, it infects every executable file accessed. The files infected by CIH may have the same size as the original files, due to the unique infection mode of CIH. The virus searches for empty, unused spaces in the file. Next, it breaks itself up into smaller pieces and inserts its code into these unused spaces. Due to this, without running a disabling utility, a single virus scan can infect multiple files in the system.
CIH has two payloads which activate on April 26. The first payload overwrites the hard drive with random data, starting at sector 0, using an infinite loop until the system hangs or crashes. This makes it impossible to boot from the hard drive. It may be impossible to recover some of the data on the disk. The second payload nearly shares its traits with Kriz, Magistr, and Bumerang - it tries to cause permanent damage to the computer. This payload attacks the Flash BIOS and tries to corrupt the data stored there by filling them with garbage if the computer supports it via older Pentium-based processors. As a result, nothing may be displayed when the user starts the computer. If the chip-set does not support the second payload (for example, the processor is newer Pentium or up like Pentium Pro, 2, 3, 4, or up) or if the BIOs write protect jumper is enabled on the motherboard, then the second payload will fail and the computer will still be bootable, but almost all data will be removed as the computer will say "Missing operating system" or similar error when booted.
The host files on a computer are safe in virtual machines, but the virtual machine will be damaged and can be rendered unbootable if the second payload succeeds.
The virus can only spread on Windows 9x (95, 98, and ME) systems, and is no longer common as the result. Any other OS will not be affected by this virus, as on April 26, the virus does nothing on infected files.
Fix-CIH is able to reconstruct the hard drive if the second payload fails. The user must boot from a Windows Boot CD and run this utility. Results will vary on system. After the tool finishes, before the user reboots the system, the date must be set to (far away) before the payload activation to prevent the payload happening again on reboot.
Kill-CIH will need to be run from command line. It will be able to deactivate. The user can run a virus scan to fix the remaining files.
If not all files are cleaned, the user can either delete the unneeded infected files or boot into a Windows Boot CD and copy the files in the drive to overwrite the infected one.
Using Find is recommended with "*.vir" then deleting all the files found on the drive.
Run a virus scan again and the system should be completely clean. Set time back to normal. You may then delete the virus if it is still there.
In Korea, it was estimated that as many as one million computers were affected, resulting in more than $250 million in damages. Computers at Boston College were infected and some were destroyed, many losing their information just before their final exams. 200 computers in Singapore and 100 in Hong Kong were infected with the virus, along with many others around the world. Ten major companies in India were also affected by the virus.
The virus first spread through pirated software in the summer of 1998. At least four pirate groups were infected during that summer. There were also unconfirmed reports that the virus appeared in a "PWA-cracked copy" of Windows 98.
From summer of 1998 to spring of 1999, several companies unintentionally released infected software. Origin systems released a download related to its "Wing Commander" game which was infected. Three gaming magazines from Europe shipped CDs infected with the CIH and one even reportedly included a note informing users about the virus and suggesting they disinfect their computers after using the CD. Yamaha shipped an infected firmware upgrade for their CD-R400 drives. IBM Aptiva computers came with the virus pre-installed in 1999 March.
CIH takes its name from the initials of Chen Ing-Hau, its creator. Its other popular name, Chernobyl comes largely from its payload trigger date, April 26, the same date as the Chernobyl nuclear disaster. It may have been used frequently by the press, as a reference to an infamous disaster would probably have greater dramatic effect in a news report than three initials.
- Virus Encyclopedia full name:
- Avast!: Win95:CIH
- Avira: W95/CIH.A
- ClamAV: CIH.2
- Doctor Web: Win95.CIH.1003
- Eset: Win95/CIH
- F-Prot: W32/CIH.1019.A
- Grisoft: Win32/CIH
- Kaspersky Lab: Virus.Win9x.CIH also known as: Win95.CIH
- McAfee: W95/CIH.1019a
- Panda: W95/CIH
- RAV: Win95/CIH.1003
- Bitdefender: Win95.CIH.Gen
- Sophos: W95/CIH-10xx
- Symantec: W95.CIH
- Trend Micro: PE_CIH.1003
- Vexira: Win95.CIH
Some have expressed skepticism over the virus's ability to destroy a computer's BIOS. There were no confirmed cases of a BIOS being destroyed as a result of CIH. One virus expert even speculated that the reports of BIOS corruption or destruction was a ploy to get people to discard perfectly good computers in order for them to be resold by black market dealers. He also speculated that many alleged victims of the virus, all too eager to get rid of old computers, blamed the virus for minor problems and told the management that they needed new equipment. The reported costs of damage may have actually been in new computers and software rather than repairs and lost work/time.
The Payload Trigger, April 26 1999, was thought to commemorate the Chernobyl disaster. It actually coincides with Chen's Birthday.
Variants of this virus have come out as late as 2002. One variant released in 2001 was attached with a VBS script that used social engineering in the form of promising a picture of Jennifer Lopez to encourage the user to open it.
- CIH v1.2/CIH.1103: Activates on April 26, contains string CIH v1.2 TTIT
- CIH v1.3/CIH.1010A and CIH1010.B: CIH v1.2 with string CIH v1.3 TTIT
- CIH v1.4/CIH.1019: Activates on the 26th of any month.
- CIH.1049: Activates on August 2
A Worm version of CIH also exists, called Bumerang. Although Bumerang has a latency period between infection and payload, it attacks entire networks in an equally destructive manner.
MSNBC. ZDnet, CIH Virus Finds New Victims. 1999.04.26
Motoaki Yamamura. Symantec.com W95.CIH
Greg Sandoval, CNet. ZDNet, Virus Dresses up as Naked Jennifer Lopez. 2001.06.01
Thor Olavsrud. InternetNews, Promises of Jennifer Lopez Nude Deliver Destructive Virus 2001.06.01
Rob Rosenberger. Vmyths.com, 'The mother of all viruses,' part 2. 1998.08.15
-.-, Another urban legend in the making. 1999.04.29
F-Secure Antivirus, CIH