It was first discovered on June 25th, 1998 in Taiwan. According to the Taipei authorities, the CIH virus was written by Chen Ing-Hau, from whose initials its name is derived. It did most of its damage within a few months of the appearance of ExploreZip and Melissa. Contrary to popular belief, the payload trigger date was not based on the date of the Chernobyl nuclear disaster.
When a CIH-infected file is executed on a system, the virus becomes resident and infects every executable file that is subsequently accessed. It gains Ring 0 access and installs itself as a VxD driver with SYSTEM privileges by allocating one page of memory (1 KB, via the "VMMCALL _PageAllocate" function). It then calls "IFSMgr_InstallFileSystemApiHook", thereby hooking every file operation. Files infected by CIH may keep the same size as the original because of the virus's unusual infection method: rather than appending itself, it searches the file for empty, unused spaces.
It then breaks itself into smaller pieces and writes its code into these unused spaces instead of at the start or end of the file. Each virus-infected space is linked to the next with JMP instructions. Because the resident virus infects every executable the scanner opens, a single virus scan run without first using a disabling utility can infect many files on the system, so the virus spreads quickly.
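The cave-filling method described above is what a file-slack check looks for. The following is an added example, not code from this page or from any of the antivirus tools it names: a small Python heuristic that parses the PE section table and flags sections whose on-disk padding past VirtualSize contains non-zero bytes. The PE images it runs on are constructed inline for the test and are not real programs.

```python
import struct

def parse_sections(data: bytes):
    """Return (name, virtual_size, raw_size, raw_ptr) for each section of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                            # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, rsize, rptr))
    return sections

def slack_findings(data: bytes):
    """Flag sections whose on-disk padding (bytes past VirtualSize, up to SizeOfRawData) is not all zero.
    A linker leaves that gap zero-filled; a cave-filling infector does not."""
    findings = []
    for name, vsize, rsize, rptr in parse_sections(data):
        if rsize > vsize:
            slack = data[rptr + vsize:rptr + rsize]
            nonzero = len(slack) - slack.count(0)
            if nonzero:
                findings.append((name, len(slack), nonzero))
    return findings

def build_pe(sections):
    """Constructed minimal PE for testing: sections = [(name, virtual_size, raw_bytes)].
    Only the header fields the checker reads are meaningful; this is not a runnable program."""
    n = len(sections)
    hdr_len = 64 + 4 + 20 + 224 + 40 * n
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x102)
    table, body, ptr, va = b"", b"", hdr_len, 0x1000
    for name, vsize, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", vsize, va, len(raw), ptr) + bytes(16)
        body += raw
        ptr += len(raw)
        va += 0x1000
    return dos + b"PE\0\0" + coff + bytes(224) + table + body

# Constructed samples: a clean section with zero padding, and one whose padding holds stray code bytes.
CLEAN = build_pe([(b".text", 0x20, b"\xCC" * 0x20 + bytes(0x1E0))])
CAVED = build_pe([(b".text", 0x20, b"\xCC" * 0x20 + b"\x90\xE9" + bytes(0x1DE))])
```

This is a triage heuristic, not a signature: some linkers and packers legitimately leave data in section padding, so a finding is a reason to look closer, not a verdict.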
The virus has two payloads, both of which activate on April 26 of any year. The first payload overwrites the master boot record, making the operating system unbootable: it starts writing data at sector 0 and then enters an infinite loop that hangs the system, forcing the user to hard-reset it. This payload uses the VxD function "IOS_SendCommand" with specially crafted parameters. The second payload shares traits with other viruses such as Kriz, Magistr, and Bumerang: it attempts to damage the computer's BIOS. It does this by flashing the BIOS and overwriting its contents with random characters, leaving the BIOS nonfunctional. As a result, nothing may be displayed when the user starts the computer. However, if the motherboard does not support the second payload (for example, the processor is a newer Pentium-class part such as the Pentium Pro, II, III, 4 or later) or if the BIOS write-protect jumper is enabled on the motherboard, the second payload fails and the computer completes its power-on self test normally, but because CIH has overwritten the master boot record, Windows will still fail to boot.
If the virus is run inside a virtual machine, it causes no damage to the host computer. The payload that overwrites the BIOS does not function in a virtual machine, but the MBR payload will execute.
CIH only works on operating systems built on DOS-based kernels, such as Windows 95, 98 or ME, and does not work on NT-based kernels such as Windows 2000 onward. This is because NT-based kernels do not allow applications direct access to the hardware, whereas DOS-based kernels do. There may still be a chance of the BIOS being destroyed, however.
Fix-CIH is able to reconstruct the hard drive if the second payload fails. The user must boot from a Windows boot compact disc and run this utility. Results vary by system. After the tool finishes, and before the system is rebooted, the system date must be set to a date before the payload trigger date, April 26 of any year, so that the payload does not fire again on reboot.
Kill-CIH attempts to restore infected files from their original copies. Some files must be replaced in DOS mode, because they are in use by the operating system.
If not all files are cleaned, the user can either delete the unnecessary infected files or boot from a Windows boot compact disc and copy clean files onto the drive to overwrite the infected ones.
The user may also delete files by using the Find application to search for the .vir file extension.
Finally, run a virus scan once more to make sure that the computer is CIH-free.
In South Korea, it was estimated that as many as one million computers were affected, resulting in more than 250 million dollars in damages. Most computers at Boston College were infected and some were destroyed, with many students losing their data just before their final examinations. 200 computers in Singapore and 100 in Hong Kong were infected with the virus, along with many others around the world. Ten major companies in India were also affected by the virus.
The virus first spread through pirated software in the summer of 1998 when at least four pirate groups were also infected. There were also unconfirmed reports that the virus appeared in a "PWA-cracked copy" of Windows 98.
From the summer of 1998 to the spring of 1999, several companies unintentionally released software infected by the virus. The video game company Origin Systems unintentionally released an infected download related to its Wing Commander game. Three European gaming magazines shipped compact discs infected with the virus, and one reportedly even included a note informing users about the virus and advising them to disinfect their computers after using the disc. Yamaha shipped an infected firmware upgrade for its CD-R400 drives. IBM Aptiva computers shipped with the virus pre-installed in March 1999.
CIH takes its name from the initials of its author, Chen Ing-Hau. Its other popular name, Chernobyl, comes largely from its payload trigger date, April 26, which is the same date as the Chernobyl nuclear disaster. The name was probably favoured by the press because a reference to an infamous disaster has greater dramatic effect in a news report than three initials.
- Avast!: Win95:CIH
- Avira: W95/CIH.A
- ClamAV: CIH.2
- Dr. Web: Win95.CIH.1003
- ESET NOD32: Win95/CIH
- F-Prot: W32/CIH.1019.A
- Grisoft: Win32/CIH
- Kaspersky Lab: Virus.Win9x.CIH (also known as Win95.CIH)
- McAfee: W95/CIH.1019a
- Panda: W95/CIH
- RAV: Win95/CIH.1003
- Bitdefender: Win95.CIH.Gen
- Sophos: W95/CIH-10xx
- Symantec: W95.CIH
- Trend Micro: PE_CIH.1003
- Vexira: Win95.CIH
Some people have expressed skepticism about the virus's ability to destroy a computer's BIOS. There are currently two confirmed reports of a BIOS being destroyed by the virus, neither of them in the wild: one researcher managed to get the virus to destroy a BIOS in a lab test, and the YouTuber danooct1 has uploaded a video of the BIOS payload in action. One virus expert even speculated that the reports of BIOS corruption or destruction were a scheme to get people to discard perfectly good computers so that black market dealers could resell them. He also speculated that many alleged victims of the virus, all too eager to get rid of old computers, blamed the virus for minor problems and told management that they needed new equipment. The reported costs of the damage may therefore have been spent on new computers and software rather than on repairs and lost work or time.
The payload trigger date, April 26, was thought to commemorate the Chernobyl nuclear disaster. It actually coincides with the author's birthday.
Variants of this virus appeared as late as 2002. One variant released in 2001 came attached to a VBS script that used social engineering, promising a picture of Jennifer Lopez to encourage the user to open it. Other variants include:
- CIH v1.2/CIH.1103 activates on April 26 and contains the string "CIH v1.2 TTIT"
- CIH v1.3/CIH.1010.A and CIH.1010.B are similar to the previous variant, but contain the string "CIH v1.3 TTIT"
- CIH v1.4/CIH.1019 activates on the 26th of any month
- CIH.1049 activates on August 2 of any year
A worm variant of the virus, called Bumerang, also exists. Although Bumerang has a latency period between infection and payload, it attacks entire networks in an equally destructive manner.