It was first discovered on June 25th, 1998 in Taiwan. According to the Taipei authorities, an individual named Chen Ing-Hau wrote this malware. It did most of its damage within a few months of ExploreZip and Melissa's appearance. Contrary to popular belief, the payload trigger date was not based off of the Chernobyl nuclear disaster date.
When a CIH-infected file is executed on a system, the virus becomes resident as it infects every executable file that is accessed. It will register itself as a driver to avoid easy disinfection methods. The files infected by CIH often have the same size as the uninfected copy due to how it infects files - the virus first searches for continuous blocks of empty or unused space in the file large enough to hold its code (hence the nickname Spacefiller.) If no suitable amount of space is found, CIH will retry the search, but look for enough total space to hold its code in certain size chunks. If this check also fails, it will perform common infection behavior (append itself to the end of the file, add a jump to the appended code at the very beginning of the file.)
As CIH hooks all file access methods (aside from raw disk access,) if one runs antivirus software and performs a scan, all EXEs on the system that are scanned are infected. Some AV products, such as ClamWin, may take long enough to examine EXEs that CIH will have finished infecting the file before ClamWin moves on to the next file, leading to a scan suddenly finding every EXE on the system to be infected.
The virus has two payloads, and both of them activate on April 26 of any year. The first payload overwrites the Master Boot Record, the partition table and the file allocation table. The second payload attempts to overwrite the computer's BIOS. As a result, on subsequent startups hardware is never initialized and an OS is never looked for, so the computer is rendered unusable until either the BIOS chip is physically replaced with a compatible, working BIOS chip or the motherboard is replaced. However, if the motherboard does not support the second payload, a hardware incompatibility is present (for example, some processors do not support this behavior, mainly some Pentium 2 and 3 CPUs and all Pentium 4 and higher processors) or if the BIOS write-protect jumper is enabled on the motherboard, then the second payload will fail and the computer will be able to boot after Windows is either recovered or reinstalled.
NOTE: As virtual machines virtualize an entire computer, CIH cannot break out of modern VM software (aside from older versions of 86box, to a limited extent) and therefore cannot infect or otherwise damage a physical machine when run in a VM.
CIH only runs properly on Win9x-based OSes, as WinNT-based OSes do not have the lax security required for the malware to access hardware at a low level. However, CIH may still be able to infect files on some older NT-based OSes (and possibly ReactOS.)
Fix-CIH is able to undo damage done to a Windows installation in some situations. This would allow you to access your files, however this program does not disinfect a system. Care should be taken to not reactivate the payload after running this program.
Kill-CIH attempts to restore infected files to their original states by removing known pieces of CIH from EXEs. It is recommended that this utility be run from an MS-DOS boot disc or a Windows Boot or Setup Disc, as files may not be able to be cleaned if Windows is using them.
If not all files are able to be cleaned, the user can either delete the infected files or boot from a Windows Setup disc and copy clean files from said disc on top of the infected ones.
Finally, run a virus scan once again in order to ensure that the computer is CIH-free.
In South Korea, it was estimated that as many as one million computers were affected, resulting in more than 250 million dollars in damages. Most computers at Boston College were infected and some were destroyed. Many students lost their information just before their final examinations. 200 computers in Singapore and 100 in Hong Kong were infected with the virus, along with many others around the world. Ten major companies in India were also affected by the virus.
The virus first spread through pirated software in the summer of 1998 when at least four pirate groups were infected. There were also unconfirmed reports that the virus appeared in a "PWA-cracked copy" of Windows 98.
From summer of 1998 to spring of 1999, several companies unintentionally released software infected by the virus. A video game company known as Origin Systems unintentionally released an infected download related to its Wing Commander game. Three gaming magazines from Europe shipped compact demo discs infected with the virus and one even reportedly included a note informing users about the virus and suggesting that they must disinfect their computers after using the compact disc. Yamaha shipped an infected firmware upgrade for their CD-R400 drives. IBM Aptiva computers came with the virus pre-installed in March 1999.
CIH takes its name from both the initials of its author, Chen Ing-Hau, and from comments left in some EXEs upon infection. Its other popular name, Chernobyl, comes largely from its payload trigger date, April 26, which is the same date as the Chernobyl nuclear disaster. The name may have been used frequently by the press, as a reference to an infamous disaster would probably have greater dramatic effect in a news report than three initials.
The name Spacefiller comes from the virus' primary infection behavior of injecting its code in empty space in EXEs. This behavior is meant to help hide its presence, as infections may be noticed if file sizes suddenly change.
- Avast!: Win95:CIH
- Avira: W95/CIH.A
- ClamAV: CIH.2
- Dr. Web: Win95.CIH.1003
- ESET NOD32: Win95/CIH
- F-Prot: W32/CIH.1019.A
- Grisoft: Win32/CIH
- Kaspersky Lab: Virus.Win9x.CIH
- McAfee: W95/CIH.1019a
- Panda: W95/CIH
- RAV: Win95/CIH.1003
- Bitdefender: Win95.CIH.Gen
- Sophos: W95/CIH-10xx
- Symantec: W95.CIH
- Trend Micro: PE_CIH.1003
- Vexira: Win95.CIH
- Wikipedia Article, https://en.wikipedia.org/wiki/CIH_(computer_virus)
- MSNBC. ZDnet, CIH Virus Finds New Victims. 1999.04.26
- Motoaki Yamamura. Symantec.com W95.CIH
- Greg Sandoval, CNet. ZDNet, Virus Dresses up as Naked Jennifer Lopez. 2001.06.01
- Thor Olavsrud. InternetNews, Promises of Jennifer Lopez Nude Deliver Destructive Virus 2001.06.01
- Rob Rosenberger. Vmyths.com, 'The mother of all viruses,' part 2. 1998.08.15
- -.-, Another urban legend in the making. 1999.04.29
- F-Secure Antivirus, CIH