cih virus

CIH, also known as Chernobyl or Spacefiller, is a computer virus written by Chen Ing Hau of Taiwan. On September 1998, Yamaha shipped a firmware update to their CD-R400 Drives that was infected with the virus. On October 1998, a demo version of the Activision game SiN that was propagated by users got infected due to contact with an infected file on a certain user's machine. That company's infection came from a group of Aptiva PC's shipped by IBM during March 1999 with the CIH virus pre-installed. The computers were shipped around a month before the CIH payload activated for the first time in the public eye on April 26, 1999. This was a catastrophic event, and an untold number of computers worldwide were affected with their hard drives being over-written with junk and even having their BIOS damaged, preventing the computer from being turned on. By April 26, 2000, much of the damage was happening in Asia, but the virus was not as widespread there. On March 2001, the Anjulie Worm was discovered. It drops CIH v1.2 into the system as part of its payload. Today, CIH is not as widespread as it once was due to awareness of the threat and the fact it only affects older Windows 9x operating systems. The virus made another comeback in 2001 when a variant of the Loveletter Worm in a VBS file containing a dropper routine for the CIH virus was circulated around the internet, disguised as a nude picture of Jennifer Lopez. A modified version of the virus called CIH.1106 was discovered in December 2002, but it is not a serious threat. CIH is considered a threat only if it infects programs used by mass-mailing computer worms, such as Klez, or if the Anjulie Worm comes into play. However, CIH only works on Windows 95, 98, and Windows Me, greatly limiting its effects.

Virus specifics

CIH spreads under the Portable Executable file format under Windows 95, Windows 98, and Windows ME. CIH does not spread under Windows NT, Windows 2000, or Windows XP. Due to the fact that CIH infects a Portable Executable file, it fills in the gaps of empty space commonly seen in PE files. Hence, that earned CIH another name, "Spacefiller". The size of the virus is 1 kilobyte, but files do not grow at all. It uses methods of jumping from processor ring 3 to 0 to hook system calls. The payload, which is considered extremely dangerous, first involves the virus overwriting the hard drive with junk, beginning at sector 0. This causes the machine to hang, and all data on the machine is lost. The second payload tries to overwrite the Flash BIOS with junk also. This routine will work on machines based on the Intel 430TX chipset, provided that the protection jumper is turned off. The aforementioned chipset allows writing to the Flash BIOS by a computer program. For the first payload, the hard disk can be sent to a company that can recover the data if it is extremely important, or in some cases the drives contents can be recovered using Fix CIH, a freeware program by Steve Gibson. Otherwise, one should run FDISK and repartition and reformat the hard drive. However, if the second payload goes off without a hitch, the computer will not start at all. A technician is required to reprogram or replace the Flash BIOS chip.