[Image: Antivirus intercept message on a Windows 95 system]
CIH, also known as Chernobyl or Spacefiller, is a Microsoft Windows 9x computer virus that first emerged in 1998. Its payload is highly destructive to vulnerable systems, overwriting critical information on infected system drives and, in some cases, destroying the system BIOS. The virus was created by Chen Ing-hau (陳盈豪, pinyin: Chén Yíngháo), a student at Tatung University in Taiwan.[1] It was believed to have infected sixty million computers internationally, resulting in an estimated NT$1 billion (ca. US$40,000,000) in commercial damages.[1]
Chen claimed to have written the virus as a challenge against bold claims of antiviral efficiency by antivirus software developers.[2] Chen stated that after classmates at Tatung University spread the virus, he apologized to the school and made an antivirus program available for public download. Weng Shi-hao (翁世豪), a student at Tamkang University, co-authored the antivirus program.[2] Prosecutors in Taiwan could not charge Chen at the time because no victims came forward with a lawsuit.[3] Nevertheless, these events led to new computer crime legislation in Taiwan.[2]
The name "Chernobyl Virus" was coined some time after the virus was already well known as CIH. It refers to a pure coincidence: the payload trigger date of some variants, April 26, is the date on which the virus was created in 1998 (it was set to trigger exactly one year later), and it is also the anniversary of the Chernobyl disaster, which happened in the Soviet Union on April 26, 1986.[4]
The name "Spacefiller" refers to the infection method. Most viruses append their code to the end of the infected file, so infected files can be detected by their increased size. CIH instead looks for gaps in the existing program code and writes its code into them, so the file size does not change and the infection escapes that check.[4]
The virus first emerged in 1998. In July 1998, a demo version of the first-person shooter game Sin was infected by one of its mirror sites.[7] In March 1999, several thousand IBM Aptivas shipped with the CIH virus,[5] just one month before the virus would trigger. In July 1999, copies of the remote administration tool Back Orifice 2000 given out to DEF CON 7 attendees were discovered by the organizers to have been infected with CIH.[6] On December 31, 1999, Yamaha shipped a software update for its CD-R400 drives that was infected with the virus.
CIH's dual payload was delivered for the first time on April 26, 1999, with most of the damage occurring in Asia.[8] CIH filled the first 1024 KB of the host's boot drive with zeros and then attacked certain types of BIOS. Both payloads served to render the host computer inoperable, and for most ordinary users the virus effectively destroyed the PC. Technically, however, it was possible to replace the BIOS chip,[citation needed] and methods for recovering hard disk data emerged later.[citation needed]
The virus made another comeback in 2001, when a variant of the LoveLetter worm, a VBS file containing a dropper routine for CIH, circulated around the internet under the guise of a nude picture of Jennifer Lopez.
A modified version of the virus called CIH.1106 was discovered in December 2002, but it is not widespread and only affects Windows 9x-based systems.[9]
CIH spreads through the Portable Executable (PE) file format on the Windows 9x-based operating systems: Windows 95, 98 and ME. It does not spread under Windows NT-based operating systems, nor under Win16-based operating systems such as Windows 3.x or below.[10]
CIH infects Portable Executable files by splitting the bulk of its code into small slivers inserted into the inter-section gaps commonly seen in PE files (the alignment padding between the end of one section's data and the start of the next), and by writing a small re-assembly routine and a table of its code slivers' locations into unused space in the tail of the PE header. This earned CIH its other name, "Spacefiller". The virus is around 1 kilobyte in size, but because of its multiple-cavity infection method, infected files do not grow at all. To hook system calls it jumps from processor ring 3 to ring 0: on Windows 9x the interrupt descriptor table is writable from user mode, so the virus redirects an interrupt entry to its own code and raises that interrupt; running in ring 0 it then hooks the file system API so that executables are infected as they are opened.
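The cavities that a spacefiller uses can be computed from the PE headers alone, which is also how a scanner checks whether they have been filled. The following added Python example (not code from the page or from any analysis it cites) constructs a minimal two-section PE32 skeleton, lists the unused header tail and every inter-section gap together with the number of non-zero bytes in each, and then plants marker bytes into those gaps without changing the file size, so the scanner can be seen flagging populated slack. The layout values and all function names are the example's own assumptions.

```python
import struct

# Constructed sample geometry: FileAlignment 0x200 means each section's raw data
# is padded beyond its VirtualSize, leaving the gaps a cavity infector can use.
FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000

def build_sample_pe():
    """Build a minimal PE32 skeleton (headers + two padded sections, no real code)."""
    opt = bytearray(0xE0)                              # PE32 optional header
    struct.pack_into('<H', opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into('<I', opt, 28, 0x400000)          # ImageBase
    struct.pack_into('<I', opt, 32, SECTION_ALIGN)     # SectionAlignment
    struct.pack_into('<I', opt, 36, FILE_ALIGN)        # FileAlignment
    struct.pack_into('<I', opt, 56, 0x3000)            # SizeOfImage
    struct.pack_into('<I', opt, 60, FILE_ALIGN)        # SizeOfHeaders
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b'.text', 0x310, 0x1000, 0x400, 0x200),
        (b'.data', 0x120, 0x2000, 0x200, 0x600),
    ]
    sect_tab = b''.join(
        struct.pack('<8sIIIIIIHHI', n, vs, va, rs, pr, 0, 0, 0, 0, 0x60000020)
        for n, vs, va, rs, pr in sections)
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    headers = bytes(dos) + b'PE\0\0' + coff + bytes(opt) + sect_tab
    image = bytearray(max(pr + rs for _, _, _, rs, pr in sections))
    image[:len(headers)] = headers                     # header tail stays zero
    for _, vs, _, rs, pr in sections:
        image[pr:pr + vs] = b'\x90' * vs               # "content" fills VirtualSize only
    return bytes(image)

def find_cavities(data):
    """Return [(label, file_offset, length, nonzero_bytes)] for the unused tail of
    the headers and for each section's padding between VirtualSize and SizeOfRawData."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ file')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('no PE signature')
    nsect = struct.unpack_from('<H', data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    size_of_headers = struct.unpack_from('<I', data, opt + 60)[0]
    sect_tab = opt + opt_size
    sect_end = sect_tab + 40 * nsect
    regions = [('headers', sect_end, size_of_headers - sect_end)]
    for i in range(nsect):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from('<8sIIII', data, sect_tab + 40 * i)
        used = min(vsize, rawsize)          # a .bss-like section has no slack on disk
        regions.append((name.rstrip(b'\0').decode(), rawptr + used, rawsize - used))
    out = []
    for label, off, length in regions:
        if length > 0:
            slack = data[off:off + length]
            out.append((label, off, length, length - slack.count(0)))
    return out

def plant_marker(data, payload):
    """Scatter `payload` over the cavities in file order, as a spacefiller does,
    leaving the file size unchanged. Returns (new_bytes, bytes_that_did_not_fit)."""
    image = bytearray(data)
    pos = 0
    for _label, off, length, _nz in find_cavities(data):
        chunk = payload[pos:pos + length]
        image[off:off + len(chunk)] = chunk
        pos += len(chunk)
    return bytes(image), len(payload) - pos

if __name__ == '__main__':
    pe = build_sample_pe()
    print('clean  :', find_cavities(pe))
    planted, left = plant_marker(pe, b'\xcc' * 300)
    print('planted:', find_cavities(planted), 'size unchanged:', len(planted) == len(pe))
```

A clean, linker-produced file normally has all-zero slack, so non-zero bytes in these regions are a cheap first-pass indicator worth combining with entry-point checks; the example deliberately uses marker bytes rather than any executable content.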
The payload, which is considered extremely dangerous, first overwrites the first megabyte (1024 KB) of the hard drive with zeroes, beginning at sector 0. This destroys the master boot record and the partition table it contains, and may cause the machine to hang or show the blue screen of death.
The second payload tries to write to the flash BIOS. On BIOSes that the virus can successfully write to, critical boot-time code is replaced with junk. This routine only works on some machines. Much emphasis has been put on motherboards based on the Intel 430TX chipset, but by far the most important variable in CIH's success in writing to a machine's BIOS is the type of flash ROM chip in the machine. Different flash ROM chips (or chip families) require different write-enable sequences specific to those chips. CIH makes no attempt to identify the flash ROM type in its victim and carries only one write-enable sequence, so it succeeds only on chips that happen to accept that sequence.
For the first payload, any information that the virus has overwritten with zeros is lost. If the first partition is FAT32 and larger than about one gigabyte, its first FAT copy is itself about a megabyte or more (with the default 4 KB clusters a 1 GB volume has roughly 256K clusters with 4-byte FAT entries), so the zeroed region ends inside the first FAT and the second copy lies beyond it. All that is overwritten is then the MBR, the partition table, the boot sector of the first partition (together with its backup copy in the reserved sectors, which also lies within the first megabyte) and the first copy of the FAT. The MBR and boot sectors can be replaced with copies of the standard versions, the partition table can be rebuilt by scanning the entire drive, and the first copy of the FAT can be restored from the second copy. This means a complete recovery with no loss of user data can be performed automatically by a tool like Fix CIH.
If the first partition is not FAT32, or is smaller than about 1 GB, the bulk of the user data on that partition is still intact, but without the root directory and the FAT it is difficult to locate, especially if the partition was significantly fragmented.
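The recovery argument above can be checked on a constructed disk image. The following added Python example (not Fix CIH or any code from the page) builds a single FAT32 partition at LBA 63 with two 1 MiB FAT copies (the FAT size a roughly 1 GB volume carries), zeroes the first megabyte exactly as the first payload leaves the drive, then locates the surviving second FAT by scanning for its signature, copies it back over the first FAT, and rewrites the MBR and boot sectors from standard values. The partition start, reserved-sector count and cluster size are assumed to be the defaults rather than recovered from the disk (a real tool would have to infer them), and the data area is shrunk to a few clusters to keep the image small; all names are the example's own.

```python
import struct

SECTOR = 512
MIB = 1024 * 1024
# Constructed geometry (assumed defaults): partition at LBA 63, 32 reserved sectors,
# two FATs of 2048 sectors (1 MiB each) so that FAT2 lies past the zeroed megabyte.
# DATA_SECTORS is deliberately tiny; a real ~1 GB volume would have ~2M data sectors.
PART_START, RESERVED, FAT_SECTORS, SEC_PER_CLUSTER, DATA_SECTORS = 63, 32, 2048, 8, 64

def make_mbr(part_start, part_sectors):
    """Standard MBR with a single active FAT32-LBA (type 0x0C) entry; CHS fields zero."""
    mbr = bytearray(SECTOR)
    struct.pack_into('<B3sB3sII', mbr, 446, 0x80, b'\0\0\0', 0x0C, b'\0\0\0', part_start, part_sectors)
    mbr[510:512] = b'\x55\xAA'
    return bytes(mbr)

def make_boot_sector(part_start, part_sectors, reserved, fat_sectors, sec_per_cluster):
    """Standard FAT32 boot sector with a BIOS Parameter Block for the given geometry."""
    bs = bytearray(SECTOR)
    bs[0:3], bs[3:11] = b'\xEB\x58\x90', b'MSWIN4.1'
    # BytesPerSec, SecPerClus, RsvdSecCnt, NumFATs, RootEntCnt, TotSec16, Media,
    # FATSz16, SecPerTrk, NumHeads, HiddSec, TotSec32
    struct.pack_into('<HBHBHHBHHHII', bs, 11, SECTOR, sec_per_cluster, reserved, 2, 0, 0,
                     0xF8, 0, 63, 255, part_start, part_sectors)
    # FATSz32, ExtFlags, FSVer, RootClus=2, FSInfo sector 1, backup boot sector 6
    struct.pack_into('<IHHIHH', bs, 36, fat_sectors, 0, 0, 2, 1, 6)
    bs[82:90], bs[510:512] = b'FAT32   ', b'\x55\xAA'
    return bytes(bs)

def build_volume():
    """Constructed healthy image: MBR, boot sector + backup, two identical FATs, data."""
    part_sectors = RESERVED + 2 * FAT_SECTORS + DATA_SECTORS
    img = bytearray((PART_START + part_sectors) * SECTOR)
    img[:SECTOR] = make_mbr(PART_START, part_sectors)
    bs = make_boot_sector(PART_START, part_sectors, RESERVED, FAT_SECTORS, SEC_PER_CLUSTER)
    img[PART_START * SECTOR:(PART_START + 1) * SECTOR] = bs
    img[(PART_START + 6) * SECTOR:(PART_START + 7) * SECTOR] = bs     # backup boot sector
    fat = bytearray(FAT_SECTORS * SECTOR)
    # entries 0-1: media/EOC markers; 2: root directory (one cluster); 3 -> 4 -> EOC: a file
    struct.pack_into('<5I', fat, 0, 0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF, 4, 0x0FFFFFFF)
    fat1 = (PART_START + RESERVED) * SECTOR
    img[fat1:fat1 + len(fat)] = fat
    img[fat1 + len(fat):fat1 + 2 * len(fat)] = fat
    cluster3 = (PART_START + RESERVED + 2 * FAT_SECTORS + SEC_PER_CLUSTER) * SECTOR
    img[cluster3:cluster3 + 16] = b'user data intact'                 # file content
    return img

def zero_first_megabyte(img):
    """Damage model: the first payload leaves sectors 0..2047 filled with zeros."""
    img[:MIB] = bytes(MIB)
    return img

def find_fat2(img):
    """Scan past the zeroed megabyte for the start of a FAT32 table: entry 0 carries the
    media byte 0xF8, entry 1 is an end-of-chain marker (high 4 bits are reserved)."""
    for lba in range(MIB // SECTOR, len(img) // SECTOR):
        e0, e1 = struct.unpack_from('<II', img, lba * SECTOR)
        if (e0 & 0x0FFFFFFF) == 0x0FFFFFF8 and (e1 & 0x0FFFFFFF) >= 0x0FFFFFF8:
            return lba
    return None

def recover(img, part_start=PART_START, reserved=RESERVED, sec_per_cluster=SEC_PER_CLUSTER):
    """Rebuild MBR, boot sectors and FAT1 in place; returns the derived FAT size in sectors."""
    fat2 = find_fat2(img)
    if fat2 is None:
        raise ValueError('no surviving FAT copy: volume too small for this recovery')
    fat1 = part_start + reserved
    fat_sectors = fat2 - fat1
    # Whatever part of FAT1 lay beyond the zeroed megabyte must still equal FAT2.
    tail = max(MIB // SECTOR, fat1)
    if img[tail * SECTOR:fat2 * SECTOR] != img[(tail + fat_sectors) * SECTOR:(fat2 + fat_sectors) * SECTOR]:
        raise ValueError('FAT copies disagree: geometry assumption is wrong')
    img[fat1 * SECTOR:fat2 * SECTOR] = img[fat2 * SECTOR:(fat2 + fat_sectors) * SECTOR]
    part_sectors = len(img) // SECTOR - part_start        # single partition to end of disk
    img[:SECTOR] = make_mbr(part_start, part_sectors)
    bs = make_boot_sector(part_start, part_sectors, reserved, fat_sectors, sec_per_cluster)
    img[part_start * SECTOR:(part_start + 1) * SECTOR] = bs
    img[(part_start + 6) * SECTOR:(part_start + 7) * SECTOR] = bs
    return fat_sectors

if __name__ == '__main__':
    damaged = zero_first_megabyte(build_volume())
    print('FAT2 found at LBA', find_fat2(damaged), '; FAT size', recover(damaged), 'sectors')
    print('identical to healthy image:', bytes(damaged) == bytes(build_volume()))
```

The consistency check before copying is what makes the geometry assumption safe to act on: if the partition start or reserved count were wrong, the surviving tail of FAT1 would not line up with FAT2 and the tool should stop rather than write. With a smaller volume the scan finds no intact FAT copy and the function refuses, which is the case the paragraph above describes.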
If the second payload executes successfully, the computer will not start at all. Reprogramming or replacement of the Flash BIOS chip is then required, as most systems that CIH can affect predate BIOS restoration features.
| Moniker | Description |
|---|---|
| CIH v1.2 / CIH.1003 | This variant is the most common one and activates on April 26. It contains the string: CIH v1.2 TTIT |
| CIH v1.3 / CIH.1010.A and CIH.1010.B | This variant also activates on April 26. It contains the string: CIH v1.3 TTIT |
| CIH v1.4 / CIH.1019 | This variant activates on the 26th of any month. It contains the string: CIH v1.4 TATUNG |
| CIH.1049 | This variant activates on August 2 instead of April 26. |