CIH (computer virus)

Last updated February 01, 2024

CIH, also known as Chernobyl or Spacefiller, is a Microsoft Windows 9x computer virus that first emerged in 1998. Its payload is highly destructive to vulnerable systems, overwriting critical information on infected system drives and, in some cases, destroying the system BIOS. The virus was created by Chen Ing-hau (陳盈豪, pinyin: Chén Yíngháo), a student at Tatung University in Taiwan.^[1] It was believed to have infected sixty million computers internationally, resulting in an estimated NT$ 1 billion (US$ 35,801,231.56) in commercial damages.^[1]

Chen claimed to have written the virus as a challenge against bold claims of antiviral efficiency by antivirus software developers.^[2] Chen stated that after classmates at Tatung University spread the virus, he apologized to the school and made an antivirus program available for public download. Weng Shi-hao (翁世豪), a student at Tamkang University, co-authored with the antivirus program.^[2] Prosecutors in Taiwan could not charge Chen at the time because no victims came forward with a lawsuit.^[3] Nevertheless, these events led to new computer crime legislation in Taiwan.^[2]

The name "Chernobyl Virus" was coined sometime after the virus was already well known as CIH and refers to the complete coincidence of the payload trigger date in some variants of the virus (actually the virus creation date in 1998, to trigger exactly a year later) and the Chernobyl disaster, which happened in the Soviet Union on April 26, 1986.^[4]

The name "Spacefiller" was introduced because most viruses write their code to the end of the infected file, with infected files being detectable because their file size increases. In contrast, CIH looks for gaps in the existing program code, where it then writes its code, preventing an increase in file size; in that way, the virus avoids detection.^[4]

History

The virus first emerged in 1998. In March 1999, several thousand IBM Aptivas shipped with the CIH virus,^[5] just one month before the virus would trigger. In July 1999, copies of remote administration tool Back Orifice 2000 given out to DEF CON 7 attendees were discovered by the organizers to have been infected with CIH.^[6] On December 31, 1999, Yamaha shipped a software update to their CD-R400 drives that was infected with the virus. In July 1998, a demo version of the first-person shooter game SiN was infected by one of its mirror sites.^[7]

CIH's dual payload was delivered for the first time on April 26, 1999, with most of the damage occurring in Asia.^[8] CIH filled the first 1024 KB of the host's boot drive with zeros and then attacked certain types of BIOS. Both of these payloads served to render the host computer inoperable, and for most ordinary users, the virus essentially destroyed the PC. Technically, however, it was possible to replace the BIOS chip, and methods for recovering hard disk data emerged later.

Today, CIH is not as widespread as it once was, due to awareness of the threat and the fact that it only affects older Windows 9x (95, 98, ME) operating systems.

The virus made another comeback in 2001 when a variant of the LoveLetter Worm in a VBS file that contained a dropper routine for the CIH virus was circulated around the internet under the guise of a nude picture of Jennifer Lopez.

A modified version of the virus called CIH.1106 was discovered in December 2002, but it is not widespread and only affects Windows 9x-based systems.^[9]

Virus specifics

CIH spreads under the Portable Executable file format under the Windows 9x-based operating systems, Windows 95, 98, and ME. CIH does not spread under Windows NT-based operating systems nor Win16-based operating systems such as Windows 3.x or below. ^[10]

CIH infects Portable Executable files by splitting the bulk of its code into small slivers inserted into the inter-section gaps commonly seen in PE files and writing a small re-assembly routine and table of its own code segments' locations into unused space in the tail of the PE header. This earned CIH another name, "Spacefiller". The size of the virus is around 1 kilobyte, but due to its novel multiple-cavity infection method, infected files do not grow at all. It uses methods of jumping from processor ring 3 to 0 to hook system calls.

The payload, which is considered extremely dangerous, first involves the virus overwriting the first megabyte (1024KB) of the hard drive with zeroes, beginning at sector 0. This deletes the contents of the partition table, and may cause the machine to hang or cue the blue screen of death.

The second payload tries to write to the Flash BIOS. BIOSes that can be successfully written to by the virus have critical boot-time codes replaced with junk. This routine only works on some machines. Much emphasis has been put on machines with motherboards based on the Intel 430TX chipset, but by far the most important variable in CIH's success in writing to a machine's BIOS is the type of Flash ROM chip in the machine. Different Flash ROM chips (or chip families) have different write-enable routines specific to those chips. CIH makes no attempt to test for the Flash ROM type in its victim machines and has only one write-enable sequence.

For the first payload, any information that the virus has overwritten with zeros is lost. If the first partition is FAT32, and over about one gigabyte, all that will get overwritten is the MBR, the partition table, the boot sector of the first partition and the first copy of the FAT of the first partition. The MBR and boot sectors can simply be replaced with copies of the standard versions; the partition table can be rebuilt by scanning over the entire drive and the first copy of the FAT can be restored from the second copy. This means a complete recovery with no loss of user data can be performed automatically by a tool like Fix CIH.

If the first partition is not FAT32 or is smaller than 1 GB, the bulk of user data on that partition will still be intact, but without the root directory and FAT it will be difficult to find it, especially if there is significant fragmentation.

If the second payload executes successfully, the computer will not start at all. Reprogramming or replacement of the Flash BIOS chip is then required, as most systems that CIH can affect predate BIOS restoration features.

Variants

Moniker	Description
CIH v1.2/CIH.1003	This variant is the most common one and activates on April 26. It contains the string: CIH v1.2 TTIT
CIH v1.3/CIH.1010.A and CIH1010.B	This variant also activates on April 26. It contains the string: CIH v1.3 TTIT
CIH v1.4/CIH.1019	This variant activates on the 26th of any month. It contains the string CIH v1.4 TATUNG.
CIH.1049	This variant activates on August 2 instead of April 26.

Related Research Articles

In computing, BIOS is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process. The BIOS firmware comes pre-installed on an IBM PC or IBM PC compatible's system board and exists in some UEFI-based systems to maintain compatibility with operating systems that do not support UEFI native operation. The name originates from the Basic Input/Output System used in the CP/M operating system in 1975. The BIOS originally proprietary to the IBM PC has been reverse engineered by some companies looking to create compatible systems. The interface of that original system serves as a de facto standard.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

Disk partitioning or disk slicing is the creation of one or more regions on secondary storage, so that each region can be managed separately. These regions are called partitions. It is typically the first step of preparing a newly installed disk, before any file system is created. The disk stores the information about the partitions' locations and sizes in an area known as the partition table that the operating system reads before any other part of the disk. Each partition then appears to the operating system as a distinct "logical" disk that uses part of the actual disk. System administrators use a program called a partition editor to create, resize, delete, and manipulate the partitions. Partitioning allows the use of different filesystems to be installed for different kinds of files. Separating user data from system data can prevent the system partition from becoming full and rendering the system unusable. Partitioning can also make backing up easier. A disadvantage is that it can be difficult to properly size partitions, resulting in having one partition with too much free space and another nearly totally allocated.

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

A boot sector is the sector of a persistent data storage device which contains machine code to be loaded into random-access memory (RAM) and then executed by a computer system's built-in firmware.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

Windows 9x is a generic term referring to a series of Microsoft Windows computer operating systems produced from 1995 to 2000, which were based on the Windows 95 kernel and its underlying foundation of MS-DOS, both of which were updated in subsequent versions. The first version in the 9x series was Windows 95, which was succeeded by Windows 98 and then Windows Me, which was the third and last version of Windows on the 9x line, until the series was superseded by Windows XP.

ESET NOD32 Antivirus, commonly known as NOD32, is an antivirus software package made by the Slovak company ESET. ESET NOD32 Antivirus is sold in two editions, Home Edition and Business Edition. The Business Edition packages add ESET Remote Administrator allowing for server deployment and management, mirroring of threat signature database updates and the ability to install on Microsoft Windows Server operating systems.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

Blackworm is an Internet worm discovered on January 20, 2006 that infects several versions of Microsoft Windows. It is also known as Grew.a, Grew.b, Blackmal.e, Nyxem.e, Nyxem.d, Mywife.d, Tearec.a, CME-24, and Kama Sutra.

CTX is a computer virus created in Spain in 1999. CTX was initially discovered as part of the Cholera worm, with which the author intentionally infected with CTX. Although the Cholera worm had the capability to send itself via email, the CTX worm quickly surpassed it in prevalence. Cholera is now considered obsolete, while CTX remains in the field, albeit with only rare discoveries.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

<span class="mw-page-title-main">Stoned (computer virus)</span> Computer virus

Stoned is a boot sector computer virus created in 1987. It is one of the first viruses and is thought to have been written by a student in Wellington, New Zealand. By 1989 it had spread widely in New Zealand and Australia, and variants became very common worldwide in the early 1990s.

The Linux booting process involves multiple stages and is in many ways similar to the BSD and other Unix-style boot processes, from which it derives. Although the Linux booting process depend very much on the computer architecture, those architectures share similar stages and software components, including system startup, bootloader execution, loading and startup of a Linux kernel image, and execution of various startup scripts and daemons. Those are grouped into 4 steps: system startup, bootloader stage, kernel stage, and init process. When a Linux system is powered up or reset, its processor will execute a specific firmware/program for system initialization, such as Power-on self-test, invoking the reset vector to start a program at a known address in flash/ROM, then load the bootloader into RAM for later execution. In personal computer (PC), not only limited to Linux-distro PC, this firmware/program is called BIOS, which is stored in the mainboard. In embedded Linux system, this firmware/program is called boot ROM. After being loaded into RAM, bootloader will execute to load the second-stage bootloader. The second-stage bootloader will load the kernel image into memory, decompress and initialize it then pass control to this kernel image. Second-stage bootloader also performs several operation on the system such as system hardware check, mounting the root device, loading the necessary kernel modules,... Finally, the very first user-space process starts, and other high-level system initializations are performed.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

<span class="mw-page-title-main">Conficker</span> Computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.

Sality is the classification for a family of malicious software (malware), which infects Microsoft Windows systems files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks to process intensive tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

Win32/Patched is a computer Trojan targeting the Microsoft Windows operating system that was first detected in October 2008. Files detected as "Trojan.Win32.Patched" are usually Windows components that are patched by a malicious application. The purpose of patching varies. For example, certain malware patches system components in order to disable security, such as the Windows Safe File Check feature. Other malware can add parts of its code to a system component and then patch certain functions of the original file to point to an appended code.

References

1 2 "從CIH「重裝駭客」變身「除錯超人」". iThome online (in Chinese). 2006-08-25. Archived from the original on 2013-04-17.
1 2 3 "從駭電腦到愛旅行─昔日網路小子陳盈豪 - 親子天下雜誌8期 - 陳盈豪,網路世界,宅男,網路沉迷". parenting.com.tw (in Chinese). 2013-06-07. Archived from the original on 2013-06-07.
↑ "打擊駭客，不再無法可施 - 安全常識 - 法務部行政執行署嘉義分署" (in Chinese). 行政執行署嘉義行政執行處. 2005-12-10. Archived from the original on 2013-10-29.{{cite web}}: CS1 maint: unfit URL (link)
1 2 "What is the Chernobyl Virus? (with pictures)". Easy Tech Junkie. Retrieved 2023-02-16.
↑ Weil, Nancy (1999-04-07). "Some Aptivas shipped with CIH virus". CNN. Archived from the original on 2007-01-04.
↑ "Back Orifice CDs infected with CIH virus - Tech News on ZDNet". news.zdnet.com. July 14, 1999. Archived from the original on 2007-03-11.
↑ "US Report: Gamers believe Activision's 'SiN' carries CIH virus". ZDNet.co.uk. 28 Jul 1998. Archived from the original on 2009-04-17.
↑ Lemos, Robert (May 25, 1999). "Is the CIH virus on the endangered list?".
↑ "Virus:DOS/CIH". F-Secure Labs. Archived from the original on 2001-01-28. Retrieved 2021-12-07.
↑ "Virus:DOS/CIH | F-Secure Labs". www.f-secure.com. Retrieved 2023-11-05.

External links

F-Secure CIH Database
F-Secure CIH Technical Page
Symantec CIH Technical Page
News article about the Jennifer Lopez e-mail
FIX-CIH - Site by Steve Gibson on how to repair most of the damage from CIH
CIH 1.4 source code

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[ithome-1] 1 2 "從CIH「重裝駭客」變身「除錯超人」". iThome online (in Chinese). 2006-08-25. Archived from the original on 2013-04-17.

[parenting-2] 1 2 3 "從駭電腦到愛旅行─昔日網路小子陳盈豪 - 親子天下雜誌8期 - 陳盈豪,網路世界,宅男,網路沉迷". parenting.com.tw (in Chinese). 2013-06-07. Archived from the original on 2013-06-07.

[3] "打擊駭客，不再無法可施 - 安全常識 - 法務部行政執行署嘉義分署" (in Chinese). 行政執行署嘉義行政執行處. 2005-12-10. Archived from the original on 2013-10-29.{{cite web}}: CS1 maint: unfit URL (link)

[auto-4] 1 2 "What is the Chernobyl Virus? (with pictures)". Easy Tech Junkie. Retrieved 2023-02-16.

[5] Weil, Nancy (1999-04-07). "Some Aptivas shipped with CIH virus". CNN. Archived from the original on 2007-01-04.

[6] "Back Orifice CDs infected with CIH virus - Tech News on ZDNet". news.zdnet.com. July 14, 1999. Archived from the original on 2007-03-11.

[7] "US Report: Gamers believe Activision's 'SiN' carries CIH virus". ZDNet.co.uk. 28 Jul 1998. Archived from the original on 2009-04-17.

[8] Lemos, Robert (May 25, 1999). "Is the CIH virus on the endangered list?".

[9] "Virus:DOS/CIH". F-Secure Labs. Archived from the original on 2001-01-28. Retrieved 2021-12-07.

[10] "Virus:DOS/CIH | F-Secure Labs". www.f-secure.com. Retrieved 2023-11-05.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]