CIH
Type: File virus
Creator: Chen Ing Hau
Date Discovered: 1998.06.25
Place of Origin: Taipei, Taiwan
Source Language: Assembly
Platform: Windows 9x
File Type(s): .exe
Infection Length: 1,000 Bytes
Reported Costs: $250,000,000

The CIH virus, also known as Chernobyl or Spacefiller, was first discovered in June 1998 in Taiwan. According to the Taipei authorities, Chen Ing-hau wrote the CIH virus, and the name of the virus is derived from his initials. It did most of its damage within a few months of the appearance of Explorezip and Melissa. Contrary to popular belief, the payload trigger date had nothing to do with the Chernobyl nuclear disaster.

Behavior

CIH destroying a computer

When a CIH-infected file is executed on a system, the virus becomes resident. It installs itself as a device driver, jumping from the application level (Ring 3) to the system kernel level (Ring 0) and installing itself as a VxD driver by patching the protected-mode Interrupt Descriptor Table. It then allocates a block of system memory and copies its code there, hooks the Windows Installable File System (IFS) API calls, returns to Ring 3 and jumps to the host program's code.

It infects every executable file accessed. The files infected by CIH may have the same size as the original files, due to the unique infection mode of CIH. The virus searches for empty, unused spaces in the file. Next, it breaks itself up into smaller pieces and inserts its code into these unused spaces.
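Because the space-filling infection leaves file sizes unchanged, a size comparison cannot reveal it; one defensive check is to look for non-zero bytes in the file-alignment slack behind each PE section, which a clean linker normally leaves zero-filled. The scanner below is an added example, not code from the original page, and the two-section PE it builds is constructed for the demonstration (it is not a real program, and the marker bytes stand in for a hidden fragment rather than being any actual virus code).

```python
import struct

def pe_sections(data: bytes):
    """Parse the PE section table; return (name, PointerToRawData, SizeOfRawData, VirtualSize)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # section table follows the optional header
    out = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virt_size, _virt_addr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        out.append((name, raw_ptr, raw_size, virt_size))
    return out

def slack_findings(data: bytes):
    """Return (section, slack_bytes, non_zero_bytes) for sections whose alignment padding is not all zero."""
    findings = []
    for name, raw_ptr, raw_size, virt_size in pe_sections(data):
        if virt_size >= raw_size:
            continue                                     # no slack behind this section
        slack = data[raw_ptr + virt_size:raw_ptr + raw_size]
        used = sum(1 for b in slack if b != 0)
        if used:
            findings.append((name, len(slack), used))
    return findings

def build_sample_pe(hide_in_slack: bool) -> bytes:
    """Constructed minimal two-section PE (0x200 file alignment); optionally plants a marker in .text slack."""
    align = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: PE signature right after the DOS header
    secs = [(b".text", 0x120), (b".data", 0x40)]         # (name, VirtualSize); each occupies one aligned block
    table, body = b"", bytearray()
    for name, vsize in secs:
        raw_ptr = align + len(body)                      # headers fill the first block, sections follow
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, 0x1000 * (len(body) // align + 1),
                                                      align, raw_ptr, 0, 0, 0, 0, 0x60000020)
        chunk = bytearray(align)
        chunk[:vsize] = b"\x90" * vsize                  # legitimate section content
        if hide_in_slack and name == b".text":
            chunk[vsize:vsize + 16] = b"FRAGMENT-MARKER!"  # constructed stand-in for a hidden piece of code
        body += chunk
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0, 0x102)   # SizeOfOptionalHeader = 0 here
    return (bytes(dos) + b"PE\0\0" + coff + table).ljust(align, b"\0") + bytes(body)
```

On a real image the optional header is present and `SizeOfOptionalHeader` is non-zero; the parser honours whatever value the header carries, so it works unchanged on genuine executables.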

CIH has two payloads, both of which activate on April 26. The first payload overwrites the hard drive with random data, starting at sector 0, in an infinite loop until the system crashes. This makes it impossible to boot from the hard drive, and some of the data on the disk may be unrecoverable. The second payload tries to cause permanent damage to the computer: it attacks the Flash BIOS and tries to corrupt the data stored there. As a result, nothing may be displayed when the user starts the computer.

The virus can only spread on Windows 95, 98 and ME systems.

Effects

In Korea, it was estimated that as many as one million computers were affected, resulting in more than $250 million in damages. Computers at Boston College were infected and some were destroyed, many losing their information just before their final exams. 200 computers in Singapore and 100 in Hong Kong were infected with the virus, along with many others around the world. Ten major companies in India were also affected by the virus.

The virus first spread through pirated software in the summer of 1998. At least four pirate groups were infected during that summer. There were also unconfirmed reports that the virus appeared in a "PWA-cracked copy" of Windows 98.

From the summer of 1998 to the spring of 1999, several companies unintentionally released infected software. Origin Systems released a download related to its "Wing Commander" game which was infected. Three gaming magazines from Europe shipped CDs infected with CIH, and one even reportedly included a note informing users about the virus and suggesting they disinfect their computers after using the CD. Yamaha shipped an infected firmware upgrade for its CD-R400 drives. IBM Aptiva computers came with the virus pre-installed in March 1999.

Name

CIH takes its name from the initials of Chen Ing-Hau, its creator. Its other popular name, Chernobyl, comes largely from its payload trigger date, April 26, the same date as the Chernobyl nuclear disaster. It may have been used frequently by the press, as a reference to an infamous disaster would probably have greater dramatic effect in a news report than three initials. Its infection method of filling unused spaces gave it the less frequently used name of Spacefiller.

Antivirus Aliases

  • Avast!: Win95:CIH
  • Avira: W95/CIH.A
  • CA:
  • ClamAV: CIH.2
  • Doctor Web: Win95.CIH.1003
  • Eset: Win95/CIH
  • F-Prot: W32/CIH.1019.A
  • F-Secure:
  • Grisoft: Win32/CIH
  • Kaspersky Lab: Virus.Win9x.CIH also known as: Win95.CIH
  • McAfee: W95/CIH.1019a
  • Norman:
  • Panda: W95/CIH
  • RAV: Win95/CIH.1003
  • Bitdefender: Win95.CIH.Gen
  • Sophos: W95/CIH-10xx
  • Symantec: W95.CIH
  • Trend Micro: PE_CIH.1003
  • Vexira: Win95.CIH

Other Facts

Some had expressed skepticism over the virus's ability to destroy a computer's BIOS, though it was later proven that it could. There were no confirmed cases in the wild of a BIOS being destroyed as a result of CIH; however, one researcher did manage to get the virus to destroy one in a lab test. Because the virus causes so much destruction before reaching this stage, it would likely be detected and removed, or it would destroy itself, before it could get that far.

One virus expert even speculated that the reports of BIOS corruption or destruction were a ploy to get people to discard perfectly good computers so that they could be resold by black market dealers. He also speculated that many alleged victims of the virus, all too eager to get rid of old computers, blamed the virus for minor problems and told management that they needed new equipment. The reported costs of damage may actually have been spent on new computers and software rather than on repairs and lost work or time.

The payload trigger date, the 26th of April, was initially thought to commemorate the Chernobyl disaster. It actually coincides with Chen's birthday.

Variants of this virus appeared as late as 2002. One variant released in 2001 was bundled with a VBS script that used social engineering, in the form of a promised picture of Jennifer Lopez, to encourage the user to open it.

Chen Ing-Hau worked with Weng Shi-hao, a student at Taiwan's Tamkang University, to write a disinfection program. Tamkang University is located in Tamsui District, home of another virus, though one created at a different university.

