CIH (computer virus)
CIH, also known as Chernobyl or Spacefiller, is a Microsoft Windows computer virus written by Chen Ing Hau (陳盈豪, pinyin: Chén Yíngháo) of Travian. It is one of the most damaging viruses, overwriting critical information on infected system drives, and more importantly, in some cases corrupting the system BIOS.
The name "Chernobyl Virus" was coined some time after the virus was already well-known as CIH, and refers to the complete coincidence of the payload trigger date in some variants of the virus (actually the virus creation date in 1998, to trigger exactly a year later) and the Chernobyl accident, which happened in the Ukrainian SSR on April 26, 1986.
History
In September 1998, Yamaha shipped a firmware update to their CD-R400 drives that was infected with the virus. In October 1998, a demo version of the Activision game SiN was infected by one of its mirror sites. In March 1999, several thousand IBM Aptivas shipped with the CIH virus, just one month before the virus would trigger.
CIH's dual payload was delivered for the first time on April 26, 1999, with most of the damage occurring in Asia. CIH filled the first 1024 KB of the host's boot drive with zeros and then attacked certain types of BIOS. Both of these payloads served to render the host computer inoperable, and for laymen the virus essentially destroyed the PC. Technically, however, it was possible to replace the BIOS chip, and methods for recovering hard disk data emerged later.
Today, CIH is not as widespread as it once was, due to awareness of the threat and the fact it only affects older Windows 9x (95, 98, Me) operating systems.
The virus made another comeback in 2001 when a variant of the LoveLetter Worm in a VBS file that contained a dropper routine for the CIH virus was circulated around the internet, under the guise of a nude picture of Jennifer Lopez.
A modified version of the virus called CIH.1106 was discovered in December 2002, but it is not considered a serious threat.
Virus specifics
CIH spreads under the Portable Executable file format under Windows 95, 98, and ME. CIH does not spread under Windows NT-based operating systems.
CIH infects Portable Executable files by splitting the bulk of its code into small slivers inserted into the inter-section gaps commonly seen in PE files, and writing a small re-assembly routine and table of its own code segments' locations into unused space in the tail of the PE header. This earned CIH another name, "Spacefiller". The size of the virus is around 1 kilobyte, but due to its novel multiple-cavity infection method, infected files do not grow at all. It uses methods of jumping from processor ring 3 to 0 to hook system calls.
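The "spacefiller" pattern described above has a direct defensive counterpart: the file regions an infector of this kind writes into are exactly the regions no section of the PE claims. The following scanner, added here as an illustration and not code from the article, the virus, or any vendor's detection engine, walks the PE section table, derives the unclaimed ranges (the tail of the header area and the padding between one section's raw data and the next) and reports any that are not zero-filled. It also looks for the three variant marker strings the article lists later. The sample image it scans is constructed in `build_sample`; the bytes placed in the cavity are arbitrary stand-ins, not the virus's code.

```python
# Added example: a defensive scanner for non-zero data in PE "slack" regions,
# written for this article. Not the virus's own code and not a vendor signature.
import struct


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def parse_sections(pe):
    """Return (end_of_headers, [(name, raw_offset, raw_size), ...]) from the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = _u32(pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = _u16(pe, coff + 2)          # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = _u16(pe, coff + 16)          # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size            # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        h = table + 40 * i
        name = pe[h:h + 8].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, _u32(pe, h + 20), _u32(pe, h + 16)))  # PointerToRawData, SizeOfRawData
    return table + 40 * nsections, sections


def slack_regions(pe):
    """File ranges [start, end) that no section maps: the unused tail of the
    header area and the gap between one section's raw data and the next."""
    headers_end, sections = parse_sections(pe)
    ordered = sorted((s for s in sections if s[2]), key=lambda s: s[1])
    regions, cursor, label = [], headers_end, "header tail"
    for name, off, size in ordered:
        if off > cursor:
            regions.append((label, cursor, off))
        cursor, label = max(cursor, off + size), f"gap after {name}"
    return regions


def nonzero_slack(pe):
    """Slack regions holding anything other than zero padding, with a count of non-zero bytes."""
    hits = []
    for label, start, end in slack_regions(pe):
        chunk = pe[start:end]
        if any(chunk):
            hits.append((label, start, end, sum(1 for b in chunk if b)))
    return hits


# Marker strings the article attributes to the three variants (see the variant list below).
MARKERS = (b"CIH v1.2 TTIT", b"CIH v1.3 TTIT", b"CIH v1.4 TATUNG")


def marker_strings(pe):
    return [m.decode() for m in MARKERS if m in pe]


def build_sample(cavity=b""):
    """Constructed minimal PE32 image with two sections on 0x200 file alignment.
    `cavity` is written into the padding after .text; empty means a clean file."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic; remaining fields left zero

    def section(name, rva, size, raw_off):
        return struct.pack("<8sIIIIIIHHI", name, size, rva, size, raw_off, 0, 0, 0, 0, 0x60000020)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1000, 0x200, 0x200)
               + section(b".data", 0x2000, 0x200, 0x600))
    img = bytearray(0x800)
    img[:len(headers)] = headers
    img[0x200:0x400] = b"\xC3" * 0x200                  # stand-in code bytes
    img[0x400:0x400 + len(cavity)] = cavity             # inter-section padding
    img[0x600:0x800] = b"A" * 0x200                     # stand-in data bytes
    return bytes(img)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample()),
                          ("cavity", build_sample(b"\xEB\xFE" * 4 + b"CIH v1.2 TTIT"))):
        print(label, nonzero_slack(sample), marker_strings(sample))
```

Non-zero slack is a heuristic, not proof of infection: linkers and packers sometimes leave debug data or alignment fill there, so a hit is a reason to inspect the file, not a verdict. The header-tail region is where the article says the re-assembly routine and its location table are stored, so that region deserves the same attention as the inter-section gaps.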
The payload, which is considered extremely dangerous, first involves the virus overwriting the first megabyte (1024 KB) of the hard drive with zeroes, beginning at sector 0. This deletes the contents of the partition table, and may cause the machine to hang.
The second payload tries to write to the Flash BIOS. Due to what may be an unintended feature of this code, BIOSes that can be successfully written to by the virus have critical boot-time code replaced with junk. This routine only works on some machines. Much emphasis has been put on machines with motherboards based on the Intel 430TX chipset, but by far the most important variable in CIH's success in writing to a machine's BIOS is the type of Flash ROM chip in the machine. Different Flash ROM chips (or chip families) have different write-enable routines specific to those chips. CIH makes no attempt to test for the Flash ROM type in its victim machines, and has only one write-enable sequence.
For the first payload, any information that the virus has overwritten with zeros is lost. If the first partition is FAT32, and over about one gigabyte, all that will get overwritten is the MBR, the partition table, the boot sector of the first partition and the first copy of the FAT of the first partition. The MBR and boot sector can simply be replaced with copies of the standard versions, the partition table can be rebuilt by scanning over the entire drive and the first copy of the FAT can be restored from the second copy. This means a complete recovery with no loss of user data can be performed automatically by a tool like Fix CIH.
If the first partition is not FAT32 or is smaller than 1 GB, the bulk of user data on that partition will still be intact, but without the root directory and FAT it will be difficult to find, especially if there is significant fragmentation.
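The "about one gigabyte" threshold above follows from the disk geometry: the payload zeroes the first 2048 sectors, so the second FAT copy survives only if the first copy is large enough to push it past that boundary. The model below, added here as an illustration and not code from the article or from Fix CIH, computes where the MBR, boot sector, FAT copies and data region fall for a FAT32 partition, classifies each as lost, partial or intact, and then performs the FAT-from-mirror restoration on a constructed disk image. The partition start (sector 63), reserved sector count (32) and cluster size (4 KB) are assumed values, and the FAT-size rule is the simplified one entry per cluster.

```python
# Added example: what CIH's first payload destroys on a FAT32 disk and why the
# second FAT copy allows automatic recovery. Illustrative code written for this
# article; geometry values are constructed assumptions, not measured from a disk.
SECTOR = 512
ZEROED_BYTES = 1024 * 1024                 # the first 1024 KB of the boot drive
ZEROED_SECTORS = ZEROED_BYTES // SECTOR    # 2048 sectors, starting at sector 0


def fat32_layout(part_start, part_sectors, reserved, cluster_sectors, fats=2):
    """Absolute sector ranges [start, end) of the on-disk structures.

    Sizing rule: one 32-bit FAT entry per cluster. The exact formula in the
    FAT specification differs from this by a few sectors.
    """
    clusters = (part_sectors - reserved) // cluster_sectors
    fat_sectors = -(-(clusters * 4) // SECTOR)          # ceiling division
    layout = {"mbr": (0, 1), "boot_sector": (part_start, part_start + 1)}
    pos = part_start + reserved
    for i in range(fats):
        layout[f"fat{i + 1}"] = (pos, pos + fat_sectors)
        pos += fat_sectors
    layout["data"] = (pos, part_start + part_sectors)  # on FAT32 the root directory lives here
    return layout


def damage_report(layout, zeroed_sectors=ZEROED_SECTORS):
    """Classify each structure as lost, partial or intact after sectors [0, zeroed_sectors) are zeroed."""
    report = {}
    for name, (start, end) in layout.items():
        if end <= zeroed_sectors:
            report[name] = "lost"
        elif start >= zeroed_sectors:
            report[name] = "intact"
        else:
            report[name] = "partial"
    return report


def recoverable_without_data_loss(report):
    """MBR, partition table and boot sector can be regenerated; user data is
    fully recoverable only if the data region is untouched and one FAT copy is whole."""
    fats = [v for k, v in report.items() if k.startswith("fat")]
    return report["data"] == "intact" and "intact" in fats


def build_image(layout, total_sectors):
    """Constructed disk image in which each structure carries a recognisable fill byte."""
    fills = {"mbr": b"M", "boot_sector": b"B", "fat1": b"\xaa", "fat2": b"\xaa", "data": b"D"}
    img = bytearray(total_sectors * SECTOR)
    for name, (start, end) in layout.items():
        end = min(end, total_sectors)
        img[start * SECTOR:end * SECTOR] = fills[name] * ((end - start) * SECTOR)
    return img


def zero_first_megabyte(img):
    """Simulate the payload: zeros from sector 0 through the first 1024 KB."""
    img[:ZEROED_BYTES] = bytes(ZEROED_BYTES)


def restore_fat1_from_fat2(img, layout):
    """Copy FAT #2 over FAT #1. Refuses when FAT #2 overlaps the zeroed area:
    a FAT legitimately contains all-zero sectors, so content alone cannot
    distinguish a wiped sector from an unused one; only geometry can."""
    f1s, f1e = layout["fat1"]
    f2s, f2e = layout["fat2"]
    if f2s < ZEROED_SECTORS:
        return False
    img[f1s * SECTOR:f1e * SECTOR] = img[f2s * SECTOR:f2e * SECTOR]
    return True


if __name__ == "__main__":
    big = fat32_layout(part_start=63, part_sectors=2 * 1024 * 1024, reserved=32, cluster_sectors=8)   # 1 GiB
    small = fat32_layout(part_start=63, part_sectors=1024 * 1024, reserved=32, cluster_sectors=8)     # 512 MiB
    for label, lay in (("1 GiB", big), ("512 MiB", small)):
        rep = damage_report(lay)
        print(label, rep, "auto-recoverable:", recoverable_without_data_loss(rep))
```

With these assumptions a 1 GiB partition has a 2048-sector FAT, so the second copy begins at sector 2143 and lies wholly outside the zeroed range, whereas a 512 MiB partition's 1024-sector FATs place the second copy at sectors 1119 to 2143, partly inside it. That is the situation the article describes: the data region (and with it the FAT32 root directory) is intact in both cases, but without a whole FAT the cluster chains of fragmented files cannot be followed.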
If the second payload executes successfully, the computer will not start at all. A technician is required to reprogram or replace the Flash BIOS chip, as most systems that CIH can affect predate BIOS restoration features.
CIH v1.2/CIH.1103
This variant is the most common one and activates on April 26. It contains the string: CIH v1.2 TTIT.
CIH v1.3/CIH.1010A and CIH1010.B
This variant also activates on June 26. It contains the string: CIH v1.3 TTIT.
CIH v1.4/CIH.1019
This variant acts on the 26th of any month. It is still in the wild, although it is not that common. It contains the string CIH v1.4 TATUNG.
See also
- List of computer viruses
- Timeline of notable computer viruses and worms
External links
- F-Secure CIH Database
- F-Secure CIH Technical Page
- Symantec CIH Technical Page
- News article about the Jennifer Lopez e-mail
- FIX-CIH - Site by Steve Gibson on how to repair most of the damage from CIH