CIH
Windows 9x computer virus

For a similar signature in FAT OEM labels, see FAT IHC OEM label.

[Figure: Antivirus intercept message on a Windows 95 system]

CIH, also known as Chernobyl or Spacefiller, is a Microsoft Windows 9x computer virus that first emerged in 1998. Its payload is highly destructive to vulnerable systems, overwriting critical information on infected system drives and, in some cases, destroying the system BIOS. The virus was created by Chen Ing-hau (陳盈豪, pinyin: Chén Yíngháo), a student at Tatung University in Taiwan. It was believed to have infected sixty million computers internationally, resulting in an estimated NT$1 billion (US$35,801,231.56) in commercial damages.

Chen claimed to have written the virus as a challenge against bold claims of antiviral efficiency by antivirus software developers. Chen stated that after classmates at Tatung University spread the virus, he apologized to the school and made an antivirus program available for public download. Weng Shi-hao (翁世豪), a student at Tamkang University, co-authored the antivirus program. Prosecutors in Taiwan could not charge Chen at the time because no victims came forward with a lawsuit. Nevertheless, these events led to new computer crime legislation in Taiwan.

The name "Chernobyl Virus" was coined sometime after the virus was already well known as CIH and refers to the complete coincidence of the payload trigger date in some variants of the virus (actually the virus creation date in 1998, to trigger exactly a year later) and the Chernobyl disaster, which happened in the Soviet Union on April 26, 1986.

The name "Spacefiller" was introduced because most viruses write their code to the end of the infected file, with infected files being detectable because their file size increases. In contrast, CIH looks for gaps in the existing program code, where it then writes its code, preventing an increase in file size; in that way, the virus avoids detection.

History

The virus first emerged in 1998. In March 1999, several thousand IBM Aptivas shipped with the CIH virus, just one month before the virus would trigger. In July 1999, copies of remote administration tool Back Orifice 2000 given out to DEF CON 7 attendees were discovered by the organizers to have been infected with CIH. On December 31, 1999, Yamaha shipped a software update to their CD-R400 drives that was infected with the virus. In July 1998, a demo version of the first-person shooter game SiN was infected by one of its mirror sites.

CIH's dual payload was delivered for the first time on April 26, 1999, with most of the damage occurring in Asia. CIH filled the first 1024 KB of the host's boot drive with zeros and then attacked certain types of BIOS. Both of these payloads served to render the host computer inoperable, and for most ordinary users, the virus essentially destroyed the PC. Technically, however, it was possible to replace the BIOS chip, and methods for recovering hard disk data emerged later.

Today, CIH is not as widespread as it once was, due to awareness of the threat and the fact that it only affects older Windows 9x (95, 98, ME) operating systems.

The virus made another comeback in 2001 when a variant of the LoveLetter Worm in a VBS file that contained a dropper routine for the CIH virus was circulated around the internet under the guise of a nude picture of Jennifer Lopez.

A modified version of the virus called CIH.1106 was discovered in December 2002, but it is not widespread and only affects Windows 9x-based systems.

Virus specifics

CIH spreads under the Portable Executable file format under the Windows 9x-based operating systems, Windows 95, 98, and ME. CIH does not spread under Windows NT-based operating systems nor Win16-based operating systems such as Windows 3.x or below.

CIH infects Portable Executable files by splitting the bulk of its code into small slivers inserted into the inter-section gaps commonly seen in PE files and writing a small re-assembly routine and table of its own code segments' locations into unused space in the tail of the PE header. This earned CIH another name, "Spacefiller". The size of the virus is around 1 kilobyte, but due to its novel multiple-cavity infection method, infected files do not grow at all. It uses methods of jumping from processor ring 3 to 0 to hook system calls.

The payload, which is considered extremely dangerous, first involves the virus overwriting the first megabyte (1024KB) of the hard drive with zeros, beginning at sector 0. This deletes the contents of the partition table, and may cause the machine to hang or cue the blue screen of death.

The second payload tries to write to the Flash BIOS. BIOSes that can be successfully written to by the virus have critical boot-time codes replaced with junk. This routine only works on some machines. Much emphasis has been put on machines with motherboards based on the Intel 430TX chipset, but by far the most important variable in CIH's success in writing to a machine's BIOS is the type of Flash ROM chip in the machine. Different Flash ROM chips (or chip families) have different write-enable routines specific to those chips. CIH makes no attempt to test for the Flash ROM type in its victim machines and has only one write-enable sequence.

For the first payload, any information that the virus has overwritten with zeros is lost. If the first partition is FAT32, and over about one gigabyte, all that will get overwritten is the MBR, the partition table, the boot sector of the first partition and the first copy of the FAT of the first partition. The MBR and boot sectors can simply be replaced with copies of the standard versions; the partition table can be rebuilt by scanning over the entire drive and the first copy of the FAT can be restored from the second copy. This means a complete recovery with no loss of user data can be performed automatically by a tool like Fix CIH.

If the first partition is not FAT32 or is smaller than 1 GB, the bulk of user data on that partition will still be intact, but without the root directory and FAT it will be difficult to find it, especially if there is significant fragmentation.

If the second payload executes successfully, the computer will not start at all. Reprogramming or replacement of the Flash BIOS chip is then required, as most systems that CIH can affect predate BIOS restoration features.

Variants

Moniker | Description
CIH v1.2/CIH.1003 | This variant is the most common one and activates on April 26. It contains the string: CIH v1.2 TTIT
CIH v1.3/CIH.1010.A and CIH1010.B | This variant also activates on April 26. It contains the string: CIH v1.3 TTIT
CIH v1.4/CIH.1019 | This variant activates on the 26th of any month. It contains the string CIH v1.4 TATUNG.
CIH.1049 | This variant activates on August 2 instead of April 26.

See also

Comparison of computer viruses
Timeline of computer viruses and worms

External links

F-Secure CIH Database
F-Secure CIH Technical Page
Symantec CIH Technical Page
News article about the Jennifer Lopez e-mail
FIX-CIH - Site by Steve Gibson on how to repair most of the damage from CIH
CIH 1.4 source code
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.