CIH, also known as Chernobyl or Spacefiller, is a computer virus written by Chen Ing Hau of Taiwan. It is considered to be one of the most harmful widely circulated viruses, destroying all information on users' systems and in some cases overwriting the system BIOS. In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents made by crackers (for a complete definition: see below). ... Chen Ing Hau (陳盈豪 pinyin: Chen Yinghao, Born 26 April) is the author of the infamous CIH virus (also known as Chernobyl) and also one of the more interesting examples of legal battles involving virus writers. ... BIOS, in computing, stands for basic input/output system. ...

History

In September 1998, Yamaha shipped a firmware update to their CD-R400 Drives that were infected with the virus. In October 1998, a demo version of the Activision game SiN that was propagated by users got infected due to contact with an infected file on a certain user's machine. That company's infection came from a group of Aptiva PC's shipped by IBM during March 1999 with the CIH virus pre-installed. The computers were shipped around a month before the CIH payload activated for the first time in the public eye on April 26, 1999. This was a catastrophic event, and an untold number of computers worldwide were affected with the first 1024 KB of their boot drives being over-written with zeroes and even having their BIOS damaged, preventing the computer from successfully completing the POST process. By April 26, 2000, much of the damage was happening in Asia, but the virus was not as widespread there. On March 2001, the Anjulie Worm was discovered. It drops CIH v1.2 into the system as part of its payload. Today, CIH is not as widespread as it once was due to awareness of the threat and the fact it only affects older Windows 9x operating systems. September is the ninth month of the year in the Gregorian Calendar and one of four Gregorian months with 30 days. ... 1998 is a common year starting on Thursday of the Gregorian calendar, and was designated the International Year of the Ocean. ... The Yamaha Corporation (ヤマハ株式会社) (TYO: 7951) is a Japanese company with a large number of product areas. ... In computing, firmware is software that is embedded in a hardware device. ... October is the tenth month of the year in the Gregorian Calendar and one of seven Gregorian months with the length of 31 days. ... 1998 is a common year starting on Thursday of the Gregorian calendar, and was designated the International Year of the Ocean. ... Activision, Inc. ... The IBM PS/1 personal computer was IBMs return to the home market in 1990, five years after the IBM PCjr. ... The tower of a personal computer. ... International Business Machines Corporation (IBM, or colloquially, Big Blue) NYSE: IBM (incorporated June 15, 1911, in operation since 1888) is headquartered in Armonk, NY, USA. The company manufactures and sells computer hardware, software, and services. ... March is the third month of the year in the Gregorian Calendar and one of seven Gregorian months with the length of 31 days. ... 1999 is a common year starting on Friday Anno Domini (or the Current Era), and was designated the International Year of Older Persons by the United Nations. ... April 26 is the 116th day of the year in the Gregorian Calendar (117th in leap years). ... 1999 is a common year starting on Friday Anno Domini (or the Current Era), and was designated the International Year of Older Persons by the United Nations. ... Look up post in Wiktionary, the free dictionary. ... April 26 is the 116th day of the year in the Gregorian Calendar (117th in leap years). ... This article is about the year 2000. ... World map showing location of Asia Asia is the central and eastern part of Eurasia, defined by subtracting Europe from Eurasia. ... 2001 : January - February - March - April - May - June - July - August - September - October - November - December Events: March 3 - A U.S. Air Force Materials Command C-23 Sherpa transport crashes during stormy weather in the U.S. state of Georgia, killing 21. ...

The virus made another comeback in 2001 when a variant of the Loveletter Worm in a VBS file containing a dropper routine for the CIH virus was circulated around the internet, disguised as a nude picture of Jennifer Lopez. 2001: A Space Odyssey. ... The VBS/Loveletter computer worm, also known as Iloveyou or Lovebug, is a computer worm written in VBScript. ... VBScript (short form of Visual Basic Script Edition) is an Active Scripting engine bundled with Microsoft Windows. ... Jennifer Lopez in a sexy Leopard pose. ...

A modified version of the virus called CIH.1106 was discovered in December 2002, but it is not a serious threat. December is the twelfth and last month of the year in the Gregorian Calendar and one of seven Gregorian months with the length of 31 days. ... 2002(MMII) is a common year starting on Tuesday of the Gregorian calendar. ...

CIH is considered a threat only if it infects programs used by mass-mailing computer worms, such as Klez, or if the Anjulie Worm comes into play. However, CIH only works on Windows 95, 98, and Windows Me, greatly limiting its effects. A computer worm is a self-replicating computer program, similar to a computer virus. ... Klez is a computer worm that propagates via E-mail. ... Windows 95 (codename Chicago) is a hybrid 16-bit/32-bit graphical operating system released on August 24, 1995 by the Microsoft Corporation. ... Windows 98 (codename Memphis) is a graphical operating system released on June 25, 1998 by Microsoft. ... Windows Millennium Edition (originally codenamed Millennium and Georgia), also known as Windows Me, is a 32-bit graphical operating system released on September 14, 2000 by Microsoft. ...

Virus specifics

CIH spreads under the Portable Executable file format under Windows 95, Windows 98, and Windows ME. CIH does not spread under Windows NT, Windows 2000, or Windows XP. The Portable Executable (PE) format is an executable file format used in 32-bit and 64-bit versions of Windows operating systems. ... Windows NT is a family of operating systems produced by Microsoft, and was succeeded by Windows 2000 (still based on Windows NT). ... Windows 2000 (also referred to as Win2K, W2K or Windows NT 5. ... As of 2005, Windows XP is the current client version of the Microsoft Windows operating system. ...

Due to the fact that CIH infects a Portable Executable file, it fills in the gaps of empty space commonly seen in PE files. Hence, that earned CIH another name, "Spacefiller". The size of the virus is 1 kilobyte, but files do not grow at all. It uses methods of jumping from processor ring 3 to 0 to hook system calls. A kilobyte (derived from the SI prefix kilo-) is a unit of information or computer storage equal to either 1024 or 1000 bytes. ...

The payload, which is considered extremely dangerous, first involves the virus overwriting the first megabyte (1024KB) of the hard drive with zeroes, beginning at sector 0. This often deletes the contents of the partition table, and may cause the machine to hang. Typical hard drives of the mid-1990s. ...

The second payload tries to overwrite the Flash BIOS with junk also. This routine will work on machines based on the Intel 430TX chipset, provided that the protection jumper is turned off. The aforementioned chipset allows writing to the Flash BIOS by a computer program. Intel Corporation (NASDAQ: INTC) (founded 1968) is a U.S.-based multinational corporation that is best known for designing and manufacturing microprocessors and specialized integrated circuits. ...

For the first payload, the hard disk can be sent to a company that can recover the data if it is extremely important, or in some cases the drives contents can be recovered using Fix CIH, a freeware program by Steve Gibson. Otherwise, one should run FDISK and repartition and reformat the hard drive. However, if the second payload goes off without a hitch, the computer will not start at all. A technician is required to reprogram or replace the Flash BIOS chip. Freeware (also called gratis software or free as in beer software) is computer software which is made available free of charge and is not free to be used, copied, studied, modified and redistributed. ... Steve Gibson (b. ... Many partition table manipulators are known as fdisk. ...

CIH v1.2/CIH.1103

This variant is the most common one and activates on April 26. It contains the string: CIH v1.2 TTIT. April 26 is the 116th day of the year in the Gregorian Calendar (117th in leap years). ...

CIH v1.3/CIH.1010A and CIH1010.B

This variant also activates on June 26. It contains the string: CIH v1.3 TTIT. June 26 is the 177th day of the year (178th in leap years) in the Gregorian Calendar, with 188 days remaining. ...

CIH v1.4/CIH.1019

This variant acts on the 26th of any month. It is still in the wild, although it isn't that common. It contains the string: CIH v1.4 TATUNG.

CIH.1049

This variant activates on August 2 instead of April 26. August 2 is the 214th day of the year in the Gregorian Calendar (215th in leap years), with 151 days remaining. ... April 26 is the 116th day of the year in the Gregorian Calendar (117th in leap years). ...

CIH.1106

This is a minor, fairly recent variation that appeared on December 2002. 2002 : January _ February _ March _ April _ May _ June _ July _ August _ September _ October _ November _ December _ → A timeline of events in the news for December, 2002. ...

See also

• List of computer viruses
• Timeline of notable computer viruses and worms

To aid the fight against viruses and other malware many security advisory organizations and developers of anti-virus software compile and publish lists of viruses. ... This is a list of noteworthy computer viruses and worms. ...

External links

• F-Secure CIH Database
• F-Secure CIH Technical Page
• Symantec CIH Technical Page
• News article about the Jennifer Lopez e-mail