CIH: One Year Later

Written by Victor Latona, Contributor
April 26th is the anniversary and most people have forgotten about the global damage done by the Chernobyl virus. According to Datafellows, the most common variant of this virus, CIH 1.2, activates on the 26th of April.

Background
The virus was originally discovered back in June 1998 in Taiwan and a global warning followed soon after. The author, then 24-year-old computer student Chen Ing-hau, devised one of the most deadly and costly viruses to strike computer technology.

The virus was so prolific that it infected some 240,000 PCs in South Korea and 600,000 globally, including 1,000 private companies, 200 government and public organizations, and 300 universities. It was estimated that damage inflicted by the virus topped $250 million. Students at Boston College apparently paid no mind to warnings issued by their computer science department. Outbreaks there were so severe that the school's computer help desk urged students not to turn their computers back on until April 27th in hopes of dodging the payload of Chernobyl.

The spread of the virus throughout Asia was exacerbated by the practice of buying and selling pirated software. This software often has more bugs than a spring hatch and the use of anti-virus software is less prevalent. That doesn't mean that big business in the US was totally removed from the effects of Chernobyl. Datafellows described several incidents that US and European firms were involved with:

  • IBM shipped a batch of new Aptiva PCs with the CIH virus pre-installed during March 1999, one month before the virus detonates its payload.
  • The Origin Systems website contained an infected file related to its popular Wing Commander game.
  • As many as three European gaming magazines shipped demo CDs that were infected. One company went as far as including a note inside telling users to disinfect their machines after using the CD. A widely distributed version of Activision's game SiN was also infected. It should be noted that the infection did not originate at Activision.
  • Yamaha shipped an infected version of firmware update software for its CD-R400 drives.

The virus has many different aliases:

  • Chernobyl
  • PE_CIH
  • Win95.CIH
  • W95/CIH.1003
  • CIH.Spacefiller

Chernobyl is a virus that infects 32-bit Microsoft Windows executables. It can proliferate in Windows 95/98 and NT environments but can only function under Windows 95/98. Windows NT and 2000 users are not at risk of being exposed to CIH's payload.

The virus is memory resident: when an infected program is run, the virus stays resident in the computer's memory. If a user then runs an anti-virus program to scan for the virus, the virus will infect every file that the program scans. An infected system must be booted from a clean system disk before being scanned.

Files that are infected do not necessarily change in size. CIH has a unique method of infection where it searches for empty or unused spaces in a file and then breaks itself into smaller pieces to fit into these spaces.
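The infection method described above leaves a trace a defender can measure: the alignment padding at the end of a PE section is normally all zeros. The following is an added example, not part of the original article, that parses the section headers and counts non-zero bytes in each section's slack; the `build_sample` image and its filler bytes are constructed for the demonstration.

```python
import struct

def section_slack(pe: bytes):
    """Return [(section, slack_bytes, nonzero_bytes)] for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    n_sections, opt_size = struct.unpack_from("<2xH12xH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size          # first 40-byte section header
    report = []
    for i in range(n_sections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        # Slack exists only when the used size is smaller than the raw size;
        # a VirtualSize of 0 (or >= raw size) is treated as no slack.
        used = vsize if 0 < vsize < raw_size else raw_size
        slack = pe[raw_ptr + used:raw_ptr + raw_size]
        nonzero = len(slack) - slack.count(0)
        report.append((name.rstrip(b"\0").decode("latin-1"), len(slack), nonzero))
    return report

def build_sample(filler: bytes = b"") -> bytes:
    """Constructed one-section image: 0x200 raw bytes, 0x40 of them used."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytes(0xE0)                         # zeroed; not read by the parser
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x40, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    return headers + (b"\x90" * 0x40 + filler).ljust(0x200, b"\0")

if __name__ == "__main__":
    print(section_slack(build_sample()))               # padding is all zeros
    print(section_slack(build_sample(b"\xCC" * 100)))  # padding carries data
```

Non-zero slack is a lead rather than a verdict, since some packers and linkers also leave data there; comparing against a known-good copy of the same file settles it.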

The payload is designed to activate on April 26th, commemorating the anniversary of the Chernobyl nuclear disaster. CIH packs a one-two punch. The first blow overwrites the hard disk with random data, starting at the beginning of the disk and continuing until the system has crashed. The second pounding tries to cause permanent damage to your system by attacking the BIOS. If this takes place, your computer will become useless, showing a blank screen upon startup. This can be repaired with a hardware fix of replacing or repairing the BIOS.

A sure way to protect your system and all of your data is to run anti-virus software. These protection programs are a prophylactic designed to handle viruses like Chernobyl and its variants. If you are not currently running anti-virus software but would like to, please download a free anti-virus program from the list below and keep your computer protected.
