Chernobyl (aka CIH)
The CIH virus, also known as Chernobyl, was first discovered in
June 1998 in Taiwan, and it took just one week to infect systems
worldwide. According to the Taipei authorities, the CIH virus was
written by Chen Ing-hau, and the name of the virus derives from
his initials.
On April 26, 1999, the payload triggered for the first time and
caused many computer users to lose their data. In Korea alone, it
was estimated that as many as one million computers were affected,
resulting in more than $250 million in damages. There were no
conclusive reports on the damage caused by the virus on a global
scale; however, it was believed to have been one of the major virus
attacks known so far.
CIH was a very destructive virus for its time, with a payload that
destroyed data by attempting to erase the entire hard drive and
overwrite the system BIOS. The virus infected Windows 95 and 98
executable files and quickly infected all the files of this type it
could find. When an infected file was run, the virus became memory
resident. It then infected other files when they were copied or
opened. Infected files were the same size as the original file
because of the unique infection technique used, which made the
virus difficult to detect initially: the virus first looked for
empty spaces in the file, then broke itself up into small fragments
and hid them in those spaces. However, the virus had some bugs, and
in some cases it crashed computers when infected applications were
run.
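The "empty spaces" described above are the padding between a PE section's VirtualSize and its file-aligned SizeOfRawData, which a linker normally leaves zero-filled. The following added example (not code from the original article, and not CIH's own code) parses a PE section table, lists those gaps, and flags any section whose padding holds non-zero bytes; it builds its own constructed two-section PE32 skeleton as sample input, so it runs offline.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def section_slack(pe: bytes):
    """For each section whose on-disk size exceeds its VirtualSize, return
    (name, file offset of the gap, gap bytes). Those gaps are the 'empty
    spaces' a cavity infector such as CIH fills without growing the file."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                 # section table follows the optional header
    gaps = []
    for i in range(num_sections):
        name, vsize, _va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        if 0 < vsize < rawsize:
            gaps.append((name.rstrip(b"\0").decode(), rawptr + vsize, pe[rawptr + vsize:rawptr + rawsize]))
    return gaps

def suspicious_sections(pe: bytes):
    """Names of sections whose padding is not all zero (a linker normally zero-fills it)."""
    return [name for name, _, gap in section_slack(pe) if any(gap)]

def build_sample(planted: bytes = b"") -> bytes:
    """Constructed two-section PE32 skeleton (not a runnable program) with
    0x200-byte file alignment; `planted` is written into the .text padding."""
    align, e_lfanew = 0x200, 0x40
    code, data = b"\xC3" * 0x40, b"\x00" * 0x10          # 64 bytes of 'ret', 16 bytes of data
    assert len(code) + len(planted) <= align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")     # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    text_hdr = SECTION_HDR.pack(b".text", len(code), 0x1000, align, align, 0, 0, 0, 0, 0x60000020)
    data_hdr = SECTION_HDR.pack(b".data", len(data), 0x2000, align, 2 * align, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + text_hdr + data_hdr).ljust(align, b"\0")
    return headers + (code + planted).ljust(align, b"\0") + data.ljust(align, b"\0")
```

Non-zero padding is only a heuristic: some linkers pad code sections with 0xCC bytes, so treat a hit as something to inspect rather than proof of infection.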
The virus carried two payloads. The first overwrote or deleted
information on the hard drive using direct disk-write calls,
bypassing the standard BIOS virus protection, and overwrote the
MBR and boot sectors.
The second payload had the ability to overwrite certain flash BIOS
chipsets on some machines, from the 486 through the Pentium II, that
had a flash BIOS. Some computers had a jumper on the motherboard
which acted as hardware write protection, and some machines had a
DIP switch which allowed flashing of the BIOS to be disabled. Some
newer computers could not be protected by such a switch and were
therefore vulnerable to the virus. When the payload executed, it
left the PC inoperable unless the BIOS was restored or replaced.
This resulted in computer failures such as an inability to start
up, leaving the machine virtually "paralyzed". Data such as
statistics, which were useful for economics especially in the
commercial sectors, were lost, resulting in a breakdown in service
quality in sectors that involved massive usage of computers, such as
the clerical services, as in the case in Korea where it occurred.
By April 2000, although the virus was rather old, Symantec still
believed the virus was in the wild and could cause damage to
computer users who were using outdated virus definitions or who
were not using anti-virus software.