Chernobyl (aka CIH)

The CIH virus, also known as Chernobyl, was first discovered in June 1998 in Taiwan, and it took just one week to infect systems worldwide. According to the Taipei authorities, the CIH virus was written by Chen Ing-hau, and the name of the virus was derived from his initials.

On April 26, 1999, the payload triggered for the first time and caused many computer users to lose their data. In Korea alone, it was estimated that as many as one million computers were affected, resulting in more than $250 million in damages. There were no conclusive reports on the damage caused by the virus on a global scale. However, it was believed to have been one of the major virus attacks known so far.
CIH was a very destructive virus for its time, with a payload that destroyed data by attempting to erase the entire hard drive and to overwrite the system BIOS. The virus infected Windows 95 and 98 executable files and quickly infected all the files of this type it could find. When an infected file was run, the virus became memory resident. It then infected other files when they were copied or opened. Infected files were the same size as the original file because of the unique infection technique used, which made the virus difficult to detect initially. The virus first looked for empty spaces in the file, and then it broke itself up into small fragments and hid in the file. However, the virus had some bugs, and in some cases it crashed computers when infected applications were run.
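Because an infected file keeps its original size, a size comparison says nothing, but the padding the virus hid in can be inspected directly. The following is an added example, not code from the original page: it reads the section table of a Windows executable (PE format) and reports how many bytes of each section's file-alignment padding are non-zero. The function names and the sample buffer are constructed for illustration.

```python
import struct

def section_slack(data: bytes):
    """Return [(section, slack_bytes, nonzero_bytes)] for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                          # first section header
    report = []
    for i in range(n_sections):
        name, vsize, _rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        # Slack = raw bytes past VirtualSize: file-alignment padding that the
        # linker normally leaves zeroed. VirtualSize 0 (some old linkers)
        # means "use SizeOfRawData", so there is no slack to measure.
        start = raw_ptr + (vsize if 0 < vsize < raw_size else raw_size)
        end = min(raw_ptr + raw_size, len(data))
        slack = data[start:end]
        report.append((name.rstrip(b"\0").decode("ascii", "replace"),
                       len(slack), sum(1 for b in slack if b)))
    return report

def build_sample(cavity_fill: bytes = b"") -> bytes:
    """Constructed PE-shaped buffer (not loadable): one .text section with
    0x200 raw bytes, of which 0x120 are in use."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)            # i386, 1 section
    struct.pack_into("<H", hdr, 0x54, 0)                    # no optional header
    struct.pack_into("<8sIIII", hdr, 0x58, b".text", 0x120, 0x1000, 0x200, 0x200)
    body = bytearray(0x200)
    body[:0x120] = b"\x90" * 0x120                          # stand-in for code
    body[0x120:0x120 + len(cavity_fill)] = cavity_fill      # bytes placed in padding
    return bytes(hdr + body)

if __name__ == "__main__":
    clean, modified = build_sample(), build_sample(b"\xCC" * 0x40)
    print(len(clean) == len(modified))   # sizes match
    print(section_slack(clean), section_slack(modified))
```

Non-zero padding is a lead for triage rather than a verdict, since some toolchains leave data there; comparing a cryptographic hash against a known-good copy remains the reliable integrity check.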

The virus carried two payloads. The first overwrote or deleted information on the hard drive by using direct disk-write calls, bypassing standard BIOS virus protection, while overwriting the MBR and boot sectors.

The second payload had the ability to overwrite certain flash BIOS chipsets on some machines, from a 486 through a Pentium II, that had a flash BIOS. Some computers had a jumper on the motherboard, which acted as hardware write protection. Some machines also had a DIP switch, which allowed BIOS flashing to be disabled. There were some newer computers that could not be protected by the switch and therefore were vulnerable to the virus. When the payload executed, it left the PC inoperable unless the BIOS was restored or replaced. This resulted in computer failures such as the inability to start up, leaving the machine virtually "paralyzed". Data such as statistics, which were useful for economics, especially in the commercial sectors, were lost, resulting in a breakdown in service quality in sectors that involved massive usage of computers, such as clerical services, as was the case in Korea.

By April 2000, although the virus was rather old, Symantec still believed the virus was in the wild and could cause damage to computer users who were using outdated virus definitions or who were not using anti-virus software.