
Alert: CIH virus Last reviewed on Tuesday, 11-Jul-2000 15:54:00 EDT

W95.CIH / W95/CIH / Chernobyl

This virus, which infects Windows systems, hides itself in files on your machine and activates on April 26.  On that date, it will attempt to overwrite your hard drive with random data, effectively wiping out your hard drive.  It will also attempt to corrupt the BIOS of your computer, and if successful will render the computer unusable until the BIOS chip can be replaced.  This virus infected and destroyed several computers on campus in April 1999 and was the inspiration for the university's Virus Notification Program.  If you have not updated your anti-virus software during the last year, please do so now and scan your computer for this virus.
 

Technical Details (from Symantec)
 

CIH is a virus that infects 32-bit Windows 95/98/NT executable files but is only capable of functioning under Windows 95/98. When an infected program on a Windows 95/98 machine is run, the virus will become resident in the computer's memory. This means that an infected system must be rebooted from a clean system disk before scanning with NAV, or any anti-virus product. If this is not done, the virus will infect every file that the anti-virus product scans. Symantec AntiVirus Research Center has also provided a small utility called KILL_CIH to remove the virus from memory to avoid rebooting from a clean system disk. For more information on the KILL_CIH utility, refer to the following URL.

http://www.sarc.com/avcenter/kill_cih.html

Although NT system files can be infected, the virus cannot become resident or infect files on a Windows NT system. The virus also will not function under DOS, Windows 3.1 or on Macintosh computers. Once the virus is resident, CIH infects other files when they are accessed (e.g. when they are run or copied).

Files infected by CIH may have the same size as the original files because of CIH's unique mode of infection. The virus will search for empty, unused spaces in the file. Next it will break itself up into smaller pieces and insert them in these unused spaces. When NAV repairs a file infected by CIH, it looks for these small viral pieces and removes them from the file.

There are 3 known variants as of April 1999 that are all very similar. CIH Version 1.2 and Version 1.3 have a payload that will trigger on April 26th commemorating Chernobyl (the anniversary of the April 26, 1986 Soviet nuclear disaster). CIH Version 1.4 has a payload that will trigger on the 26th of any month. The payloads for all the versions of CIH are the same.

The first of two payloads has been designed to overwrite the hard disk with random data starting at the beginning of the disk (sector 0) using an infinite loop. The overwriting of the sectors will not stop until the system has crashed. As a result, your computer will not boot from the hard disk or floppy disk. Also the data that has been overwritten on your hard disk will be very difficult or impossible to recover. You will need to restore the data from backups.

The second payload will try to cause permanent damage to the computer. This payload attacks the Flash BIOS (a part of your computer that initializes and manages the relationships and data flow between the system devices, including the hard drive, serial and parallel ports and the keyboard) and will try to corrupt the data stored in the Flash BIOS. As a result, your computer may not display anything on the screen when you start up the system. Fixing this will require hardware repair on the computer.
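As an added illustration of the cavity-infection method described above (this is not part of the Symantec text or this page, and not a Symantec tool), the Python below reads a PE file's section table and reports any non-zero bytes in the zero-padding between each section's VirtualSize and SizeOfRawData, which is the "unused space" a cavity infector fills without changing the file size. The function names and the constructed sample executable are assumptions for the example; non-zero slack is only a heuristic that warrants a proper scan, not proof of CIH.

```python
import struct

# Hypothetical helper names for this example; not from the page or Symantec.

def section_slack_report(data: bytes):
    """Return [(section_name, slack_len, nonzero_in_slack)] for each section.
    'Slack' is the file region between VirtualSize and SizeOfRawData, which a
    normal linker leaves zero-padded; non-zero bytes there are a cavity-infection
    heuristic (the infection style the text describes), not a positive ID."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size                     # first 40-byte section header
    report = []
    for i in range(num_sections):
        off = sect_table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virt_size, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        if raw_size <= virt_size or raw_ptr == 0:         # no padding to inspect (e.g. .bss)
            report.append((name, 0, 0))
            continue
        slack = data[raw_ptr + virt_size:raw_ptr + raw_size]
        report.append((name, len(slack), sum(1 for b in slack if b)))
    return report

def suspicious_sections(data: bytes):
    """Names of sections whose zero-padding holds any non-zero bytes."""
    return [name for name, _, nz in section_slack_report(data) if nz]

def build_sample_pe(slack_fill: bytes) -> bytes:
    """Constructed minimal PE32 image: one .text section whose raw size (0x200)
    exceeds its 16-byte virtual size, with the padding filled as requested."""
    code = b"\xC3" * 16                                   # constructed section content
    raw_size = 0x200
    slack = (slack_fill * raw_size)[:raw_size - len(code)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    opt = b"\0" * 0xE0                                    # PE32 optional header, contents unused here
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    raw_ptr = 0x40 + 4 + 20 + len(opt) + 40               # section data follows the headers
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), 0x1000, raw_size,
                                         raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect + code + slack

if __name__ == "__main__":
    print(suspicious_sections(build_sample_pe(b"\0")))    # clean padding -> []
    print(suspicious_sections(build_sample_pe(b"\xEB")))  # filled padding -> ['.text']
```

On a real file, compare the report against a known-good copy of the same executable: identical size with newly non-zero slack is the pattern worth escalating to a full scan from clean boot media.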
 

Detection and Removal of the Virus

If the virus is present on your system, it is most likely loaded into active memory, in which case scanning the computer using a standard anti-virus program could cause the virus to spread.  We recommend that you download Symantec's free Kill_CIH tool, which can remove the virus from the active memory and allow you to safely remove the virus using a regular anti-virus program.

Any anti-virus software that has been updated or installed since April 1999 should be able to detect and clean the virus once the virus has been removed from active memory.  If you do not have any anti-virus software and you have a WAM account, you can download the McAfee anti-virus software from the Virus Notification Program.  After installing the McAfee software, we recommend that you update the software before scanning your system so that the anti-virus software can detect the latest viruses as well as W95.CIH.

NOTE:  If you discover that your computer is infected with the CIH virus but you are unable to clean the computer before April 26, simply leave the computer turned off for that day and restart the computer on April 27.
 

Further Details

For further details, visit:

Symantec:  W95.CIH
Network Associates:  W95/CIH.1003
Trend Micro:  PE_CIH

 
This page maintained by the Office of Information Technology Help Desk.
Last modified Tuesday, 11-Jul-2000 15:54:00 EDT
© 2002 University of Maryland