F-Secure Virus Descriptions : CIH
NAME: CIH
TYPE: Resident EXE-files
ALIAS: PE_CIH, CIHV, SPACEFILLER, VIN32, CHERNOBYL, TSHERNOBYL, TSERNOBYL
ORIGIN: Taiwan

UPDATE ON CIH.1106

In December 2002, over four years after the original CIH virus was discovered, a modified variant known as CIH.1106 was found. This minor version is not widespread.

The only way CIH.1106 might spread in any significant numbers is by infecting programs that are then sent via e-mail by other, more modern mass-mailer viruses such as Klez. In such a scenario a user would receive an infected e-mail whose executable attachment contains two viruses.

However, CIH.1106 (like other CIH versions) works only under Windows 95 and 98.

TECHNICAL DESCRIPTION

For more information on the CIH virus, see the Global CIH Virus Information Center at http://www.F-Secure.com/cih/

The CIH virus infects Windows 95 and 98 EXE files. Once an infected EXE is executed, the virus stays resident in memory and infects other programs as they are accessed.

The CIH virus was first located in Taiwan in early June 1998. Since then it has been confirmed to be in the wild worldwide, and it has been among the ten most common viruses for several months. CIH has spread very quickly because it has been distributed through pirated software.

It seems that at least four underground pirate software groups got infected with the CIH virus during summer 1998. They inadvertently spread the virus globally in new pirated software they released through their own channels. These releases included some new games, which spread worldwide very quickly. There is also a persistent rumor about a 'PWA-cracked copy' of Windows 98 infected with the CIH virus, but F-Secure has been unable to confirm this.

Later on, CIH was available by accident from several commercial sources, such as:

        Origin Systems website where a download
        related to the popular Wing Commander game was infected

        At least three European PC gaming magazines shipped magazines
        where the cover CD-ROM was infected - one of them even included
        a note inside advising users to disinfect their machines after
        using the CD-ROM

        Yamaha shipped an infected version of a firmware update software
        for their CD-R400 drives

        A widely spread demo version of the Activision game SiN was
        infected as well - this infection did not originate from
        the vendor

        IBM shipped a batch of new Aptiva PCs with the CIH virus
        pre-installed during March 1999, just a month before the
        virus activates destructively

What makes the CIH case really serious is its destructive payload. When the virus activates, it overwrites most of the data on the computer's hard drive. This data can only be recovered from recent backups.

However, the virus has another, unique activation routine: it tries to overwrite the Flash BIOS chip of the machine. If this succeeds, the machine will not boot at all until the chip is reprogrammed. The flash routine works on many types of Pentium machines, for example on machines based on the Intel 430TX chipset. On most machines the Flash BIOS can be write-protected with a jumper; by default, this protection is usually off, so it is worth checking the jumper setting before assuming a machine is safe.

The CIH virus infects Windows executable files (EXE files). It does not infect Word or Excel documents. CIH works under both Windows 95 and Windows 98, but it does not work under Windows NT.

CIH uses a peculiar way of infecting executables: the size of an infected file does not grow at all. The virus code itself is only around 1 kB. The virus also employs advanced tricks to jump from processor ring 3 to ring 0 in order to hook file system calls.

There are four known closely-related variants:

CIH v1.2 (CIH.1003): Activates on April 26th. This is the most common variant. It contains this text:

        CIH v1.2 TTIT

CIH v1.3 (CIH.1010.A and CIH.1010.B): Activates on June 26th. Contains this text:

        CIH v1.3 TTIT

CIH v1.4 (CIH.1019): Activates on the 26th of every month. It is in the wild, but not particularly common. It contains this text:

        CIH v1.4 TATUNG
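
As an added example (not code from F-Secure or from this page), the following Python script shows what "the size of the infected file does not grow" means in PE terms, and how the variant marker strings listed above can be used to tell which CIH version is present. It assumes the well-documented "space filler" technique that the SPACEFILLER alias refers to: virus code written into the alignment padding between the end of a section's real contents (VirtualSize) and its FileAlignment-rounded SizeOfRawData, so the file keeps its original length. The PE image it scans is constructed inline and is not a real or executable binary; the function names and the sample layout are the editor's own assumptions. Whether a real sample keeps its marker string in one section's slack is not something this page states, so treat the marker scan as illustration of the idea rather than signature-grade detection; the marker-independent check (non-zero bytes in padding) is the part a practitioner would actually keep.

```python
import struct

# Marker strings and activation dates taken from the variant list on this page.
CIH_VARIANTS = {
    b"CIH v1.2 TTIT":   ("CIH.1003", "April 26th"),
    b"CIH v1.3 TTIT":   ("CIH.1010", "June 26th"),
    b"CIH v1.4 TATUNG": ("CIH.1019", "26th of every month"),
}


def parse_sections(data):
    """Return (FileAlignment, [(name, VirtualSize, SizeOfRawData, PointerToRawData), ...])
    from a PE32 image, using only the fixed header layout (no external library)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    file_align = struct.unpack_from("<I", data, opt + 36)[0]   # FileAlignment field of the optional header
    table = opt + opt_size                                      # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, rawsize, rawptr))
    return file_align, sections


def section_slack(data):
    """Yield (section_name, slack_bytes): the padding between the end of a section's
    real contents (VirtualSize) and its FileAlignment-rounded SizeOfRawData.
    A space-filler infector writes its code here, which is why the infected
    file is not one byte larger than the clean one."""
    _, sections = parse_sections(data)
    for name, vsize, rawsize, rawptr in sections:
        if vsize < rawsize:
            yield name, data[rawptr + vsize: rawptr + rawsize]


def scan_for_cih(data):
    """Report CIH variant markers found inside section slack."""
    hits = []
    for name, slack in section_slack(data):
        for marker, (variant, activation) in CIH_VARIANTS.items():
            if marker in slack:
                hits.append({"section": name, "variant": variant,
                             "marker": marker.decode(), "activates": activation})
    return hits


def suspicious_slack(data):
    """Marker-independent heuristic: alignment padding is normally all zeros, so any
    section whose slack contains non-zero bytes deserves a closer look."""
    return [name for name, slack in section_slack(data) if any(slack)]


def build_sample_pe(slack_payload=b""):
    """CONSTRUCTED test image (not a real program, not executable): one .text section
    with 0x100 bytes of stand-in code and 0x100 bytes of alignment padding, optionally
    with slack_payload planted in the padding the way a space filler would."""
    file_align = 0x200
    code = b"\xC3" * 0x100                                          # 'ret' bytes standing in for real code
    vsize, rawsize, rawptr = len(code), file_align, 0x200           # raw size rounded up to FileAlignment
    padding = bytearray(rawsize - vsize)
    if len(slack_payload) > len(padding):
        raise ValueError("payload does not fit in the slack")
    padding[:len(slack_payload)] = slack_payload
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # DOS header, e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, one section, PE32 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)                         # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)                     # FileAlignment
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", vsize, 0x1000, rawsize, rawptr) + bytes(24)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(rawptr, b"\0")
    return headers + code + bytes(padding)


if __name__ == "__main__":
    clean = build_sample_pe()
    infected = build_sample_pe(b"CIH v1.2 TTIT")
    print("sizes:", len(clean), len(infected))        # identical: the infection adds no bytes
    print("clean:", scan_for_cih(clean), suspicious_slack(clean))
    print("infected:", scan_for_cih(infected), suspicious_slack(infected))
```

Running the script prints two equal file sizes for the clean and "infected" images, no findings for the clean one, and a CIH.1003 hit in the `.text` slack for the other. The same slack computation applies to any PE whose sections have VirtualSize smaller than SizeOfRawData, which is nearly all of them; that unused padding is exactly the room a 1 kB virus needs without changing the file length.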

CIH can be successfully disinfected from memory and from files using a fresh version of FSAV and the latest updates for it.

http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml

You can also use a free version of F-Prot for DOS to disinfect CIH. In this case you will have to perform the disinfection from pure DOS.

ftp://ftp.europe.F-Secure.com/anti-virus/free/
ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/

Note on disinfection: If you're using F-Secure Anti-Virus for Windows 95 v4.02, you need to exit Windows to disinfect CIH. Choose Start/Restart in MS-DOS mode, then run FSAV for DOS from the FSAV CD-ROM and disinfect your hard drive with it.

[Mikko Hypponen, Alexey Podrezov, F-Secure Corp.; 1998-2002]