Extent of Damage of the CIH virus
The CIH virus (AKA Chernobyl)
The CIH virus is also known as the Chernobyl virus. The name Chernobyl comes from the
fact that it activates its payload on the 26th of April, the anniversary of the
Chernobyl incident. I think there is no computer user in the world who hasn't heard of
this virus, as it caused great havoc throughout the world this year at that time.
I am pointing out some facts about this virus and presenting them in a more or less easy
to understand manner.
Characteristics:
- The virus infects 32-bit Windows 95/98/NT EXE files, known as PE (Portable Executable)
files. Normal DOS EXE files are therefore not infected.
- It works only in the Windows 95/98 environment and does not become active in DOS mode.
If the system is rebooted in MS-DOS mode there is no possibility of damage and the virus
will not spread. Under Windows NT an error is produced when an infected EXE is run; the
virus cannot operate under Windows NT because of the protection NT provides.
- The virus is also known as Win95.Spacefiller because of its space-filling technique. When
CIH infects an EXE file it looks for unused space inside the file and fits itself in. If a
large enough contiguous space is not found, it breaks itself up into several chunks and
reassembles them when the infected file is executed. Because of this, the size of the
infected EXE file does not change.
- The virus code is approximately 1 KB long.
- When executed it becomes memory resident and infects every EXE file that is accessed
afterwards (including files that are merely copied).
Variants:
- The virus has three variants: versions 1.2, 1.3 and 1.4. Versions 1.2 and 1.4 are the
most widely spread. The payload of version 1.4 is more dangerous, as it can attack on the
26th of every month.
Payloads (damage):
- Damages the Flash BIOS by reprogramming a part of it, leaving the system inoperable.
When a computer with a damaged BIOS is switched on it shows only a short text or the
screen remains blank.
- Overwrites the first portion of the first hard disk, rendering it inaccessible. The MBR
(master boot record), the boot sector and the FAT of the first partition are severely
damaged by being overwritten with random data. Work shows that the current variants only
overwrite the first 2048 sectors (1 MB).
- Versions 1.2 and 1.3 attack on the 26th of April every year. Version 1.4 is said to
attack on the 26th of every month.

The virus mainly affects the hard disk by erasing a vital portion of it, which makes the
disk inaccessible even when booted from a floppy. The first portion of a hard disk
contains the MBR (master boot record), which holds the partition table. This is also where
a small program resides that searches the hard disk for a bootable partition (one that
contains a bootstrap routine able to load the operating system). The partition table
stores all information about the size of the disk and its logical partitions (the separate
drives you see, such as C, D and E, which are not physically separable). The virus also
damages the FAT of the first partition (usually drive C). FAT stands for file allocation
table; it stores a map of how the storage of the disk is used by the different files. By
damaging these vital portions the virus leaves the operating system completely unaware of
what is inside the hard disk. In the case of FAT16, both copies of the FAT are completely
wiped out.
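As an added example (not part of this page or of MRECOVER), the following Python check reads the partition table of an MBR sector and reports whether sector 0 still looks intact or has been overwritten with junk, as happens in the damage described above. The two sample sectors are constructed inline; the disk size passed to the check is an assumption of the caller.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55        # stored as bytes 55 AA at offset 510
PART_TABLE_OFF = 446          # four 16-byte entries follow the boot code

def parse_partition_table(sector0: bytes) -> list:
    """Decode the four primary partition entries of an MBR sector."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        boot, _chs1, ptype, _chs2, lba_start, nsectors = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        entries.append({"boot": boot, "type": ptype,
                        "lba_start": lba_start, "sectors": nsectors})
    return entries

def mbr_looks_intact(sector0: bytes, disk_sectors: int) -> bool:
    """Heuristic: does sector 0 still look like a valid MBR?

    A sector overwritten with random data almost always fails the 0x55AA
    signature test, and its partition entries do not satisfy the basic
    consistency rules below (sane boot flag, non-zero extent, inside the disk).
    """
    if len(sector0) != SECTOR:
        return False
    if struct.unpack_from("<H", sector0, SECTOR - 2)[0] != MBR_SIGNATURE:
        return False
    used = [e for e in parse_partition_table(sector0) if e["type"] != 0]
    if not used:
        return False
    for e in used:
        if e["boot"] not in (0x00, 0x80):
            return False
        if e["lba_start"] == 0 or e["sectors"] == 0:
            return False
        if e["lba_start"] + e["sectors"] > disk_sectors:
            return False
    return True

def sample_intact_mbr() -> bytes:
    """Constructed sample: one bootable FAT16 partition (type 0x06) starting
    at LBA 63 and spanning 1,048,513 sectors; boot code and CHS fields zeroed."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x06, b"\0\0\0", 63, 1048513)
    return bytes(PART_TABLE_OFF) + entry + bytes(48) + b"\x55\xAA"

def sample_damaged_mbr() -> bytes:
    """Constructed sample: sector 0 after being overwritten with junk, built
    from a fixed pseudo-random pattern so the example is repeatable."""
    return bytes((i * 37 + 11) & 0xFF for i in range(SECTOR))
```

On a real disk the same check would be run on the first 512 bytes read from the raw device, with the disk's sector count taken from the drive geometry.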
If any of you are infected with virus strains that you think are similar to CIH, please
forward the infected files to the following address so that I can examine them. This will
enable me to check for new CIH versions and clones. Thanks.
Copyright ©1999, Monirul Islam Sharif
Last Modified Friday, May 28, 1999.