|Home||Switchboard||Unix Administration||Red Hat||TCP/IP Networks||Neoliberalism||Toxic Managers|
|May the source be with you, but remember the KISS principle ;-)|
The CIH virus goes by several names. These include Win95/CIH, PE_CIH, CIHV, W32. SPACEFILLER CIH, and probably a few others. CIH virus infects Windows 95 and 98 EXE files. After an infected EXE is executed, the virus will stay in memory and will infect other programs as they are accessed. The CIH virus was first located in Taiwan in early June 1998. After that, it has been confirmed to be in the wild in at least France, Germany, The Netherlands, Sweden, China, Israel, Chile and Australia. CIH has been spreading very quickly as it has been distributed through pirated software. It seems that at least four underground pirate software groups got infected with the CIH virus, and they inadvertently spread the virus globally in new pirated software they released through their own channels. These releases include some new games which will spread world-wide very quickly. There's also a persistent rumor about a 'PWA-cracked copy' of Windows 98 which would be infected by the CIH virus but Data Fellows has been unable to confirm this.
What makes the CIH case really serious is that the virus activates destructively. When it happens the virus overwrites most of the data on the computers hard drive. This can be recovered with recent backups. However, the virus has another, unique activation routine: It will try to overwrite the Flash BIOS chip of the machine. If this succeeds, the machine will be unable to boot at all unless the chip is reprogrammed. The Flash routine will work on many types of Pentium machines - for example, on machines based on the Intel 430TX chipset. On most machines, the Flash BIOS can be protected with a jumper. By default, protection is usually off.
The CIH virus infects Windows executable files (EXE files). It does not infect Word or Excel documents. CIH works under both Windows 95 and Windows 98, but it does not work under Windows NT. CIH uses a peculiar way of infecting executables. As a result, the size of the infected files does not grow at all. The actual size of the virus code is around 1 kB. The virus also employs advanced tricks in jumping from processor ring 3 to ring 0 in order to hook file system calls.
The CIH virus attempts to ERASE the writable FLASH BIOS of infected PC's, and also overwrites the first 2,048 sectors (1,048,576 bytes) of all of the system's available non-removable writable disk drives! While this behavior places the CIH virus among the nastiest of all viruses, the damage is more recoverable than at first appears:
Flash BIOS Recovery:
We have been told by knowledgeable experts that most PC motherboards do not provide any means for recovering from the loss of their Flash BIOS EEROM. (Those that do are not vulnerable to CIH's erasure in the first place.) You should contact your PC motherboard manufacturer to determine whether your system can have its EEROM repaired. (Many thanks to Nick FitzGerald for sharing his accurate information.)
(Please note that Gibson Research Corporation has no special expertise in Flash BIOS recovery so we can not help you there. If your system's Flash BIOS was erased you must either move your hard drive to a system with a working motherboard or repair your BIOS before proceeding to consider the recovery of your system's hard drive.)
Hard Drive Recovery:
The CIH virus erases the first 2,048 sectors (1 megabyte) of each of the system's non-removable and writable disk drives. While this is certainly troublesome, the damage is very often 100% reversible and recoverable! (This is especially true if the drive contained multiple partitions, since only the first partition was truly damaged. See below.)
How is it possible to recover the loss of the first 1 million bytes of a hard disk drive? The "front" of a DOS/Windows hard disk drive contains the following crucial information:The Partition Table -- Also know as the "Master Boot Record" or MBR.
This single sector describes the major subdivisions (partitions) of the drive. In typical, simple, systems it specifies a single large partition that encompasses the entire drive.
The First Partition's Boot Sector(s) -- Also known as the "Boot Sector".
One or six sectors which specify the layout of the balance of the partition, including the exact location of the following items:
The File Allocation Table(s) -- Also known as the "FAT".
A permanent, contiguous, block of sectors used by the operating system to manage the sub-allocation of space within the partition. This information is so critical and non-recoverable that two complete, identical, FAT tables are maintained.
The Root Directory -- Also known as the "Root".
A block (or chain) of sectors which contains the information used to manage the root directory files and sub-directories.
Recovering from the Loss of the First Megabyte:
Of all the data outlined above, only the FAT and Root directory contain vital information which cannot be "reverse engineered" from the existing system. Since the FDISK and FORMAT programs created the Partition Table and Boot Sectors respectively out of nothing, it stands to reason that they could be similarly re-created from nothing.
The restoration of the drive's Partition Table (which is the first thing Steve's new FREEWARE program does) will immediately restore the drive's partitions to existence. Although the CIH virus does extensive damage to the first partition, subsequent partitions are left completely intact!
Recovering the Drive's First Partition:
After the drive's partition table has been restored and any partitions beyond the first have been brought back into existence, we are still left with the extensive damage done to the first partition.
With the advent of 32-bit File Allocation Tables (FAT32) the FAT tables became quite large ... and this is the second part of the secret behind completely recovering from the loss of the first megabyte of the hard drive.
For example, a one gigabyte drive (or partition) formatted with a 32-bit FAT will consist of approximately 262,144 clusters of 4,096 (4k) bytes each. Since each FAT table entry requires 32-bits, or four bytes, a single copy of the FAT for a one gigabyte drive will require exactly one megabyte of sectors!
So, since just the first copy of a 32-bit FAT for a one gigabyte drive requires one megabyte of storage, and since the CIH virus only erases the first one megabyte of the drive, the large size of this first FAT table pushes the entire second copy of the FAT and the root directory fully out of harm's way!
This means that by first reconstructing the Partition Table and the Boot Sectors and then copying the second (preserved) copy of the FAT down into the space where the first copy belongs ... the first partition of the drive (if it's at least one gigabyte and FAT32 format) can be completely reconstructed and recovered!
‘I Didn’t Mean It’
CIH, also known as Chernobyl or Spacefiller, is a Microsoft Windows computer virus which first emerged in 1998. It is one of the most damaging viruses, overwriting critical information on infected system drives, and more importantly, in some cases corrupting the system BIOS. The virus was created by Chen Ing-hau (陳盈豪, pinyin: Chén Yíngháo) who was a student at Tatung University in Taiwan. 60 million computers were believed to be infected by the virus internationally, resulting in an estimated $1 billion US dollars in commercial damages.
Chen claimed to have written the virus as a challenge against bold claims of antiviral efficiency by antivirus software developers. Chen stated that after the virus was spread across Tatung University by classmates, he apologized to the school and made an antivirus program available for public download; the antivirus program was co-authored with Weng Shi-hao (翁世豪), a student at Tamkang University. Prosecutors in Taiwan could not charge Chen at the time because no victims came forward with a lawsuit. These events led to new computer crime legislation in Taiwan.
The name "Chernobyl Virus" was coined some time after the virus was already well known as CIH, and refers to the complete coincidence of the payload trigger date in some variants of the virus (actually the virus creation date in 1998, to trigger exactly a year later) and the Chernobyl accident, which happened in the Ukrainian SSR on April 26, 1986.
In September 1998, Yamaha shipped a firmware update to their CD-R400 drives that was infected with the virus. In October 1998, a demo version of the Activision game SiN was infected by one of its mirror sites. In March 1999, several thousand IBM Aptivas shipped with the CIH virus, just one month before the virus would trigger.
CIH's dual payload was delivered for the first time on April 26, 1999, with most of the damage occurring in Asia. CIH filled the first 1024 KB of the host's boot drive with zeros and then attacked certain types of BIOS. Both of these payloads served to render the host computer inoperable, and for laymen the virus essentially destroyed the PC. Technically, however, it was possible to replace the BIOS chip, and methods for recovering hard disk data emerged later.
Today, CIH is not as widespread as it once was, due to awareness of the threat and the fact it only affects older Windows 9x (95, 98, Me) operating systems.
The virus made another comeback in 2001 when a variant of the LoveLetter Worm in a VBS file that contained a dropper routine for the CIH virus was circulated around the internet, under the guise of a nude picture of Jennifer Lopez.
A modified version of the virus called CIH.1106 was discovered in December 2002, but it is not considered a serious threat.
The creator Chen Ing-hau later worked as a developer for Gigabyte Communications, a subsidiary of Gigabyte Technology.
CIH spreads under the Portable Executable file format under Windows 95, 98, and ME. CIH does not spread under Windows NT-based operating systems. CIH infects Portable Executable files by splitting the bulk of its code into small slivers inserted into the inter-section gaps commonly seen in PE files, and writing a small re-assembly routine and table of its own code segments' locations into unused space in the tail of the PE header. This earned CIH another name, "Spacefiller". The size of the virus is around 1 kilobyte, but due to its novel multiple-cavity infection method, infected files do not grow at all. It uses methods of jumping from processor ring 3 to 0 to hook system calls.
The payload, which is considered extremely dangerous, first involves the virus overwriting the first megabyte (1024KB) of the hard drive with zeroes, beginning at sector 0. This deletes the contents of the partition table, and may cause the machine to hang.
The second payload tries to write to the Flash BIOS. Due to what may be an unintended feature of this code, BIOSes that can be successfully written to by the virus have critical boot-time code replaced with junk. This routine only works on some machines. Much emphasis has been put on machines with motherboards based on the Intel 430TX chipset, but by far the most important variable in CIH's success in writing to a machine's BIOS is the type of Flash ROM chip in the machine. Different Flash ROM chips (or chip families) have different write-enable routines specific to those chips. CIH makes no attempt to test for the Flash ROM type in its victim machines, and has only one write-enable sequence.
For the first payload, any information that the virus has overwritten with zeros is lost. If the first partition is FAT32, and over about one gigabyte, all that will get overwritten is the MBR, the partition table, the boot sector of the first partition and the first copy of the FAT of the first partition. The MBR and boot sector can simply be replaced with copies of the standard versions, the partition table can be rebuilt by scanning over the entire drive and the first copy of the FAT can be restored from the second copy. This means a complete recovery with no loss of user data can be performed automatically by a tool like Fix CIH.
If the first partition is not FAT32 or is smaller than 1GB the bulk of user data on that partition will still be intact but without the root directory and FAT it will be difficult to find it especially if there is significant fragmentation.
If the second payload executes successfully, the computer will not start at all. A technician is required to reprogram or replace the Flash BIOS chip, as most systems that CIH can affect predate BIOS restoration features.
This variant is the most common one and activates on April 26th.
It contains the string: CIH v1.2 TTIT
CIH v1.3/CIH.1010A and CIH1010.B
This variant also activates on April 26. It contains the string: CIH v1.3 TTIT
This variant acts on the 26th of any month. It is still in the wild, although it is not that common. It contains the string CIH v1.4 TATUNG.
This variant activates on August 2 instead of April 26.
Top Visited Switchboard Latest Past week Past month
Old News ;-)
CIH explodes, destroys my PC.Suprisingly, I wasn't that pissed when I got home for lunch today and got the BSOD from my video crashing. I knew exactly what it was. CIH!!!!
I proceeded to reboot........
Please insert system diskette. Hit enter to rebootNothing. Everything is gone. Inserted floppy with DOS on it......
Invalid system disketteI'm still not pissed. So I insert my Windows98 CD, and begin re-installing.
Why am I not pissed? Because Linux is on another machine. The only thing I used Windows for was Cakewalk, which I had backed up.
I have to blame something/someone. Here's my list.
#1. Norton Antivirus:
Norton has detected CIH twice. I removed it twice. Last night even. Didn't matter, it still wacked me. Norton itself got infected with CIH on the floppy last night.
#2. Me. Ok, maybe I really didn't give a **** about losing anything from a virus on my Windows machine. I also forgot to power the machine off last night, "just in case". But oh well.
#3. Windows9x. How can an OS be so poorly designed that this is even a plausible circumstance? Ever wonder why Linux doesn't have Anti-virus programs? User space. Simple concept, yet brilliant.
- Office98 - who cares? But I don't have the CD anymore, so oh well.
- Frontpage98 - Didn't really use it anyway, but it's nice to have.
- 2,000 instrument samples. Guess what I'll be doing this weekend.
I'm currently debating whether or not to throw in the towel on Windows altogether. The only reason I use it now is for a couple of games and Cakewalk. I found a similar sound editing program for Linux, but it's not as polished as Cakewalk. I also haven't played a PC game in about 5 months. (Playstation through my TV tuner card)
Comments welcome....Like HardwareCentral?
Interested in Linux?
Check out HardwareCentral's sister site:
Features Ultimate BBS, caters to newbies!
Chernobyl Sob Story
This is topic Chernobyl Sob Story in forum The Flameboard at Flare Sci-Fi Forums.
To visit this topic, use this URL:
Posted by The_Tom (Member # 38) on April 26, 1999 09:02 PM:
None of the news sources are making any sort of deal about Chernobyl, the latest version of the CIH virus that struck today. In the words of ZDNet:quote:
'Chernobyl' bug generates little fallout.
The CIH virus celebrates its first anniversary by striking some computers, but fails to live up to media hype.
Well screw them.
I woke up this morning to a scene of horror on campus.
First of all, lets just say I live in on an island when it comes to access to breaking news. I, of all people, had not heard of the CIH threat. Even our SysAdmins hadn't given it any more weight than any other overblown myth that circulates around the net. That being said, we had up-to-date antivirus protection, so even those who did hear about it weren't afraid.
We got screwed anyway, and I mean screwed badly.
So what is this little beast? The CIH virus originated in Taiwan and spread there over bootlegged copies of Win95 and 98. It then spread to everything else there. On the 26th of every month it pulls a cute little move that results in your entire drive losing everything. The latest version got dubbed 'Chernobyl' as April 26th is the 13th anniversary of the Ukrainian nuclear meltdown. Besides, I couldn't come up with a better name for a virus that essentially melts down your computer.
We have a large Asian population on Student Visas from Taiwan, Hong Kong and Korea, etc. Thus it stands to reason that our campus was probably the biggest hot spot for CIH outside of Asia. And thanks to one of the highest CD Burner to student ratios in the world and a general cross-pollination of files of all sorts, lets just say that the casualties were high and could have been much higher.
The little bastard got onto the network I dunno how long ago and since that fateful day got passed onto everyone. Come this morning, whoever booted up got absolutely nuked. The Admins managed to save the network before we lost the server or our personal partitions on the network drive, but the network is out indefinately. I'm accessing the forums via a little loophole thanks to a standalone Citrix Winterm system running NT.
There were also heavy losses on personal machines. My roomate, all his friends, and more than a dozen others I can recall offhand lost everything. There were heavy losses amongst the staff as well... the Math Dept.'s system went belly up.
The strange thing is that no Anti-Viruses picked it up even though Symantic and McAfee have had protection ever since last August, leading me to believe this was a mutant.
The moral of the story?
Be afraid. Be very afraid.
�������������-The Breen at Internment Camp 371
Posted by Coddman (Member # 10) on April 26, 1999 09:16 PM:
YOU'RE TELLING ME? *LOL*.....
I was ONLINE when CIH.SPACEFILLER (A.K.A. "Chernobyl") v1.4 hit my computer. I was happily chatting on ICQ.......BOOM. 12:00Am. The virus spreaded through my system like wildfire, occupying every EXE in it's path. The funny thing is it didn't delete anything. It didn't wipe my F.A.T. It didn't clear my partitions. It didn't even wipe my Flash BIOS.......all it did was "squat" in EXE files and render them useless. Anyway, I went and got McCrappy's latest AntiVirus Software. It works like a charm, and I am now free of the virus, with no harm whatsoever done. I tell ya, when it comes to viruses, I am one lucky son of a *****. Anyway.....here's the beef!!!! If you have WIN95.CIH.SPACEFILLER (AKA "Chernobyl") v1.4, YOU'RE TELLING ME? *LOL*.....
I was ONLINE when CIH.SPACEFILLER (A.K.A. "Chernobyl") v1.4 hit my computer. I was happily chatting on ICQ.......BOOM. 12:00Am. The virus spreaded through my system like wildfire, occupying every EXE in it's path. The funny thing is it didn't delete anything. It didn't wipe my F.A.T. It didn't clear my partitions. It didn't even wipe my Flash BIOS.......all it did was "squat" in EXE files and render them useless. Anyway, I went and got McCrappy's latest AntiVirus Software. It works like a charm, and I am now free of the virus, with no harm whatsoever done. I tell ya, when it comes to viruses, I am one lucky son of a *****. Anyway.....here's the beef!!!! If you have WIN95.CIH.SPACEFILLER (AKA "Chernobyl") v1.4, CLICK THIS RESCUE LINK!!!!. It is McCrappy's (Network Associates McAfee) latest VirusScan - version 4.0.2. It will rid your system of CIH, assuming you have any system left. It also has a funny newbie interface, to boot! Download Now from Shareware.Com
I didn't do it. Nobody saw me do it. You can't prove a thing. :-) ....
http://codychat.hypermart.net/mahsurvey/ : Do you use a 28.8? A 56.6?
BTW most motherboards can have their flash memory write-disabled, making them immune to the virus attempt to overwrite flash BIOS memory -- that what customers need to do first. See also BIOS Virus Turns PCs into Paperweights for mass media level discussion about the virus.
Doom Nation Stuff - Covaro
Another victim of the CIH plague. The DoomBot sources have been lost. All that was left is a copy of the version 2.4 beta. Well at least all wasn't lost.
Mordeth News - Linguica
The Mordeth TC Site has a quick update explaining the status of the Mordeth port's source code. Was it spared the wrath of the CIH virus? Will Gaston be tearing out his hair? Go see!
Google matched content
CIH (computer virus) - Wikipedia, the free encyclopedia
Why no really destructive virus?
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.
ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least
Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.
Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info|
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: September, 12, 2017