©1995-2009 Symantec Corporation.
All rights reserved.


W95.CIH

Category 2


Due to decreased submissions, Symantec Security Response has downgraded this threat level to 2 from 3 as of March 30, 2004.

The CIH virus, also known as Chernobyl, was first discovered in June 1998 in Taiwan. According to the Taipei authorities, Chen Ing-hau wrote the CIH virus. The name of the virus is derived from his initials.

CIH is a destructive virus with a payload that destroys data. On April 26, 1999, the payload triggered for the first time, causing many computer users to lose their data. In Korea, it was estimated that as many as one million computers were affected, resulting in more than $250 million in damages.

Although the virus is rather old, Symantec still believes the virus is in the wild and may cause damage to computer users who use outdated virus definitions, or who do not use antivirus software.


Also Known As: Chernobyl, PE_CIH, Win95.CIH, Win32.CIH, W95/CIH.1003, CIH.Spacefiller
Type: Virus
Infection Length: Up to 1KB
Systems Affected: Windows 95, Windows 98, Windows Me
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 2000, Windows NT, Windows XP

protection
  • Virus Definitions (LiveUpdate™ Weekly): June 28, 1998
  • Virus Definitions (Intelligent Updater): June 28, 1998

    threat assessment

    Threat Metrics

    • Wild: Low
    • Damage: High
    • Distribution: Medium

    Damage

    • Payload Trigger: W95.CIH V1.2 and V1.3 (April 26), W95.CIH V1.4 (26th of any month)
    • Payload: Destroys data and causes possible damage to CMOS

    technical details

    CIH is a virus that infects the 32-bit Windows 95/98/NT executable files, but can function only under Windows 95/98 and ME. It does not function under Windows NT or Windows 2000. When an infected program is run under Windows 95/98/ME, the virus becomes resident in memory. To remove the virus, do one of the following:

    • Recommended method: Use the Symantec Security Response CIH Removal Tool, which removes the virus from memory and prevents the need to reboot from a clean system disk.
    • Reboot the computer from a Rescue Disk.
    • Reboot the computer from the Norton AntiVirus (NAV) 2001/2002 CD, if your computer allows this option.

    If this is not done, the virus will infect every file scanned with Norton AntiVirus or with any antivirus program.

    Although Windows NT system files can be infected, the virus cannot become resident or infect files on a computer running Windows NT or Windows 2000. The virus does not function under DOS, Windows 3.1, or on Macintosh computers. Once the virus is resident, the CIH virus infects other files when accessed.

    The files infected by CIH may have the same size as the original files, due to the unique infection mode of CIH. The virus searches for empty, unused spaces in the file. Next, it breaks itself up into smaller pieces and inserts its code into these unused spaces. When NAV repairs a file infected by CIH, it looks for these small viral pieces and removes them from the file.
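The cavity-filling infection mode just described is why an infected file can keep its original size. As an added illustration, not part of Symantec's write-up or of any Symantec tool, the following Python parses a PE section table, measures the slack between each section's VirtualSize and SizeOfRawData, and reports sections whose slack holds non-zero bytes; the sample PE it builds is a constructed minimal image, and the check is a generic cavity heuristic rather than a CIH signature.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # 40-byte IMAGE_SECTION_HEADER

def pe_cavities(data):
    """Walk the PE section table and measure each section's on-disk slack:
    the zero-padded region between VirtualSize and SizeOfRawData that a
    cavity infector such as CIH can fill without changing the file size.
    Returns [(section_name, slack_bytes, nonzero_bytes_in_slack), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size            # 4-byte sig + 20-byte COFF header
    out = []
    for i in range(nsect):
        fields = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = fields[1:5]
        if rsize > vsize:                     # slack exists only when raw > virtual
            slack = data[rptr + vsize: rptr + rsize]
            out.append((name, rsize - vsize, sum(1 for b in slack if b)))
    return out

def suspicious_sections(data):
    """Names of sections whose slack is not all zero: worth a closer look."""
    return [name for name, _slack, nonzero in pe_cavities(data) if nonzero]

def build_sample_pe(slack_payload=b""):
    """Constructed sample (not a real program): a minimal PE32 with one .text
    section, VirtualSize 16 but SizeOfRawData 512, so 496 bytes of slack.
    slack_payload is written into that slack to mimic a cavity infection."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew -> PE header at offset 64
    opt_size = 224                            # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    sect = SECTION_HDR.pack(b".text", 16, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + coff + bytes(opt) + sect
    header += b"\0" * (512 - len(header))     # pad headers to FileAlignment
    body = bytearray(b"\x90" * 16 + b"\0" * 496)
    body[16:16 + len(slack_payload)] = slack_payload
    return header + bytes(body)
```

Some linkers pad sections with non-zero fill bytes, so non-zero slack is a triage signal to pair with a signature scan, not proof of infection.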

    As of April 1999, three known, similar variants of this virus exist. CIH versions 1.2 and 1.3 have a payload that triggers on April 26, commemorating Chernobyl, the Soviet nuclear disaster, which occurred on April 26, 1986. CIH version 1.4 has a payload that triggers on the 26th of any month. The payloads of all the versions of CIH are the same.

    The first payload overwrites the hard disk with random data, starting at the beginning of the disk (sector 0) using an infinite loop. The overwriting of the sectors does not stop until the system has crashed. As a result, the computer will not boot from the hard disk or floppy disk. Also, the data that has been overwritten on the hard disk will be very difficult or impossible to recover. You must restore the data from backups.

    The second payload tries to cause permanent damage to the computer. This payload attacks the Flash BIOS (a part of your computer that initializes and manages the relationships and data flow between the system devices, including the hard drive, serial and parallel ports, and the keyboard) and tries to corrupt the data stored there. As a result, nothing may be displayed when you start the computer. A computer technician would need to fix this.

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

    removal instructions

    There are two ways to remove this virus:

    • Recommended method: Run the CIH removal tool, and then scan with Norton AntiVirus.
    • Reboot from a Rescue Disk or from a bootable CD-ROM drive using the Norton AntiVirus 2001/2002 CD.

    Recommended removal procedure
    The easiest way to remove this virus is to run the CIH removal tool, and then scan with NAV. The CIH removal tool safely detects and removes all the known strains (as of August 3, 1998) of the W95.CIH (Chernobyl) virus from memory in Windows 95 and Windows 98. If you run this tool before the virus infects your system, the tool will inoculate the computer's memory to prevent the W95.CIH virus from infecting your system until the next system restart.

    CAUTION:
    • If the computer is infected with the W95.CIH virus, run the CIH removal tool before you try to update your antivirus definitions or scan your system. If you try to scan an infected system with an antivirus product without first running this tool, you risk spreading the infection. Once you have used this tool, you can safely scan the computer.
    • The CIH removal tool will not detect or remove the W95.CIH virus from files. It disables the virus in memory, so that Norton AntiVirus can remove the infection without inadvertently spreading the virus.

    You can run the CIH removal tool from either the DOS command line or from a login script, which enables a network administrator to automate the disinfection process. Follow these steps:
    1. Download and run the CIH removal tool, according to the instructions on the download page. Do not restart the computer until you are instructed to do so.
    2. Run LiveUpdate to make sure that you have the most recent virus definitions.
    3. Start NAV and make sure that it is configured to scan all the files. For instructions, read the document, "How to configure Norton AntiVirus to scan all files."
    4. Run a full system scan.
    5. If any files are detected as infected by W95.CIH, click Repair. If NAV reports that a file cannot be repaired, write down the file name, and then click Delete.


    Alternate removal procedure
    This removal procedure will remove the virus without the use of the tool:
    1. Do one of the following:
      • If your computer can boot from the CD-ROM drive and you are using Norton AntiVirus 2001 or later:
        1. Place your Norton AntiVirus CD into the CD-ROM drive and restart the computer.
        2. When the menu appears, proceed to scan and repair viruses.
        3. When the scan has finished, remove the CD from the CD-ROM drive and restart the computer.
        4. Start Norton AntiVirus (NAV) and make sure that NAV is configured to scan all the files. For instructions, read the document, "How to configure Norton AntiVirus to scan all files."
        5. Run a full system scan.
        6. If any files are detected as infected by W95.CIH, click Repair.
      • If your computer cannot boot from the CD-ROM drive, or if you are using Norton AntiVirus 2000 or earlier:
        1. Install Norton AntiVirus on an uninfected computer.
        2. Run LiveUpdate, and then run a full system scan.
        3. On the NAV toolbar, click Rescue.
        4. Follow the prompts to create a Basic Rescue set.
        5. Take the completed Basic Rescue set to the infected computer and insert the "Basic Rescue Boot Disk" into the floppy disk drive. Restart the computer.
        6. When the Rescue Disk window appears, use the arrow keys on the keyboard to select Norton AntiVirus.
        7. On the command line at the bottom of the window, edit the line to read as:

          navdx /a /b+ /m+ /repair /cfg:a /log:c:\nvreplog.txt

          and then press Enter.
        8. After the scan has finished, repeat steps 6 through 8, this time editing the command line to read as:

          navdx /a /b+ /m+ /delete /cfg:a /log:c:\nvdellog.txt

          and then press Enter.
        9. When the scan has finished, the removal process is complete. Remove all the disks from the disk drives, and then restart the computer.
        10. Start NAV and make sure that it is configured to scan all the files. For instructions, read the document, "How to configure Norton AntiVirus to scan all files."
        11. Run a full system scan.
        12. If any files are detected as infected by W95.CIH, click Repair.

    Additional information:

    Recovering after the payload has been delivered
    The virus can do two things when it executes on the 26th day of the month:
    • It can overwrite critical data areas in the first 2,048 sectors of your hard disk. If this happens, you will see a "non-system disk" message when the computer boots from the hard drive, or an "invalid media" message when you try to boot from a system floppy disk or from a Rescue disk. To recover using Norton Utilities:
      • If you have the current Norton Utilities (NU) or Norton AntiVirus Rescue disks, use them to restore the Partition and Boot Record information, and then run Norton Utilities Unformat.
      • If you purchased NU after the infection and had more than one partition on the affected disk, then try to run ndd /rebuild from the Emergency Disk, and then run Unformat.
      • If you had only one partition, then you may need to contact a data recovery service.
    • It can overwrite your system BIOS. If that happens, you should contact the BIOS vendor for instructions on how to fix it.

      NOTE: Cases of an overwritten BIOS are extremely rare. If the computer fails to function because the BIOS has been overwritten, then you may, in some cases, need to replace either the BIOS or the motherboard.

    Revision History:

    March 30, 2004: Downgraded from Category 3 to Category 2 based on decreased rate of submissions.


    Write-up by: Motoaki Yamamura