CIH/Chernobyl Virus
- Thursday, April 22, 1999
- Friday, April 23, 1999 -- Updated vendor information
- Monday, April 26, 1999 -- Updated vendor information, added FAQ
- Friday, April 23, 1999 -- Updated vendor information
Overview
We have received a number of information requests about a computer virus named CIH. Anti-virus vendors have given this virus the following names: CIH, Win95.CIH, PE_CIH, Win32.CIH, and W95/CIH.1003. The virus has also been called the Chernobyl virus. Some versions of the CIH virus become active on April 26, 1999 which is the 13th anniversary of the Chernobyl disaster.
In addition to this Incident Note please see the CIH FAQ (Frequently Asked Questions) document.
Description
The CIH virus infects executable files and is spread by executing an infected file. Since many files are executed during normal use of a computer, the CIH virus can infect many files quickly.
There are several variants of the CIH virus. Some activate every month on the 26th, while other variants activate just on April 26th or June 26th. Once the CIH virus activates, the virus attempts to erase the entire hard drive and to overwrite the system BIOS. Some machines may require a new BIOS chip to recover if overwritten by the CIH virus. CIH only affects Win95/98 machines.
More technical details about the CIH virus can be found at the following site.
Solutions
The following items will help to prevent the CIH virus from deleting your data or writing to the BIOS, but if your computer has already been damaged by the CIH virus the following will not help to recover. If your computer has been damaged by the CIH virus we recommend you contact your computer vendor or motherboard vendor to find out how to recover the system BIOS. The data on the hard drive might not be recoverable, but a data recovery service might be able to retore some portion of the data.
Many motherboards have a "jumper" that will enable or disable the ability to write to the BIOS. To prevent the CIH virus or any other program from writing to your computer BIOS, we recommend that you set the motherboard jumpers so that the BIOS can not be modified. Some motherboards vendors may ship with the jumper set in the writable/programmable mode for the BIOS.
This is a known virus and anti-virus vendors are able to detect the CIH virus. To detect and remove current viruses, you must update your scanning tools and anti-virus software with the latest virus signatures or definitions. To properly clean the CIH virus we recommend booting an infected computer from a clean floppy diskette (one that is not infected) and then run anti-virus software.
Vendor Information
Below is a list of anti-virus vendors that have futher infomation and tools relating to the CIH virus.Computer Associates InoculateIT
- Any version of InoculateIT signature file later than 4.15 will detect and cure CIH.
- Current version of InoculateIT signature file is 4.20.
Any of the above virus signatures files can be downloaded at www.support.cai.com
- Any version of InoculateIT signature file later than 4.15 will detect and cure CIH.
Current Virus Signature Versions that Detect and Cure the CIH virus are as follows:
Data Fellows F-Secure Anti-Virus
Network Associates/McAfee
ProLand Software
Sophos
Symantec/Norton AntiVirus
TrendMicro
Copyright 1999 Carnegie Mellon University.