The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>CIH/Chernobyl Virus</h2>
<dl>
<dd>Thursday, April 22, 1999
<dd>Friday, April 23, 1999 -- Updated vendor information
<dd>Monday, April 26, 1999 -- Updated vendor information, added FAQ
</dd></dd></dd></dl>
<h3>Overview</h3>
<p>We have received a number of information requests about a computer
virus named CIH.  Anti-virus vendors have given this virus the
following names: CIH, Win95.CIH, PE_CIH, Win32.CIH, and W95/CIH.1003.
The virus has also been called the Chernobyl virus. Some versions of
the CIH virus become active on April 26, 1999, which is the 13th
anniversary of the Chernobyl disaster.

<p>In addition to this Incident Note, please see the CIH FAQ (Frequently Asked Questions) document.

<p><dt><dd><a href="/tech_tips/CIH_FAQ.html">
http://www.cert.com/tech_tips/CIH_FAQ.html</a></dd></dt>
<h3>Description</h3>
<p>The CIH virus infects executable files and is spread by executing
an infected file.  Since many files are executed during normal use of
a computer, the CIH virus can infect many files quickly.

<p>There are several variants of the CIH virus.  Some activate every
month on the 26th, while other variants activate just on April 26th or
June 26th.  Once the CIH virus activates, the virus attempts to erase
the entire hard drive and to overwrite the system BIOS.  Some machines
may require a new BIOS chip to recover if overwritten by the CIH
virus.  CIH only affects Win95/98 machines.

<p>More technical details about the CIH virus can be found at the
following site.

<p><dt><dd><a href="http://www.virusbtn.com/VirusInformation/cih.html">
http://www.virusbtn.com/VirusInformation/cih.html</a></dd></dt>
<h3>Solutions</h3>
<p>The following items will help to prevent the CIH virus from
deleting your data or writing to the BIOS, but if your computer has
already been damaged by the CIH virus the following will not help to
recover.  If your computer has been damaged by the CIH virus we
recommend you contact your computer vendor or motherboard vendor to
find out how to recover the system BIOS.  The data on the hard drive
might not be recoverable, but a data recovery service might be able to
restore some portion of the data.

<p>Many motherboards have a "jumper" that will enable or disable the
ability to write to the BIOS.  To prevent the CIH virus or any other
program from writing to your computer BIOS, we recommend that you set
the motherboard jumpers so that the BIOS cannot be modified.  Some
motherboard vendors may ship boards with the jumper set in the
writable/programmable mode for the BIOS.

<p>This is a known virus and anti-virus vendors are able to detect the
CIH virus.  To detect and remove current viruses, you must update your
scanning tools and anti-virus software with the latest virus
signatures or definitions.  To properly clean the CIH virus, we
recommend booting an infected computer from a clean floppy diskette
(one that is not infected) and then running anti-virus software.

<h3>Vendor Information</h3>

Below is a list of anti-virus vendors that have further information and
tools relating to the CIH virus.

<p><b><u>Computer Associates InoculateIT</u></b>
<dt><dd><a href="http://www.cai.com/virusinfo/melissa_virus.htm#cih">
http://www.cai.com/virusinfo/melissa_virus.htm#cih</a>
<ul>
<p>Current Virus Signature Versions that Detect and Cure the CIH virus
are as follows:

  <dd><li>Any version of InoculateIT signature file later than 4.15 will
  detect and cure CIH.

  <dd><li>Current version of InoculateIT signature file is 4.20.

<p>Any of the above virus signature files can be downloaded at
<a href="http://www.support.cai.com/">www.support.cai.com</a>
</p></li></dd></li></dd></p></ul>
</dd></dt>
<p><b><u>Data Fellows F-Secure Anti-Virus</u></b>
<dt><dd><a href="http://www.datafellows.com/cih/">
http://www.datafellows.com/cih/</a></dd></dt>
<p><b><u>Network Associates/McAfee</u></b>
<dt><dd><a href="http://www.avertlabs.com/public/datafiles/valerts/vinfo/spacefiller411.asp">
http://www.avertlabs.com/public/datafiles/valerts/vinfo/spacefiller411.asp</a></dd></dt>
<p><b><u>ProLand Software</u></b>
<dt><dd><a href="http://www.pspl.com/faqs/cihfaq.htm">
http://www.pspl.com/faqs/cihfaq.htm</a></dd></dt>
<dt><dd><a href="http://www.pspl.com/download/cleancih.htm">
http://www.pspl.com/download/cleancih.htm</a></dd></dt>
<p>
<p><b><u>Sophos</u></b>
<dt><dd><a href="http://www.sophos.de/companyinfo/pressrel/uk/19990310chernobyl.html">
http://www.sophos.de/companyinfo/pressrel/uk/19990310chernobyl.html</a></dd></dt>
<p><b><u>Symantec/Norton AntiVirus</u></b>
<dt><dd><a href="http://www.symantec.com/avcenter/venc/data/cih.html">
http://www.symantec.com/avcenter/venc/data/cih.html</a></dd></dt>
<dt><dd><a href="http://www.symantec.com/avcenter/kill_cih.html">
http://www.symantec.com/avcenter/kill_cih.html</a></dd></dt>
<p><b><u>TrendMicro</u></b>
<dt><dd><a href="http://216.33.21.51/vinfo/virusencyclo/default3.asp?VCode=EN001344">
http://216.33.21.51/vinfo/virusencyclo/default3.asp?VCode=EN001344</a></dd></dt>
<p>Copyright 1999 Carnegie Mellon University.</p>
</p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p>