Virus.Win9x.CIH/Chernobyl

Virus.Win9x.CIH, commonly known as the Chernobyl virus, is one of the most infamous computer viruses in history. It was first discovered in June 1998 and quickly became notorious for its destructive payload. The virus was created by Chen Ing-Hau, a student at Tatung University in Taiwan. The name "Chernobyl" was attributed to the virus because its payload activates on April 26, which is the anniversary of the Chernobyl nuclear disaster.

The CIH virus specifically targets systems running Windows 95, 98, and ME. The virus infects executable files, particularly those with .EXE extensions, and becomes resident in the system's memory. This enables it to infect other executables as they are accessed or run, spreading the virus further throughout the system.

The destructive capability of the CIH virus is twofold. Firstly, it overwrites the first megabyte of the hard drive, which often contains critical system data and can render the system inoperable. This results in a loss of data and can prevent the system from booting. Secondly, the virus attempts to overwrite the system BIOS. The BIOS (Basic Input/Output System) is a crucial part of the computer's firmware that initializes hardware during the boot process. Overwriting the BIOS can cause the system to fail to start at all, requiring a professional to reflash or replace the BIOS chip.
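As an added, defender-side example (not code from the original page or from the virus itself): a Python check that parses the MBR at the start of a disk image and flags the damage pattern described above, a zeroed first megabyte and an unusable partition table. The disk images are constructed inline, and the partition layout in them is an assumption.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55      # stored little-endian as bytes 55 AA at offset 510
ONE_MIB = 1024 * 1024       # the region the article says the payload overwrites
# boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_FMT = "<B3xB3xII"

def parse_mbr(sector0: bytes) -> dict:
    """Parse a classic MBR: four 16-byte partition entries at offset 446, signature at 510."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    sig = struct.unpack_from("<H", sector0, 510)[0]
    parts = []
    for i in range(4):
        boot, ptype, lba_start, count = struct.unpack_from(PART_FMT, sector0, 446 + 16 * i)
        if ptype != 0:                      # type 0 means an empty slot
            parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sig == MBR_SIGNATURE, "partitions": parts}

def assess_image(image: bytes) -> dict:
    """Flag the damage pattern: start of the disk overwritten, MBR unusable."""
    head = image[:ONE_MIB]
    mbr = parse_mbr(image)
    zeroed = head == bytes(len(head))       # whole first MiB (or what is present) is zero
    damaged = zeroed or not mbr["signature_ok"] or not mbr["partitions"]
    return {"first_mib_zeroed": zeroed, "mbr_signature_ok": mbr["signature_ok"],
            "partition_count": len(mbr["partitions"]),
            "verdict": "DAMAGED" if damaged else "OK"}

def build_sample_mbr() -> bytes:
    """Constructed sample MBR: one bootable FAT32 (type 0x0C) partition starting at LBA 63."""
    sector = bytearray(SECTOR)
    struct.pack_into(PART_FMT, sector, 446, 0x80, 0x0C, 63, 1_000_000)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)

# Constructed 2 MiB disk images: a healthy one, and one whose first MiB was overwritten with zeros.
HEALTHY_IMAGE = build_sample_mbr() + bytes(2 * ONE_MIB - SECTOR)
WIPED_IMAGE = bytes(2 * ONE_MIB)

if __name__ == "__main__":
    for name, img in (("healthy", HEALTHY_IMAGE), ("wiped", WIPED_IMAGE)):
        print(name, assess_image(img))
```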

The impact of the CIH virus was significant due to its payload activation date and the extent of its damage. The virus's activation on April 26 led to numerous reports of data loss and system failures around that date each year. This widespread impact highlighted the vulnerabilities in computer systems and the importance of regular backups and robust antivirus measures.

Despite its age, the CIH virus remains a critical part of cybersecurity history and serves as a reminder of the potential destructive power of malware. Modern antivirus software is well-equipped to detect and prevent such threats, but the lessons learned from CIH continue to influence cybersecurity practices today.

The CIH virus's code was sophisticated for its time. Below is a snippet of the disassembled code that shows how the virus operates:

    ; CIH virus payload code snippet
    ; This snippet shows the BIOS overwriting routine

    mov     ax, 0F000h
    mov     es, ax
    mov     di, 0FFFCh
    mov     al, 0
    mov     cx, 200h
    rep stosb
    jmp     short $+2
    xor     ax, ax
    mov     ds, ax
    mov     es, ax
    mov     cx, 80h
    mov     di, 7C00h
    rep stosw
    mov     ax, 0040h
    mov     es, ax
    mov     word ptr es:[72], 0

    ; Overwrite BIOS
    mov     ax, 0F000h
    mov     es, ax
    mov     di, 0FFFCh
    mov     al, 0
    mov     cx, 200h
    rep stosb

    ; System crash
    cli
    hlt