
CIH Virus

CIH, also known as Chernobyl or Spacefiller, is a computer virus written by Chen Ing Hau of Taiwan.

History

It was first found in Taiwan on June 2, 1998, and later spread all over the world. The most common version, CIH 1.2, activates its payload on April 26, the birthday of the author. That date is also the anniversary of the Chernobyl (Chornobyl) nuclear disaster.

Some software pirate groups likely contracted the virus over the summer of 1998. Pirated software carrying the infection then spread it rapidly.

There is an unverified rumor that a PWA-cracked copy of Windows 98 was infected with the virus and circulated in July 1998.

Several commercial sources were tainted by the virus as well. In August 1998 a download on the Origin Systems website related to the game Wing Commander was infected, as were the cover CDs of some European gaming magazines. August 26, 1998 saw the first widespread activation of the CIH 1.4 payload, which drew media attention. In September 1998 Yamaha shipped a firmware update for its CD-R400 drives that was infected with the virus. In October 1998 a user-distributed demo of the Activision game SiN became infected through contact with an infected file on one user's machine.

In March 1999 IBM shipped a batch of Aptiva PCs with the CIH virus pre-installed, about a month before the payload date. The CIH v1.2 payload activated for the first time in the public eye on April 26, 1999. This was a catastrophic event, and a very large number of computers worldwide were affected. By April 26, 2000 much of the damage was occurring in Asia, but the virus was no longer as widespread. In March 2001 the Anjulie worm was discovered; it drops CIH v1.2 onto the system as part of its payload. Today CIH is far less widespread than it once was.

The virus made another comeback in 2001, when a variant of the Loveletter worm, a VBS file containing a dropper routine for CIH, circulated on the internet disguised as a nude picture of Jennifer Lopez.

A modified version of the virus called CIH.1106 was discovered in December 2002, but it is not considered a serious threat.

CIH is considered a threat today only where it infects programs that mass-mailing worms such as Klez distribute, or where the Anjulie worm carries it. Because CIH only runs on Windows 95, 98 and ME, its reach is greatly limited.

Virus Specifics

CIH infects Portable Executable (PE) files under Windows 95, Windows 98 and Windows ME. It does not spread under Windows NT, Windows 2000 or Windows XP, where the method it uses to obtain kernel-mode access does not work.

Because CIH infects a PE file by writing its code into the unused alignment padding (slack) that the linker leaves at the end of sections, it earned the name "Spacefiller". The virus body is about 1 kilobyte, but it is split across these gaps, so infected files do not grow at all; a scanner that only compares file sizes will not notice the infection. To hook the system's file-access calls the virus escalates from processor ring 3 to ring 0: it modifies an interrupt descriptor table entry so that a software interrupt transfers control to its own code in kernel mode, and from there it hooks the file-system API.
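The slack that CIH fills is visible in the PE section table: each section's VirtualSize gives the bytes of real content, SizeOfRawData is that figure rounded up to the file alignment, and the linker zero-fills the difference. The following Python is an added example, not code from the original article or from the virus itself. It parses a PE section table, measures each section's slack, flags slack that contains non-zero bytes (a cavity-infection indicator), and checks for the variant marker strings the article lists. The two-section PE image it builds is a constructed sample, and the marker-plus-NOP "virus body" it writes into the slack is a stand-in for demonstration, not the real CIH code.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

FILE_ALIGNMENT = 0x200  # typical linker FileAlignment for Win9x-era PE files

# Marker strings the article lists for each variant; CIH carries them in its body.
VARIANT_MARKERS = {
    b"CIH v1.2 TTIT": "CIH v1.2 (payload on 26 April)",
    b"CIH v1.3 TTIT": "CIH v1.3 (payload on 26 June)",
    b"CIH v1.4 TATUNG": "CIH v1.4 (payload on the 26th of any month)",
}

@dataclass
class Section:
    name: str
    virtual_size: int     # bytes of real content once mapped
    virtual_address: int
    raw_size: int         # bytes occupied on disk, rounded up to FileAlignment
    raw_ptr: int          # file offset of the section's on-disk block

def align_up(n: int, a: int) -> int:
    return (n + a - 1) // a * a

def parse_sections(data: bytes) -> List[Section]:
    """Walk MZ header -> PE signature -> COFF header -> section table (assumes sane headers)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append(Section(name, vsize, vaddr, rsize, rptr))
    return sections

def find_cavities(data: bytes) -> List[Tuple[str, int, int, int]]:
    """For every section with on-disk padding return (name, slack_offset, slack_len,
    nonzero_bytes). A linker leaves that padding zeroed; a space-filler stores code in it."""
    out = []
    for s in parse_sections(data):
        if s.virtual_size >= s.raw_size:
            continue  # no padding on disk (e.g. a .bss-style section)
        start = s.raw_ptr + s.virtual_size
        slack = data[start:s.raw_ptr + s.raw_size]
        out.append((s.name, start, len(slack), sum(1 for b in slack if b)))
    return out

def suspicious_sections(data: bytes) -> List[str]:
    """Sections whose alignment slack is not all zeros: cavity-infection candidates."""
    return [name for name, _, _, nonzero in find_cavities(data) if nonzero]

def identify_variant(data: bytes) -> Optional[str]:
    """Report which of the article's variant markers, if any, appears in the file."""
    for marker, label in VARIANT_MARKERS.items():
        if marker in data:
            return label
    return None

def build_sample_pe(text_code: bytes, cavity_payload: bytes = b"") -> bytes:
    """Construct a minimal two-section PE32 image for testing (a constructed sample, not a
    real program). cavity_payload, if given, is written into the .text slack the way a
    space-filler adds code without changing the file size."""
    opt_size = 0xE0                                            # IMAGE_OPTIONAL_HEADER32
    headers = align_up(0x40 + 4 + 20 + opt_size + 40 * 2, FILE_ALIGNMENT)
    text_raw, text_rsize = headers, align_up(len(text_code), FILE_ALIGNMENT)
    data_content = b"Hello\0"
    data_raw, data_rsize = text_raw + text_rsize, align_up(len(data_content), FILE_ALIGNMENT)
    img = bytearray(data_raw + data_rsize)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew -> PE signature
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44  # Machine=i386, 2 sections, no symbols, optional header size, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<II", img, opt + 0x20, 0x1000, FILE_ALIGNMENT)  # SectionAlignment, FileAlignment
    table = opt + opt_size
    layout = [(b".text", len(text_code), 0x1000, text_rsize, text_raw),
              (b".data", len(data_content), 0x2000, data_rsize, data_raw)]
    for i, (name, vsize, vaddr, rsize, rptr) in enumerate(layout):
        img[table + 40 * i:table + 40 * i + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, table + 40 * i + 8, vsize, vaddr, rsize, rptr)
    img[text_raw:text_raw + len(text_code)] = text_code
    img[data_raw:data_raw + len(data_content)] = data_content
    if cavity_payload:
        if len(cavity_payload) > text_rsize - len(text_code):
            raise ValueError("payload does not fit in the .text slack")
        start = text_raw + len(text_code)
        img[start:start + len(cavity_payload)] = cavity_payload
    return bytes(img)

if __name__ == "__main__":
    code = b"\x55\x89\xe5\x31\xc0\x5d\xc3"   # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    clean = build_sample_pe(code)
    # Constructed stand-in for a virus body: the v1.2 marker followed by NOP filler.
    infected = build_sample_pe(code, b"CIH v1.2 TTIT" + b"\x90" * 100)
    print("same size:", len(clean) == len(infected))
    print("clean   :", suspicious_sections(clean), identify_variant(clean))
    print("infected:", suspicious_sections(infected), identify_variant(infected))
```

The infected sample has exactly the same length as the clean one, which is why size-based integrity checks missed CIH; hashing the whole file, or inspecting the slack as done here, catches the change. Legitimate files can occasionally have non-zero slack (overlay data or tool-specific padding), so treat the flag as a lead for inspection rather than a verdict, and treat a marker-string hit as the stronger signal.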

The first payload, which is considered extremely dangerous, overwrites the hard disk with junk data starting at sector 0, which holds the master boot record and partition table. The machine hangs, and all data on the disk is lost.

The second payload attempts to overwrite the flash BIOS with junk as well. This routine works on machines based on the Intel 430TX chipset, provided the board's write-protection jumper is not set, because that chipset allows a program to write to the flash BIOS.

After the first payload, the hard disk can be sent to a data-recovery company if the data is extremely important; otherwise one should run FDISK to repartition the drive and then reformat it. If the second payload also succeeds, the computer will not start at all, and a technician is required to reprogram or replace the flash BIOS chip.

CIH v1.2/CIH.1103

This variant is the most common one and activates on April 26. It contains the string: CIH v1.2 TTIT.

CIH v1.3/CIH.1010.A and CIH.1010.B

This variant activates on June 26. It contains the string: CIH v1.3 TTIT.

CIH v1.4/CIH.1019

This variant activates on the 26th of any month. It is still in the wild, although it is not common. It contains the string: CIH v1.4 TATUNG.

CIH.1106

This is a minor, fairly recent variant that appeared in December 2002.

Jennifer Lopez nude e-mail

Subject: Where are you
Attachment: JenniferLopez_Naked.JPG.VBS
