CIH (computer virus)
From Wikipedia, the free encyclopedia
CIH, also known as Chernobyl or Spacefiller, is a computer virus written by Chen Ing Hau (陳盈豪 / Chen YingHao) of Taiwan. It is considered to be one of the most harmful widely circulated viruses, overwriting critical information on infected system drives, and more importantly, in some cases corrupting the system BIOS.
The name "Chernobyl Virus" was coined some time after the virus was already well-known as CIH, and refers to the complete coincidence of the payload trigger date in some variants of the virus (actually the virus writer's birthday) and the Chernobyl accident, which happened in Ukraine on April 26, 1986.
History
In September 1998, Yamaha shipped a firmware update for its CD-R400 drives that was infected with the virus. In October 1998, a demo version of the Activision game SiN was infected on one of its mirror sites.[1] In March 1999, several thousand IBM Aptivas shipped with the CIH virus,[2] just one month before the virus would trigger.
CIH's dual payload was delivered for the first time on April 26, 1999, with most of the damage occurring in Asia. CIH filled the first 1024 KB of the host's boot drive with zeros and then attacked certain types of BIOS. Both of these payloads served to render the host computer inoperable, and for laypersons the virus essentially destroyed the PC. Technically, however, it was possible to replace the BIOS chip, and methods for recovering hard disk data emerged later.
Today, CIH is not as widespread as it once was, due to awareness of the threat and the fact that it only affects the older Windows 9x (95, 98, Me) operating systems.
The virus made another comeback in 2001 when a variant of the Loveletter Worm in a VBS file that contained a dropper routine for the CIH virus was circulated around the internet, under the guise of a nude picture of Jennifer Lopez.
A modified version of the virus called CIH.1106 was discovered in December 2002, but it is not considered a serious threat.
CIH is considered a threat only if it infects programs used by mass-mailing computer worms, such as Klez, or if the Anjulie Worm comes into play.
Virus specifics
CIH infects files in the Portable Executable format under Windows 95, Windows 98, and Windows ME. CIH does not spread under Windows NT, Windows 2000, Windows XP or Windows Vista.
CIH infects Portable Executable files by splitting the bulk of its code into small slivers inserted into the inter-section gaps commonly seen in PE files, and writing a small re-assembly routine and table of its own code segments' locations into unused space in the tail of the PE header. This earned CIH another name, "Spacefiller". The size of the virus is around 1 kilobyte, but due to its novel multiple-cavity infection method, infected files do not grow at all. It uses methods of jumping from processor ring 3 to 0 to hook system calls.
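The multi-cavity infection described above leaves the infected file the same size because the virus body lives in space a linker normally leaves zero-filled: the tail of the PE header after the section table, and the alignment padding inside and between sections. The following scanner, an added example that is not code from the article or from any antivirus product, parses a PE image and reports any of those slack regions that contain non-zero bytes. The `build_sample_pe` helper constructs a minimal two-section PE32 image purely as test input; the "implant" blobs are constructed filler bytes, not virus code.

```python
# Added example: heuristic scan of PE slack regions that a cavity infector
# such as CIH fills. Sample images are constructed, not real executables.
import struct

SECTION_HEADER_SIZE = 40


def parse_sections(data):
    """Return (end_of_headers, [section dicts]) for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # section table follows optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "rsize": rsize, "rptr": rptr})
    return table + num_sections * SECTION_HEADER_SIZE, sections


def find_cavities(data):
    """List slack regions (header tail, section padding, inter-section gaps)
    that hold non-zero bytes. A clean linker output returns an empty list."""
    headers_end, sections = parse_sections(data)
    raw = sorted((s for s in sections if s["rsize"]), key=lambda s: s["rptr"])
    regions = [("header slack", headers_end, raw[0]["rptr"] if raw else len(data))]
    for i, s in enumerate(raw):
        # bytes past VirtualSize but inside SizeOfRawData are file-alignment padding
        used_end = s["rptr"] + (min(s["vsize"], s["rsize"]) if s["vsize"] else s["rsize"])
        raw_end = s["rptr"] + s["rsize"]
        next_start = raw[i + 1]["rptr"] if i + 1 < len(raw) else len(data)
        regions.append((f"{s['name']} padding", used_end, raw_end))
        regions.append((f"gap after {s['name']}", raw_end, next_start))
    findings = []
    for label, start, end in regions:
        if end <= start:
            continue
        nonzero = sum(1 for b in data[start:end] if b)
        if nonzero:
            findings.append({"region": label, "start": start, "end": end, "nonzero": nonzero})
    return findings


def build_sample_pe(implants=()):
    """Construct a minimal PE32 image with .text and .data sections (file
    alignment 0x200). `implants` is a list of (offset, bytes) written into the
    image afterwards to simulate filler hidden in slack. Constructed test data."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (PE32 = 0xE0), Characteristics
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", img, coff + 20, 0x10B)                # optional header magic
    table = coff + 20 + 0xE0
    secs = [(b".text", 0x100, 0x1000, 0x200, 0x200),
            (b".data", 0x80, 0x2000, 0x200, 0x400)]
    for i, (name, vsize, vaddr, rsize, rptr) in enumerate(secs):
        off = table + i * SECTION_HEADER_SIZE
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, vsize, vaddr, rsize, rptr)
    img[0x200:0x300] = b"\x90" * 0x100      # "used" part of .text
    img[0x400:0x480] = b"\x41" * 0x80       # "used" part of .data
    for off, blob in implants:
        img[off:off + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    print("clean:", find_cavities(build_sample_pe()))
    suspect = build_sample_pe([(0x190, b"\xCC" * 40), (0x300, b"\xCC" * 64)])
    print("implanted:", find_cavities(suspect))
```

Non-zero slack is only a heuristic: packers, overlays and some compilers also leave data in padding, so a hit is a reason to compare the file against a known-good copy or hash rather than a verdict on its own.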
The payload, which is considered extremely dangerous, first involves the virus overwriting the first megabyte (1024 KB) of the hard drive with zeroes, beginning at sector 0. This destroys the partition table, and may cause the machine to hang.
The second payload tries to write to the Flash BIOS. Due to what may be an unintended feature of this code, BIOSes that can be successfully written to by the virus have critical boot-time code replaced with junk. This routine only works on some machines. Much emphasis has been put on machines with motherboards based on the Intel 430TX chipset, but by far the most important variable in CIH's success in writing to a machine's BIOS is the type of Flash ROM chip in the machine. Different Flash ROM chips (or chip families) have different write-enable routines specific to those chips. CIH makes no attempt to test for the Flash ROM type in its victim machines, and has only one write-enable sequence.
For the first payload, any information that the virus has overwritten with zeros is lost. If the first partition is FAT32 and larger than about one gigabyte, all that gets overwritten is the MBR, the partition table, the boot sector of the first partition and the first copy of that partition's FAT. The MBR and boot sector can simply be replaced with copies of the standard versions, the partition table can be rebuilt by scanning the entire drive, and the first copy of the FAT can be restored from the second copy. This means a complete recovery with no loss of user data can be performed automatically by a tool such as Fix CIH.
If the first partition is not FAT32, or is smaller than 1 GB, the bulk of the user data on that partition will still be intact, but without the root directory and FAT it will be difficult to find, especially if there is significant fragmentation.
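The two paragraphs above turn on where the FAT32 structures sit relative to the 1 MB the first payload zeroes. The following model, an added example that is not part of the article or of Fix CIH, lays out a FAT32 volume by the standard layout (reserved sectors, then the FAT copies, then the data area whose first cluster holds the root directory), classifies each structure as destroyed, partial or intact after the overwrite, and restores the first FAT from the second copy in a disk image when that copy survived. Partition sizes and the toy image are constructed; the partition start of LBA 63 and the 4 KB cluster size are assumed as typical defaults of that era.

```python
# Added example: which FAT32 structures survive CIH's 1 MB overwrite, and
# rebuilding FAT1 from FAT2. Geometries below are constructed test values.
ZEROED_BYTES = 1024 * 1024   # CIH's first payload: zeros from sector 0 for 1024 KB


def fat32_layout(part_start_lba, total_sectors, bytes_per_sector=512,
                 sectors_per_cluster=8, reserved_sectors=32, num_fats=2):
    """Return {structure: (start_byte, end_byte)} for a FAT32 volume.
    FAT size follows from the cluster count: 4 bytes per entry plus the two
    reserved entries, rounded up to whole sectors."""
    clusters = (total_sectors - reserved_sectors) // sectors_per_cluster
    fat_bytes = (clusters + 2) * 4
    fat_sectors = -(-fat_bytes // bytes_per_sector)          # ceiling division
    base = part_start_lba * bytes_per_sector
    layout = {
        "MBR/partition table": (0, bytes_per_sector),
        "boot sector": (base, base + bytes_per_sector),
    }
    fat_start = base + reserved_sectors * bytes_per_sector
    fat_len = fat_sectors * bytes_per_sector
    for i in range(num_fats):
        layout[f"FAT{i + 1}"] = (fat_start + i * fat_len, fat_start + (i + 1) * fat_len)
    data_start = fat_start + num_fats * fat_len
    layout["root directory (cluster 2)"] = (data_start,
                                            data_start + sectors_per_cluster * bytes_per_sector)
    return layout


def assess_damage(layout, zeroed=ZEROED_BYTES):
    """Classify each structure after the first `zeroed` bytes were overwritten."""
    result = {}
    for name, (start, end) in layout.items():
        if end <= zeroed:
            result[name] = "destroyed"
        elif start < zeroed:
            result[name] = "partial"
        else:
            result[name] = "intact"
    return result


def fat_recoverable(layout, zeroed=ZEROED_BYTES):
    """True when a complete second FAT survives, so FAT1 can be rebuilt from it."""
    return assess_damage(layout, zeroed).get("FAT2") == "intact"


def restore_fat1_from_fat2(image, layout):
    """Copy the surviving FAT2 over the zeroed FAT1 region of a bytearray image.
    Call fat_recoverable() first; an incomplete FAT2 must not be copied."""
    s1, e1 = layout["FAT1"]
    s2, e2 = layout["FAT2"]
    if e1 - s1 != e2 - s2:
        raise ValueError("FAT copies differ in size")
    image[s1:e1] = image[s2:e2]
    return image


def recoverability_by_size():
    """Constructed partitions (LBA 63 start, 4 KB clusters) of 512 MB, 1 GB, 2 GB:
    returns {size_mb: FAT1-recoverable?}. Shows the ~1 GB threshold the text gives."""
    return {mb: fat_recoverable(fat32_layout(63, mb * 2048)) for mb in (512, 1024, 2048)}


def toy_recovery():
    """Scaled-down drill: a 64-sector constructed image whose FAT1 lies inside a
    2 KB zeroed region while FAT2 lies just past it. Returns True if FAT1 was restored."""
    layout = fat32_layout(1, 64, sectors_per_cluster=1, reserved_sectors=2)
    image = bytearray(64 * 512)
    pattern = bytes(range(256)) * 2                  # stand-in for FAT contents
    image[layout["FAT1"][0]:layout["FAT1"][1]] = pattern
    image[layout["FAT2"][0]:layout["FAT2"][1]] = pattern
    image[0:2048] = bytes(2048)                      # simulate the overwrite
    if not fat_recoverable(layout, zeroed=2048):
        return False
    restore_fat1_from_fat2(image, layout)
    return bytes(image[layout["FAT1"][0]:layout["FAT1"][1]]) == pattern


if __name__ == "__main__":
    for mb, ok in recoverability_by_size().items():
        print(f"{mb} MB partition: FAT recoverable = {ok}")
    print("toy recovery succeeded:", toy_recovery())
```

With 4 KB clusters the FAT of a 1 GB volume is itself about 1 MB, which is why the second copy clears the zeroed region only for volumes of roughly that size or larger; with the 512 MB geometry both FAT copies fall at least partly inside the overwritten area, the case the second paragraph describes.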
If the second payload goes off without a hitch, the computer will not start at all. A technician is required to reprogram or replace the Flash BIOS chip, as most systems that CIH can affect predate BIOS restoration features.
CIH v1.2/CIH.1103
This variant is the most common one and activates on April 26. It contains the string: CIH v1.2 TTIT.
CIH v1.3/CIH.1010A and CIH.1010B
This variant also activates on June 26. It contains the string: CIH v1.3 TTIT.
CIH v1.4/CIH.1019
This variant activates on the 26th of any month. It is still in the wild, although it is not that common. It contains the string: CIH v1.4 TATUNG.
CIH.1049
This variant activates on August 2 instead of April 26.
CIH.110664
This is a minor, fairly recent variant that appeared in December 2002.
CIH.110007
This variant gave CIH a new look, scanning for security holes inside Windows networks. Windows XP became prone to it when some people disliked the Windows validation tool. CIH caused IP conflicts, font removal and NetBIOS conflicts on many Windows XP/Server systems. According to a report by the Astalavista group, it can infect network systems because many antivirus products are unaware of this type of virus; it does not actually harm a system, but provokes conflicts on port 139 of Windows systems.
Removal
Most antivirus software will recognize and remove CIH. However, CIH has a lasting legacy even after infected files have been cleaned, whether or not the payload was delivered. Due to its infection mechanism, most antivirus software can deactivate the virus but cannot completely clean infected files. This has certain ramifications. First, infected files cannot be restored to their original state, and will therefore produce different hashes or checksums than the original file, which could cause the file to fail integrity checks. Secondly, because the virus signature is still present within the file, the antivirus software will continue to flag infected files, usually as "CIH (inactive)" or some variation thereof. The only way to be completely rid of CIH remnants is to replace the affected files with copies of untouched originals. For systems that were thoroughly infected, this likely entails a complete reinstallation of the operating system and software.
External links
- F-Secure CIH Database
- F-Secure CIH Technical Page
- Symantec CIH Technical Page
- News article about the Jennifer Lopez e-mail
- FIX-CIH - Site by Steve Gibson on how to repair most of the damage from CIH
- CIH Virus Assembler Source Code