Chernobyl virus turned 27 today, and it could brick your PC in ways modern malware can’t by overwriting BIOS firmware

CIH was one of the first viruses capable of destroying hardware by overwriting BIOS firmware.

The virus, written by Taiwanese university student Chen Ing-hau at Tatung University in 1998, is believed to have infected around 60 million computers and caused an estimated $40 million in commercial damage, earning the nickname "Chernobyl" because its April 26 trigger date happened to coincide with the anniversary of the 1986 nuclear disaster.

Chernobyl was also known as a space filler virus for the way it concealed itself inside executables. Instead of appending code to the end of a file and inflating its size, CIH scanned Windows Portable Executable files for unused gaps between code sections and split its payload across those spaces. Infected files remained the same size, which defeated the file-size checks that many antivirus tools of the era relied on. At roughly 1 KB, the virus was compact enough to distribute itself across a handful of tiny cavities in a single EXE.
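As an added illustration (not code from the article or from any antivirus product it mentions), the script below shows one way a defender can detect the cavity-style placement described above: it parses the PE section table and flags any section whose padding between VirtualSize and SizeOfRawData contains non-zero bytes. The two-section PE image it scans is constructed inside the script and is not a real program; the 0x5A filler bytes stand in for injected code. The heuristic rests on the assumption that linkers zero-fill section slack, which mainstream toolchains do, so anything non-zero there was written after linking.

```python
"""Heuristic scan for code hidden in PE section slack (cavity infection)."""
import struct

COFF_HEADER_SIZE = 20
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def parse_sections(data):
    """Return (name, virtual_size, raw_size, raw_ptr) for each section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, table + i * SECTION_HEADER_SIZE)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = fields[1:5]
        sections.append((name, vsize, rsize, rptr))
    return sections


def find_cavities(data):
    """Report section slack (bytes past VirtualSize, up to SizeOfRawData) that is not all zero.

    The linker pads raw section data out to FileAlignment with zeros, so non-zero
    bytes in that region were written after the file was built (assumption, see
    lead-in). Returns a list of (section_name, file_offset, nonzero_byte_count).
    """
    hits = []
    for name, vsize, rsize, rptr in parse_sections(data):
        if rsize <= vsize:
            continue                      # no slack in this section
        slack = data[rptr + vsize:rptr + rsize]
        nonzero = sum(1 for b in slack if b)
        if nonzero:
            hits.append((name, rptr + vsize, nonzero))
    return hits


def build_sample_pe(fill_slack):
    """Construct a minimal two-section PE32 image (not a runnable program) for testing.

    With fill_slack=True, 48 constructed filler bytes are written into the .text
    slack, mimicking where a cavity infector would store part of its code.
    """
    opt_size = 224                                     # PE32 optional header size
    text_vsize, text_rsize, text_ptr = 0x150, 0x200, 0x200
    data_vsize, data_rsize, data_ptr = 0x080, 0x200, 0x400
    image = bytearray(data_ptr + data_rsize)

    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    image[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine=i386, 2 sections, no symbols, optional header size, flags
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", image, 0x44 + COFF_HEADER_SIZE, 0x10B)   # PE32 magic
    table = 0x44 + COFF_HEADER_SIZE + opt_size
    struct.pack_into(SECTION_HEADER_FMT, image, table,
                     b".text", text_vsize, 0x1000, text_rsize, text_ptr, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HEADER_FMT, image, table + SECTION_HEADER_SIZE,
                     b".data", data_vsize, 0x2000, data_rsize, data_ptr, 0, 0, 0, 0, 0xC0000040)

    image[text_ptr:text_ptr + text_vsize] = b"\xCC" * text_vsize   # stand-in for code
    image[data_ptr:data_ptr + data_vsize] = b"\x41" * data_vsize   # stand-in for data
    if fill_slack:
        start = text_ptr + text_vsize                   # first padding byte of .text
        image[start:start + 48] = b"\x5A" * 48          # constructed filler, not real code
    return bytes(image)


if __name__ == "__main__":
    for label, flag in (("clean", False), ("cavity", True)):
        print(label, find_cavities(build_sample_pe(flag)))
```

Because the infected file keeps its original size, a size comparison passes; the slack check catches the change because the padding region is expected to be entirely zero. On real binaries, treat a hit as a lead to confirm with a full parser, since a few toolchains and packers legitimately place data past VirtualSize.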

Once running, CIH used an exploit to escalate from processor ring 3 to ring 0, giving it kernel-level access to hook file system calls and silently infect every executable a user opened. It worked only on Windows 95, 98, and ME; Windows NT was immune.

CIH spread globally through pirated software channels in the summer of 1998, but several infections came from legitimate commercial sources like IBM's Aptiva PCs, a batch of which shipped with CIH pre-installed in March 1999, one month before the trigger date. Yamaha also distributed an infected firmware update for its CD-R400 drives, and copies of the tool Back Orifice 2000 handed out at DEF CON 7 in July of the same year also carried the virus.

When CIH activated, its dual payload first overwrote the initial megabyte of the boot drive with zeros, destroying the partition table and rendering the disk's contents inaccessible. It then attempted to flash garbage data to the motherboard's BIOS chip, which, if successful, left the machine unable to power on at all without a chip replacement. The BIOS attack worked primarily on systems using certain Intel 430TX-based chipsets with unprotected flash memory.

Despite the scale of the damage, Taiwanese prosecutors couldn't charge Chen because no victims came forward with a lawsuit, as required under local law at the time. Chen claimed he wrote CIH to challenge antivirus vendors who he felt overstated their products' detection capabilities. The incident prompted Taiwan to pass new computer crime legislation.
