CIH (computer virus)

from Wikipedia, the free encyclopedia
CIH
Name: CIH
Aliases: Chernobyl, Spacefiller
Known since: 1998
First location: Taiwan
Virus type: File virus
Author: Chen Ing Hau
Host files: Executables
Polymorphic: No
Stealth: Yes
Memory resident: Yes
Operating system: Windows 95, 98, ME

CIH is a family of computer viruses that infect program files. It was written by the Taiwanese programmer Chen Ing Hau. CIH could also damage firmware.

Chen Ing Hau completed the virus on April 26, 1998. A computer infected with CIH was first discovered on June 25 of the same year.

The virus then spread rapidly and was found in almost all industrialized and emerging countries. In the years around the turn of the millennium, CIH infections were among the most common malware finds. In April 2001 CIH was still widespread: 2.8% of the infections reported to the software vendor Sophos were W95/CIH findings.

The CIH viruses belong to the class of file viruses.


Aliases

  • CIH: The abbreviation appears in the program code of the first virus versions. It stands for the initials of Chen Ing Hau.
  • Chernobyl (or Tschernobyl) only became established as a name for the virus once it was already known. The payload trigger date of the original version, April 26, is also the anniversary of the Chernobyl nuclear disaster of 1986. The real reason for the date is trivial, however: April 26, 1998 was the day on which Chen Ing Hau finished the virus.
  • Spacefiller refers to the distinctive technique CIH uses to infect executable files. Most viruses append their code to the end of the host file, which is the least likely to damage the file but makes it correspondingly larger. CIH instead examines the code of the host file and looks for unused gaps in it. The virus writes its code into these holes and infects the program without changing the file size. This allowed CIH to hide more effectively from users and from the antivirus scanners of the time.
  • Since there is no fixed nomenclature for computer viruses, antivirus vendors also use different names for the virus. The best known include:

Versions and derivatives

  • CIH v1.2 / CIH.1003 is the original variant. The payload is triggered on April 26. The virus code contains the string: CIH v1.2 TTIT. CIH.1003 also bears the version name Kahba.
  • CIH v1.3 / CIH.1010.A and CIH.1010.B are variants that are also triggered on April 26. The virus code contains the string: CIH v1.3 TTIT. CIH.1010.A has the version name Scharmut and CIH.1010.B the name Cay.
  • CIH v1.4 / CIH.1019 is a version that is triggered on the 26th of each month. CIH.1019 had the longest run of reported infections. The virus code contains the string: CIH v1.4 TATUNG. The version name is Eiri.
  • CIH.1049 is a variant that activates its payload every August 2 instead of April 26.
  • CIH.1106 triggers the payload on the 2nd of every month.

As of June 2020, Microsoft's malware encyclopedia listed a total of 27 different derivatives of the original CIH virus.

Functionality

Hexdump of the first CIH virus

The file virus is memory resident and infects .exe files (Portable Executable) under Windows 95, Windows 98 and Windows ME. Windows NT and all Windows operating systems based on it are not affected, which means that the virus is practically irrelevant today.

CIH only triggers its malicious code (payload) on preprogrammed days, which means that affected computers usually remain functional for a long time and infected files continue to be passed on. The first version was triggered once a year, when the system date reached April 26. CIH is therefore a so-called birthday virus.
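A defender-side check for the space-filler technique described under Aliases, as an added example that is not part of the article: it parses a PE section table and counts non-zero bytes in each section's file-alignment padding, the "holes" that CIH fills, which a linker normally leaves zeroed. It runs on a constructed two-section image; the section names, sizes and the marker bytes are invented for the demonstration.

```python
import struct

# IMAGE_SECTION_HEADER fields: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # 40 bytes per entry

def parse_sections(pe: bytes) -> list:
    """Return (name, VirtualSize, SizeOfRawData, PointerToRawData) for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, pe, table + i * 40)
        sections.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[1], f[3], f[4]))
    return sections

def slack_report(pe: bytes) -> list:
    """(name, padding length, non-zero bytes) for each section whose raw size exceeds its
    virtual size. Non-zero bytes in that padding are a heuristic sign of a space-filler."""
    report = []
    for name, vsize, rawsize, rawptr in parse_sections(pe):
        if rawsize > vsize:
            slack = pe[rawptr + vsize:rawptr + rawsize]
            report.append((name, len(slack), len(slack) - slack.count(0)))
    return report

def build_sample_pe() -> bytes:
    """Constructed two-section image (not a real program, no optional header):
    .text has clean padding, .data carries 16 foreign bytes in its padding."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew: PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 2)  # Machine = i386, NumberOfSections = 2
    struct.pack_into("<H", hdr, 0x54, 0)          # SizeOfOptionalHeader = 0 (constructed)
    def sec(name, vsize, rawsize, rawptr):
        return struct.pack(SECTION_FMT, name, vsize, 0, rawsize, rawptr, 0, 0, 0, 0, 0)
    hdr[0x58:0x58 + 40] = sec(b".text", 0x100, 0x200, 0x200)
    hdr[0x80:0x80 + 40] = sec(b".data", 0x80, 0x200, 0x400)
    text = b"\x90" * 0x100 + b"\0" * 0x100                    # code, then zeroed padding
    data = b"A" * 0x80 + b"\xCC" * 16 + b"\0" * (0x180 - 16)  # padding is not clean
    return bytes(hdr) + text + data
```

Running `slack_report(build_sample_pe())` reports the .text padding as clean and flags 16 non-zero bytes in the .data padding; on real files the check is a triage heuristic, not proof of infection.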

Effects

The virus first appeared in Taiwan on June 2, 1998, but later spread around the world. On April 26, 1999, the author's birthday and also the anniversary of the 1986 Chernobyl nuclear disaster, the CIH damage routine was activated for the first time, which gave the virus its alternative name Chernobyl. Countless computers around the world were affected. Two variants of the program are triggered differently: one on June 26 and the other on the 26th day of each month.

Payload

The damage routine first overwrites the partition table in the master boot record of the hard disk with zeros, which makes the data on the disk inaccessible without special recovery tools. It then tries to overwrite the computer's BIOS. This only works on computers with Intel 430TX chipsets on which protection against overwriting the BIOS is either absent or not activated. Once the BIOS has been overwritten, the affected PC no longer starts; the BIOS chip on the motherboard must be replaced.

To protect the flash BIOS from being overwritten, many motherboards have a jumper that is supposed to prevent unintentional changes to the BIOS. This does not guarantee protection, however, because on some BIOS versions the write protection for the flash BIOS is controlled by software despite the jumper. The virus takes advantage of this and simply deactivates the write protection. There is no hardware protection for the partition table.

Situation around 1999

The spread was apparently aided by the fact that not only pirated software but also legitimate software products were contaminated with the virus; commercial sources were affected by CIH as well:

  • In August 1998, a download of the game Wing Commander: Secret Ops was infected.
  • Cover CDs from European game magazines were also affected.
  • A firmware update for Yamaha CD drives was also known to be infected.
  • Some IBM Aptiva PCs were delivered infected with CIH in March 1999.
  • The hacker group Cult of the Dead Cow distributed its own CDs at the DefCon conference in 1999, which turned out to be infected with the CIH v1.2 TTIT virus. The group apologized and took full responsibility, while vigorously denying the allegation that it had infected the CDs deliberately.
  • In 2011, an E-Threat analyst at the software company Bitdefender discovered Windows 98 video drivers infected with CIH on Microsoft's FTP server. Since the virus is still dangerous on such old operating systems, this amounted to a kind of time bomb on the server.

Identification and removal

  • The first versions of CIH were already recognized in 1998 by almost all antivirus software in use.
  • Windows systems based on NT were not susceptible, nor were operating systems from other manufacturers.
