Paleo Pete
03-27-2001, 11:26 PM
I was just reminded about the CIH, or Chernobyl, virus by someone on IRC who had a problem with it recently. Thought I would post a notice and maybe save some of our faithful readers some headaches.
CIH activates on April 26, the anniversary of the Chernobyl disaster. Some variants activate on the 26th of any month. This virus is a particularly nasty one: it can overwrite the first 1MB of each hard drive on the system, effectively making them useless, and can also in some cases flash the BIOS, writing garbage over it. In this case, the BIOS chip must be replaced. The computer will not boot at all until it is replaced with a clean one. If the hard drives are overwritten, portions of data can sometimes be retrieved, but usually not all. If the BIOS is overwritten, or "flashed", it can make the computer totally useless; if you can't replace the BIOS chip, a new motherboard will be necessary.
CIH was spread by pirated software, which spread it quite quickly, on CDs contained in magazines, and IBM also shipped a number of Aptiva machines with it preinstalled. Before you ask, no, IBM was not at fault. It affects EXE and ZIP files, and since it affects EXE files it can very quickly infect a large number of files since it is spread to each one as it is opened.
From what I have been able to find out, it must be removed in DOS, not Windows, because of being a problem with EXE files. It can also remain in memory, and the Master Boot Record as well. It also inserts its virus code in the empty spaces in files, so it does not increase file size, making detection more difficult.
April 26 is not far away, and this virus is still out there, so everyone would be well advised to make sure they have recent DAT files for their virus scanners, scan the system before April 26 and make sure it is clean, and scan after any downloads.
A search of the virus encyclopedia at Trend Micro (http://www.antivirus.com) should turn up plenty of info about CIH and all its variants. A Google search will turn up lots of hits also.
Make SURE you write protect all your Start Up disks, and make a clean one long before this virus is scheduled to activate again.
Sorry for such a long post, but I wanted to include all the info I could, since this is such a nasty critter...
------------------
Eagles may soar, but weasels don't get sucked into jet engines!
Note: Please post your questions on the forums, not in my email.
Computer Information Links (http://www.geocities.com/paleopete/)
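The "empty spaces in files" behaviour mentioned in the post can be checked from the defender's side. The following is an added example, not part of the original post: it assumes the EXE files are Windows PE executables and counts non-zero bytes in the padding after each section's real contents. The function names are hypothetical, the sample file is constructed in the code, and non-zero padding is only a heuristic (some linkers leave data there), not a CIH signature.

```python
import struct

def section_slack(pe: bytes):
    """Return [(section, slack_len, nonzero_bytes)] for each PE section.

    Slack is the file padding between a section's VirtualSize (bytes really
    used) and its SizeOfRawData (bytes reserved on disk).
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows optional header
    out = []
    for i in range(n_sections):
        off = table + 40 * i                  # each section header is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _rva, raw_size, raw_ptr = struct.unpack_from("<4I", pe, off + 8)
        if raw_ptr == 0 or vsize == 0 or vsize >= raw_size:
            continue                          # no file data, or slack not measurable
        slack = pe[raw_ptr + vsize:raw_ptr + raw_size]
        out.append((name, len(slack), sum(1 for b in slack if b)))
    return out

def flag_filled_slack(pe: bytes, min_nonzero: int = 16):
    """Heuristic: names of sections whose padding holds >= min_nonzero non-zero bytes."""
    return [n for n, _len, nz in section_slack(pe) if nz >= min_nonzero]

def build_sample(slack_fill: bytes = b"") -> bytes:
    """Constructed, non-loadable PE skeleton: one .text section using 0x20 of 0x200 bytes."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<4I", 0x20, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = (dos + coff + sect).ljust(0x200, b"\0")
    return headers + (b"\x90" * 0x20 + slack_fill).ljust(0x200, b"\0")

if __name__ == "__main__":
    for label, fill in (("clean", b""), ("padding in use", b"\xCC" * 100)):
        sample = build_sample(fill)
        print(label, section_slack(sample), flag_filled_slack(sample))
```

Because the file size is identical in both constructed samples, a size comparison alone would not tell them apart; only the contents of the padding differ.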