Brief Summary of CIH

CIH is a Windows 95/98 EXE infector. It does not infect documents, DOS or Windows 3.x EXEs, or boot sectors. When an infected file is executed, the virus stays memory resident and infects EXE files whenever they are opened for any reason. If the antivirus program cannot detect the virus in memory, the virus will infect EXEs while the antivirus is scanning them. To disinfect it you'll have to disinfect it from DOS or use an antivirus program that can disinfect it in memory. AVP is the only program I know of that has disinfection of CIH in memory as a regular part of the program.

This virus has a date-activated payload; the date depends on the variant. The payload of the most common version activates on April 26th. The payload will try to erase a large portion of the hard drive and flash the BIOS with garbage. The BIOS flashing routine only works on some computers, but the hard drive erasing always works. If you turned off your computer or changed its date on the 26th to avoid the payload of CIH, then you may have escaped the worst of it, but consider the following:

It's a much better idea to disinfect your computer as soon as possible. Make sure your virus data files are up-to-date and that you have an antivirus program in memory at all times. You should also have backups no matter what day it is; you never know when your hard drive will just go *click* and then never work again.

CIH Payload Recovery

I have not used the services of any of these companies or individuals so I can't tell you how good they are. If you've had any experience, good or bad, with these or you know another I should add to the list, let me know. An inappropriate attempt at recovery may make matters much worse. Make sure you have a way to back out of any changes or use a product that doesn't write to the disk being recovered. Using a program that writes to the disk being recovered, like Norton Disk Doctor, will probably make matters much worse. Be sure to make an Undo disk. If Norton Disk Doctor does not fully succeed, immediately apply the Undo disk. Warning: The undo file for a hard drive may be too large for a floppy disk. If anything goes wrong with the undo disk, things will probably be much worse and you'll have no way to back out of the changes. I would not recommend Norton Disk Doctor. I also do not recommend using FDISK to try to recover the data. It changes the data on the disk and does not provide any way to back out of changes. Its success is even more doubtful than Norton Disk Doctor.

CIH Myths

CIH Infection

Myth: The Chernobyl virus is a variant of CIH.
Fact: The Chernobyl virus is CIH. The name Chernobyl was not used at all until long after CIH was discovered. There is no evidence that the author chose April 26th because of the Chernobyl disaster.

Myth: The CIH virus works on NT.
Fact: It does not work on NT. It can infect files on an NT server from a Windows 95/98 machine.

Myth: The CIH virus does not work on Windows 98/FAT32.
Fact: CIH works just fine on Windows 98 and FAT32.

Myth: The CIH virus is on the Windows 98 CD.
Fact: The Windows 98 CD from Microsoft is not infected. But if you get it from a warez site, who knows.

Myth: The CIH virus is overhyped by antivirus companies.
Fact: The CIH virus has been distributed in magazines, on major websites, and in commercial software.

CIH Payload

Myth: The CIH virus infects the BIOS.
Fact: It does not infect the BIOS. It overwrites part of it with garbage.

Myth: The CIH virus can overwrite any BIOS.
Fact: It can only overwrite some kinds of Flash BIOS. A Flash BIOS can be reprogrammed with software. The exact method for reprogramming it varies from machine to machine. Estimates of the number of vulnerable computers range from the majority of computers to 2% of computers. But even if it fails to flash the BIOS, it will still erase the hard drive.

Myth: If the CIH virus succeeds in flashing the BIOS, you have to buy a new computer.
Fact: Some computers have a fail-safe mechanism for reflashing the BIOS that can read a BIOS update from a floppy. It usually communicates using the lights on the keyboard or by the speaker. Check your computer manual for details. Another possibility is swapping BIOS chips while the computer is running; this will probably void your warranty, and you should only do it if you know the insides of your computer and your Flash BIOS program.
Here are also some links to the BIOS recovery sections on some motherboard sites. I'm not sure if these particular boards are vulnerable to CIH's payload; I don't have spare motherboards laying around that I can just trash.

If you find another web page with good solid technical information on BIOS recovery, I will gladly add a link here. If your computer doesn't have a BIOS recovery block and the BIOS chip isn't permanently connected to the motherboard, you could remove the BIOS chip and replace it with a new one.

Myth: If the CIH virus succeeds in flashing the BIOS, you have to remove the CMOS battery.
Fact: The CIH virus overwrites the BIOS, not the CMOS. The CMOS and the BIOS are two completely different things. The CMOS contains only data, kept alive by a battery. The BIOS contains data and code and is kept in a special Flash ROM. The BIOS chips can be "flashed" and they will keep the new information without requiring battery power. When the computer starts, the BIOS reads the data in the CMOS. The BIOS also contains default values for the CMOS settings. So if the CMOS were cleared or corrupted (there are some viruses that do that, but none of them are common), the BIOS can restore the default settings. But if the BIOS were cleared or corrupted, there would be no copy of it anywhere on the computer. Without the BIOS, the computer can't boot at all, not even from a floppy disk. That is why it is possible to clear the CMOS but not to clear the BIOS.

Myth: You should [turn off]/[change the date on] your computer on the 26th.
Fact: It's a much better idea to disinfect your computer as soon as possible.

Myth: The most common variant of the CIH virus activates on the 26th of any month.
Fact: The most common variant of CIH activates on April 26:

Effective size   Version     Reports of the virus   Activation Date
1003             1.2         Many                   April 26
1010             1.3         None                   June 26
1019             1.4         Very few               26th of any month
1024             TNN Remix   None                   None

Myth: Windows is acting strange / The BIOS is acting strange. The CIH virus must have done it.
Fact: The CIH virus is fairly bug-free. The only effect that is usually noticed during the replication period is that WinZip files don't work. Self-checking programs will also detect the virus. If the CIH virus activates and succeeds in flashing the BIOS, then the computer won't do anything and won't display any messages at all. If the CIH virus activates and succeeds in overwriting the Hard Disk but not the BIOS, you will get a message such as "Disk Boot Failure" right when the computer starts.

CIH Disinfection

Myth: I disinfected CIH but now WinZip archives/self-checking programs/Battle.net/etc no longer work. The CIH virus must still be on my system.
Fact: Antivirus software can remove the CIH virus and keep the functionality of the original program in the vast majority of cases. But no antivirus program can provide perfect disinfection all of the time. You'll just have to replace those files from original disks/backups.

Myth: McAfee calls it W32.CIH.SPACEFILLER. SPACEFILLER means that it fills up all the space on the hard drive.
Fact: SPACEFILLER means that it inserts itself into empty spaces in EXE files so the files don't increase in size when they are infected.
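To make "empty spaces in EXE files" concrete, here is an added example that is not part of the original page or of any antivirus product: it builds a constructed, minimal PE32 image (not a runnable program), then measures each section's slack, the zero padding between the section's real content (VirtualSize) and the end of its file-aligned raw block (SizeOfRawData). A clean build and a copy with bytes planted in that slack have exactly the same file size, which is why checking file sizes tells you nothing here; counting non-zero bytes in the slack is the check that does.

```python
import struct

FILE_ALIGN = 0x200  # FileAlignment used by the constructed image below


def build_pe(sections):
    """Constructed minimal PE32 image: DOS stub, PE signature, COFF header,
    optional header and section table, then each section's raw block padded
    with zeros to FILE_ALIGN the way a linker does.
    `sections` is a list of (name, virtual_size, raw_bytes)."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 36, FILE_ALIGN)      # FileAlignment field
    hdr_len = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)
    first_raw = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    table, body, raw_ptr, va = b"", b"", first_raw, 0x1000
    for name, vsize, raw in sections:
        raw_size = -(-vsize // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIII16x", name, vsize, va, raw_size, raw_ptr)
        body += raw.ljust(raw_size, b"\0")[:raw_size]
        raw_ptr, va = raw_ptr + raw_size, va + 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return hdr.ljust(first_raw, b"\0") + body


def section_slack(image):
    """For each section return (name, slack_bytes, nonzero_bytes_in_slack).
    The slack is the space a space-filling infector can use without growing
    the file, so non-zero bytes in it on an unmodified build are a red flag."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table = pe + 24 + opt_size
    report = []
    for i in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        pad = image[rptr + vsize:rptr + rsize]       # empty when rsize <= vsize
        report.append((name.rstrip(b"\0").decode(), len(pad), sum(1 for b in pad if b)))
    return report


# Constructed samples: a clean build, and a copy with 32 bytes planted in .text's slack.
CLEAN = build_pe([(b".text", 0x150, b"\xC3" * 0x150), (b".data", 0x400, b"\x01" * 0x400)])
TAMPERED = build_pe([(b".text", 0x150, b"\xC3" * 0x150 + b"\xAA" * 0x20), (b".data", 0x400, b"\x01" * 0x400)])
```

Real executables often carry legitimate non-zero bytes in section padding (debug data, linker names), so on real files treat a hit as a reason to compare against a known-good copy rather than as proof of infection.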

Myth: I disinfected CIH, but it keeps coming back. I have to format the hard drive.
Fact: There are a few possible reasons for CIH coming back:

  1. An infected file was in use during the disinfection. A file cannot be disinfected while it is being used by Windows. The solution is to exit Windows completely and run a DOS antivirus program. AVP is the only Windows 95 program I know of that can handle "in use" files properly.
  2. An infected file is stored in a compressed or archived file such as InstallShield. Use your antivirus program's memory resident feature. It should detect the infected file as soon as it is extracted, before it can be run.
  3. McAfee Scan version 3 misses CIH in some files. Use a different antivirus or upgrade to version 4.

Any other myths about CIH? Please e-mail me.
