The CIH virus would emerge some eleven (11) years later, taking the initials of its purported creator, Chen Ing-hau, who was a student at Tatung University in Taiwan. Ing-hau’s virus was perhaps an academic response to the security industry; he holds that his intent was not malicious, but to refute unsubstantiated claims about anti-virus (AV) protection. The CIH virus was the first of its kind to overwrite a computer’s Basic Input-Output System (BIOS) and part of its hard disk. Although the CIH virus was detected in 1998, it wasn’t set to deliver its payload (a technical term for a package of commands which perform a specific task) until 1999.
How the CIH Virus got its “Chernobyl” Name
After his CIH virus spread throughout his college campus, Chen Ing-hau confessed, apologized, and helped co-author an AV solution. No charges were brought against him because Taiwanese law at that time held that if no one filed a complaint with authorities, an alleged offender could not be prosecuted. But the extent of his virus’ damage would not be realized until its payload’s delivery on April 26, 1999, which marked the thirteenth (13th) anniversary of the Chernobyl disaster in the Soviet Union. A lot of speculation surrounds the timing of the payload, but Ing-hau maintains it was coincidental. The CIH virus would mostly inflict damage throughout Asia and the Middle East, but the United States and the United Kingdom would be impacted, as well.
Why the CIH Virus is called a “Spacefiller”
Viruses typically append themselves to the end of a program file. AV and computer industry experts classify the CIH virus as a “spacefiller” because it instead injects its code into empty spaces within program files. This is somewhat different from the Lehigh virus, which is commonly known as a cavity: with Lehigh, only one particular file on each disk can be infected, which makes it more comparable to a boot sector virus.
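To show what “empty spaces within program files” means from a defender's side, the following added example (not part of the original article) measures the unused tail of each section in a Windows PE executable and counts the non-zero bytes found there. It assumes the PE format used by Windows 95 and 98 programs; `section_cavities` and `build_sample` are hypothetical names, and the sample file is constructed.

```python
import struct

def section_cavities(pe: bytes):
    """Return (section, slack_bytes, nonzero_bytes_in_slack) for each PE section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)       # offset of the PE header
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    n_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                     # first section header
    results = []
    for i in range(n_sections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        # Slack = bytes stored on disk beyond what the section really uses.
        slack = max(raw_size - vsize, 0)
        tail = pe[raw_ptr + vsize:raw_ptr + raw_size] if slack else b""
        nonzero = sum(1 for b in tail if b)
        results.append((name.rstrip(b"\0").decode("ascii", "replace"), slack, nonzero))
    return results

def build_sample(tail_fill: bytes) -> bytes:
    """Constructed two-section PE skeleton; only the fields read above are set."""
    buf = bytearray(0x800)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, 2)         # i386, two sections
    struct.pack_into("<H", buf, 0x94, 0)                 # no optional header here
    struct.pack_into("<8sIIII", buf, 0x98, b".text", 0x190, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", buf, 0xC0, b".data", 0x200, 0x2000, 0x200, 0x400)
    buf[0x200:0x390] = b"\x90" * 0x190                   # .text content in use
    buf[0x400:0x600] = b"\x01" * 0x200                   # .data content in use
    buf[0x390:0x390 + len(tail_fill)] = tail_fill        # bytes placed in .text slack
    return bytes(buf)

if __name__ == "__main__":
    for label, fill in (("clean", b""), ("modified", b"\xCC" * 64)):
        for name, slack, nonzero in section_cavities(build_sample(fill)):
            # Non-zero slack is an indicator to investigate, not proof of infection.
            flag = "CHECK" if nonzero else "ok"
            print(f"{label:9} {name:6} slack={slack:4} nonzero={nonzero:3} {flag}")
```

Because the file size does not change when slack is filled, a size comparison alone misses this kind of modification; comparing hashes against a known-good copy remains the stronger check.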
The CIH virus is also economical—weighing in at about one (1) kilobyte (kb). But after its payload is executed, it overwrites the first 1024kb, or one (1) megabyte (MB) of the hard disk with zeros. This deletes the partition table’s content and will produce what is widely known as the blue screen of death. For many computers, the first MB of data on the hard drive is the master boot record (MBR), where the code for executing the operating system (OS) gets loaded. If a second payload is executed, the infected machine will not even start and will require a replacement of the Flash BIOS.
Although solutions were later written to fix infected hard disks and even rewrite their BIOS, there was an estimated $1 billion in damages to owners of computers running the Windows 95 and 98 operating systems. Macintosh and other Windows machines (namely, its NT and 2000 operating systems) were not affected. A later version of the CIH virus surfaced in 2001 as the LoveLetter Worm, which supposedly contained a nude image of actress and dancer Jennifer Lopez. Others were released as well, but they present little to no danger, as only limited support for these older operating systems exists.
Variations of the CIH Virus
- CIH version 1.2 (CIH.1003)
- CIH version 1.3 (CIH.1010.A)
- CIH version 1.4 (CIH.1019)