CIH Virus and How It Really Works

CIH Virus

In 1940 mathematician John von Neumann was the first person to discuss the idea about CIH virus and in 1966 “Theory of Self-Reproducing Automata” was published.

The publication was a thought experiment that speculated that it would be possible for a “mechanical organism—such as a piece of computer code—to damage machines, copy itself and infect new hosts, just like a biological virus.”

Today computer malware proliferated just like John von Neumann speculated; he called it “mechanical organism,” we call it malware; a software that is designed to take over or damage a computer without the user’s knowledge or approval. 

What is a computer virus? According to, a Virus is a program that attempts to damage a computer system and replicate itself to other computer systems.

Some noted characteristics of a CIH virus are

  •   A virus requires a replication mechanism, which is a file that it uses as a host. When the host file is shared, the Virus will attack to next host user. 
  •   Viruses typically attach to files with execution capabilities such as .doc, .exe, and .bat extensions. Many viruses are distributed via email and go to everyone in your address book, or it can be spread by via CD/DVD or flash drive. 
  •   The Virus only replicates when an activation mechanism is triggered. For example, each time the infected file or program executes, the Virus is activated. 
  •   The Virus programmed with an objective, which is usually to destroy, compromise, or corrupt data.

CIH virus computer

A 24 years old student in Taiwan named Chen Ing-Halu created Chernobyl Virus, (CIH, Initials of the hacker), the first computer virus that affected computer hardware.

I chose CIH because it was the first time a virus was programmed to activate its payload on April 26 (April 26, 1986, Chernobyl’s react accident anniversary), deletes all information from the hard disc by formatting it, overwrite system BIOS, causing the machines to crash.

The CIH Virus, first discovered by the authorities of his home country, Taiwan in 1998, and quickly became one of the most commonly encountered viruses in the wild. 

The CIH Virus was created to attack Microsoft Operating Systems (from Win 95 up to Win XP if Windows Validation tool was disabled) and it infected executable files with an Exe extension.

During 1998 pirated software were very common, and the first group to get affected by the Virus were software pirates dedicated to transferring games files over the Internet like P2P networks or as known as torrents.

Through torrents or CD’s CIH rapidly spread throughout the world.  In Korea, the CIH Virus effected approximately one million computers totaling $250 million.

In the US, machines in Boston College, infected, many destroyed or lost their information and final exams had to cancel. Also, computers in Singapore, Hong Kong, India, and many other countries around the world infected with the CIH.

Furthermore, some companies unintentionally released their software infected the CIH Virus.” Three gaming magazines from Europe shipped CDs infected with the CIH and one even reportedly included a note informing users about the Virus and suggesting they disinfect their computers after using the CD.

Yamaha shipped an infected firmware upgrade for their CD-R400 drives. IBM Aptiva computers came with the Virus pre-installed in 1999 March.” It is estimated that the CIH infected over 60 million computers and causing $20 billion in damages worldwide.

The creator of Chernobyl/CIH virus Chen Ing-Halu was caught by the police but was released without any penalty because were no laws against hacking in Taiwan. 

CIH/Chernobyl Virus was a nightmare for Microsoft Operating Systems users. The CIH virus created with the intent to destroy computer machines.  How the CIH Virus activated its payload?

First, it captures the Installable File System (IFS), and the Virus will detect when a file with an extension .exe used. Second, EXE files in Portable Executable (PE) format have unused space within the file.

Therefore when the Virus extracts its payload, it doesn’t increase. EXE file size and no triggers go off to alarm antivirus software.

Lastly, the CIH Virus will infect all remaining. EXE files in the system. The CIH Virus intent was to delete all information from hard disk by reformatting it, then overwrite computers BIOS.

When a user starts his/her computer, the BIOS code accesses hardware to test system memory and disk drives if the computer is booted, then the hard disk will load the operating system at boot.

When CIH is active on user’s machine, this messages with appearing at boot “Non-System Disk when booting from the hard drive and invalid media when trying to boot from floppy)”.

At this point, the Virus has erased the hard drive and overwrote the system’s BIOS as well. CIH is also known as “Spacefiller”. It was given this name is because most viruses write their code to the end of the infected file.

What the CIH did was look for gaps in the existing program code where it writes its own code.  With this ability, it does not increase the file size and in doing so it helps the Virus avoid detection.

Symantec recommendation removal process of CIH

Use Symantec CIH removal tool to clean infections from CIH virus. This tool will remove the Virus from memory and prevents the need to reboot from a clean system disk.

Disable System Restore (Windows Me/XP) because System Restore may back up the Virus, worm, or Trojan on the computer.

Update the virus definitions.

Run a full system scan.




Post Author: Sadman

1 thought on “CIH Virus and How It Really Works

    Ellyn Retterbush

    (July 9, 2019 - 11:06 am)

    My brother recommended I might like this website. He was once entirely right. This post actually made my day. You cann’t consider simply how so much time I had spent for this info! Thank you!|

Leave a Reply

Your email address will not be published. Required fields are marked *