27 years ago today, on April 26, 1999, a 1 KB virus called CIH detonated its payload on hundreds of thousands of Windows 9x machines worldwide, zeroing out hard drives and flashing junk data to motherboard BIOS chips.
The virus, written by Taiwanese university student Chen Ing-hau at Tatung University in 1998, is believed to have infected around 60 million computers and caused an estimated $40 million in commercial damage, earning the nickname "Chernobyl" because its April 26 trigger date happened to coincide with the anniversary of the 1986 nuclear disaster.
Chernobyl was also known as a space filler virus for the way it concealed itself inside executables. Instead of appending code to the end of a file and inflating its size, CIH scanned Windows Portable Executable files for unused gaps between code sections and split its payload across those spaces. Infected files remained the same size, which defeated the file-size checks that many antivirus tools of the era relied on. At roughly 1 KB, the virus was compact enough to distribute itself across a handful of tiny cavities in a single EXE.
Latest Videos From
Once running, CIH used an exploit to escalate from processor ring 3 to ring 0, giving it kernel-level access to hook file system calls and silently infect every executable a user opened. It worked only on Windows 95, 98, and ME; Windows NT was immune.
CIH spread globally through pirated software channels in the summer of 1998, but several infections came from legit commercial sources like IBM’s Aptiva PCs, a batch of which shipped with CIH pre-installed in March 1999, one month before the trigger date. Yamaha also distributed an infected firmware update for its CD-R400 drives, and copies of the tool Back Orifice 2000 handed out at DEF CON 7 in July of the same year also carried the virus.
When CIH activated, its dual payload first overwrote the initial megabyte of the boot drive with zeros, destroying the partition table and rendering the disk's contents inaccessible. It then attempted to flash garbage data to the motherboard's BIOS chip, which, if successful, left the machine unable to power on at all without a chip replacement. The BIOS attack worked primarily on systems using certain Intel 430TX-based chipsets with unprotected flash memory.
Despite the scale of the damage, Taiwanese prosecutors couldn’t charge Chen because no victims came forward with a lawsuit, as required under local law at the time, and Chen had claimed he wrote CIH to challenge antivirus vendors who he felt overstated their products' detection capabilities. The incident prompted Taiwan to pass new computer crime legislation.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.
Chen had claimed he wrote CIH to challenge antivirus vendors who he felt overstated their products' detection capabilities.
This is something they still do. Crypters have been thwarting AV detections for decades, and yet vendors still market their products as some kind of panacea. There are botnets that go totally undetected for years, though, and all it takes is keeping payloads fresh. Most competent operators recrypt and redeploy once a month or so, which lets them stay out ahead of vendor signatures.
This is something they still do. Crypters have been thwarting AV detections for decades, and yet vendors still market their products as some kind of panacea. There are botnets that go totally undetected for years, though, and all it takes is keeping payloads fresh. Most competent operators recrypt and redeploy once a month or so, which lets them stay out ahead of vendor signatures.
That claim was always ridiculous, because Emil Post already proved in 1946 that virus-or-not is fundamentally undecidable.
"its dual payload first overwrote the initial megabyte of the boot drive with zeros, destroying the partition table and rendering the disk's contents inaccessible."
Difficult to access, not inaccessible. All your data would still be there, and there would be no reboots to "corrupt" it.
