Virus Warning:

CIH Virus Technical Details:

This virus is known as CIH, Win32/CIH, Win95/CIH or PE_CIH. There are currently five versions of this virus. They are all designed to infect Windows 32 bit executables (PE type executable) but none of these currently work on NT systems. They work on some releases of Windows 95 and Windows 98. When an infected program (.EXE file) is executed, the virus remains resident in memory and will infect other programs as they are accessed. We have reports that CIH was spread via the usenet news groups recently (especially Warez related groups!). This appears to have been done deliberately. This virus is not too likely to spread from machine to machine on it's own (it tends to be rather obvious and produce a number of program crashes). CIH refuses to infect some self-extracting files. CIH has no stealth capability but some variants of CIH infect executables without increasing the size of the file. The size of all five variants is little over 1,000 bytes.

The CIH Virus Payload (BIOS Attack)

Two variants have no destructive payload but the most common variant activates on the 26th of every month (others on the 26th of specific months). Here is what happens on the 26th:

CIH attempts to overwrite the BIOS on Pentium PCs that have flashable BIOS PROMS (the chip that contains the low level BIOS software) on Intel 430TX compatible chips. PCs that are protected by a write-protect jumper and Intel motherboards with the iFlash logo on the BIOS chip are not vulnerable to this attack. If the PC is vulnerable, it will be unbootable (even from diskette) after this attack and the BIOS chip will need to be replaced or reprogrammed from an outside source. The PC can't be booted in order to reflash (reprogram) the chip normally.
It overwrites the first 14 sectors of your hard disk, further making your PC unbootable (this works on almost all PCs) but the disk can be be made bootable and restored from a backup.

If your PC has a flash BIOS write protect jumper on the motherboard, we strongly encourage you to make sure it is in the write-protect position!

What is a Flashable BIOS?

All PCs contain a chip called a BIOS chip. This is a ROM (Read Only Memory) or a PROM (Programmable Read Only Memory) chip containing software that is essential to boot your PC. The BIOS software contained on this chip is the software that is immediately executed when you turn on your PC and provides the low-level access to your disk, video, and keyboard. It reads your configuration from the CMOS configuration memory and then loads the boot programs from your hard disk (or floppy). If this BIOS software is damaged, there's a good chance that your PC will be unable to boot (even from floppy) or recognize the hardware attached to it. On older PCs (pre-Pentium) the BIOS is almost always a ROM (Read Only Memory) chip and can not be reprogrammed. On newer PCs, this chip is usually a PROM (Programmable Read Only Memory). This type of chip can be rewritten. Sometimes the chip can be rewritten by software running on the PC itself. Such chips are usually referred to as "flashable" BIOS chips. The chip can be "flashed" or rewritten by special software running on the PC.

There is no single standard way to write to a flashable BIOS chip. Different commands must be used for different types of these chips. The CIH virus knows how to overwrite the contents the 430TX compatible chips. If this happens, the PC will be unbootable, until the chip is reprogrammed or replaced.