You are viewing a Web site, archived on 09:00:12 Oct 15, 2004. It is now a Federal record managed by the National Archives and Records Administration.

Frequently Asked Questions About the CIH Virus

Last Updated: April 27, 1999

  • Have you received any reports of infected machines or damaged machines?
    As of 1:30pm EDT (GMT-0400) April 27th, 228 sites including 2328 hosts have reported directly to the CERT Coordination Center that they have suffered damage by the CIH virus. Since not everyone reports incidents directly to the CERT Coordination Center, we believe the actual number of affected systems is higher.

  • What operating system does the CIH virus affect?
    CIH is a Portable Executable (PE) infector. PE files are used by Windows 95, 98, and NT, but due to the way CIH works, NT systems are not able to spread the virus to other files on the local system. Operating systems other than Windows 95/98 are not affected by the virus. This includes UNIX, Windows NT, and MacOS; however, if one of these operating systems is acting as a file server, and the server has an infected file, Windows 95/98 clients can be infected if they execute the file.

  • How concerned should I be?
    If your anti-virus software is up-to-date and you have recently scanned your computer for viruses, you should not have to worry. Keep in mind that other executables that you run may be infected. These can come from a number of sources: floppy disks, email attachments, internal network servers, and the Internet. Be cautious when running executable files received from others; scan the executable files with your anti-virus software.

    For more information about the other dangers of running executables from other sources, see CERT Advisory CA-99-02, available at

    http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

  • Do you know the significance of April 26, 1999? Why is the virus called CIH/Chernobyl?
    April 26, 1999 is the 13th anniversary of the Chernobyl disaster. There are a number of variants of the CIH virus. Some variants will trigger every month on the 26th (CIH.1019) while other variants trigger only on April 26th (CIH.1003, CIH.1010.A) or June 26th (CIH.1010.B). The virus does not look for a specific year.

  • If I receive the virus from someone, should I notify them?
    Yes. We encourage you to notify them. More information about dealing with incidents can be found in our Incident Reporting Guidelines.

    http://www.cert.org/tech_tips/incident_reporting.html

  • How damaging can this virus be?
    The damage can be great. Once the virus is triggered, the first 2048 sectors of each hard drive in the computer are overwritten with random data. This area of the hard drive contains important information about the files on the computer. Without this file information, the computer will think the hard drive is empty.

    The virus will also write one byte of data to the BIOS boot block which is critical for booting a computer. Writing to the system BIOS can be prevented by setting a jumper on most motherboards. Contact the computer vendor or motherboard vendor for assistance with their product.

  • How do I recover my data if the CIH virus was triggered?
    The data might not be recoverable, but a data recovery service might be able to restore some portion of the data.

  • If I set my computer's date to April 27, or if I don't use the computer on April 26, will I avoid damage?
    Yes, since one of the triggers for the CIH virus is the date. If you are trying to do this on April 26th, we recommend changing the date through the BIOS before the operating system starts. This is only a temporary solution, since some variants of the CIH virus trigger every month on the 26th. We recommend properly detecting and removing any viruses you may have with your anti-virus software.

  • I am having problems installing my anti-virus package or an update to the anti-virus package. What should I do?
    Contact the vendor for assistance with their product.

  • I am having problems finding a company's anti-virus software to download or updates for a vendor's anti-virus package. What should I do?
    Some vendors have given us information about updates to their products for the CIH virus. That information is in incident note IN-99-03:

    http://www.cert.org/incident_notes/IN-99-03.html

    If your vendor is not listed, or you are having difficulty finding the vendor's products or updates, contact the vendor for further assistance.

  • Do you endorse a specific anti-virus product?
    No. As a federally-funded research and development center (FFRDC), by law we are not permitted to endorse products.

  • Who wrote CIH? Why was CIH written? What crimes has the author committed? What is the status of the investigation?
    The CERT Coordination Center is a technical organization. We concentrate on the technical aspects of computer security problems. We have no legal authority and we do not "catch the bad guys."

    For more information about the CIH virus see IN-99-03 available at

    http://www.cert.org/incident_notes/IN-99-03.html

    This document is available from: http://www.cert.org/tech_tips/CIH_FAQ.html
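
The damage described under "How damaging can this virus be?" leaves a recognizable pattern that can be checked on a raw disk image during triage. The following is an added example, not part of the original CERT FAQ: it reports whether the first 2048 sectors of an image look like random data and whether sector 0 still ends with the 55 AA boot signature. The 512-byte sector size, the entropy threshold of 7.0 bits per byte, the 0.9 cut-off and both sample images are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

SECTOR = 512          # assumed bytes per sector
WIPED_SECTORS = 2048  # region the FAQ says the payload overwrites

def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (8.0 = uniform)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def triage(image: bytes, threshold: float = 7.0) -> dict:
    """Heuristic check of the first 2048 sectors of a raw disk image."""
    region = image[:SECTOR * WIPED_SECTORS]
    if len(region) < SECTOR:
        raise ValueError("image is shorter than one sector")
    # Split into whole sectors; a trailing partial sector is ignored.
    sectors = [region[i:i + SECTOR]
               for i in range(0, len(region) - SECTOR + 1, SECTOR)]
    noisy = sum(entropy(s) >= threshold for s in sectors)
    fraction = noisy / len(sectors)
    return {
        "sectors_checked": len(sectors),
        # A valid MBR or boot sector ends with the bytes 55 AA.
        "boot_signature": region[510:512] == b"\x55\xaa",
        "noisy_fraction": fraction,
        # Assumed cut-off: nearly every sector looks like random data.
        "verdict": ("likely overwritten" if fraction >= 0.9
                    else "no overwrite pattern"),
    }

def sample_images():
    """Constructed test data: a plausible intact image and a wiped one."""
    boot = b"\xeb\x3c\x90MSWIN4.1".ljust(510, b"\x00") + b"\x55\xaa"
    intact = boot + bytes(SECTOR * (WIPED_SECTORS - 1))
    rng = random.Random(1999)  # fixed seed so the sample is repeatable
    wiped = bytes(rng.getrandbits(8) for _ in range(SECTOR * WIPED_SECTORS))
    return intact, wiped

if __name__ == "__main__":
    for name, img in zip(("intact", "wiped"), sample_images()):
        print(name, triage(img))
```

High entropy alone is not proof of damage, since compressed or encrypted data stored in that region also looks random; treat the verdict as a prompt for closer examination of the image.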