Frequently Asked Questions About the CIH Virus
Last Updated: April 27, 1999
As of 1:30pm EDT (GMT-0400) April 27th, 228 sites including 2328 hosts have reported directly to the CERT Coordination Center that they have suffered damage by the CIH virus. Since not everyone reports incidents directly to the CERT Coordination Center, we believe the actual number of affected systems is higher.
CIH is a Portable Executable (PE) infector. PE files are used by Windows 95, 98, and NT, but due to the way CIH works, NT systems are not able to spread the virus to other files on the local system.
Operating systems other than Windows 95/98 are not affected by the virus. This includes UNIX, Windows NT, and MacOS; however, if one of these operating systems is acting as a file server, and the server has an infected file, Windows 95/98 clients can be infected if they execute the file.
If your anti-virus software is up-to-date and you have recently scanned your computer for viruses, you should not have to worry.
Keep in mind that other executables that you execute may be infected. These can come from a number of sources: floppy disks, email attachments, internal network servers, and the Internet. Be cautious when running executable files received from others; scan the executable files with your anti-virus software. For more information about the other dangers of running executables from other sources see CERT Advisory CA-99-02 available at
April 26, 1999 is the 13th anniversary of the Chernobyl disaster. There are a number of variants of the CIH virus. Some variants will trigger every month on the 26th (CIH.1019) while other variants trigger only on April 26th (CIH.1003, CIH.1010.A) or June 26th (CIH.1010.B). The virus does not look for a specific year.
Yes. We encourage you to notify them. More information about dealing with incidents can be found in our Incident Reporting Guidelines.
http://www.cert.org/tech_tips/incident_reporting.html
The damage can be great. Once the virus is triggered, the first 2048 sectors of each hard drive in the computer are overwritten with random data. This area of the hard drive contains important information about the files on the computer. Without this file information, the computer will think the hard drive is empty.
The virus will also write one byte of data to the BIOS boot block which is critical for booting a computer. Writing to the system BIOS can be prevented by setting a jumper on most motherboards. Contact the computer vendor or motherboard vendor for assistance with their product.
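
As an added example (not part of the original CERT FAQ), the following Python check triages a raw disk image for the damage described above: a missing boot signature and random-looking content across the first 2048 sectors. The 512-byte sector size, the entropy threshold, the 0.9 ratio and the sample images are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

SECTOR_SIZE = 512      # assumption: 512-byte sectors (not stated on the page)
WIPED_SECTORS = 2048   # from the page: the first 2048 sectors are overwritten
HIGH_ENTROPY = 7.0     # assumption: bits/byte threshold for "looks random"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def triage_image(image: bytes) -> dict:
    """Inspect the region the page says CIH overwrites and report indicators."""
    region = image[:SECTOR_SIZE * WIPED_SECTORS]
    sectors = [region[i:i + SECTOR_SIZE] for i in range(0, len(region), SECTOR_SIZE)]
    # An intact MBR ends sector 0 with the boot signature bytes 0x55 0xAA.
    mbr_ok = len(region) >= SECTOR_SIZE and region[510:512] == b"\x55\xaa"
    random_like = sum(1 for s in sectors if shannon_entropy(s) >= HIGH_ENTROPY)
    ratio = random_like / len(sectors) if sectors else 0.0
    return {
        "mbr_signature_present": mbr_ok,
        "sectors_checked": len(sectors),
        "random_like_ratio": ratio,
        # Heuristic verdict: no boot signature and most of the region looks random.
        "consistent_with_overwrite": (not mbr_ok) and ratio > 0.9,
    }


def make_sample_images():
    """Constructed sample data: an intact-looking image and an overwritten one."""
    size = SECTOR_SIZE * WIPED_SECTORS
    healthy = bytearray(size + 8 * SECTOR_SIZE)
    healthy[510:512] = b"\x55\xaa"
    rng = random.Random(26)  # fixed seed so the constructed sample is repeatable
    damaged = bytearray(healthy)
    damaged[:size] = rng.getrandbits(8 * size).to_bytes(size, "little")
    return bytes(healthy), bytes(damaged)


if __name__ == "__main__":
    for name, img in zip(("healthy", "damaged"), make_sample_images()):
        print(name, triage_image(img))
```

Run it against a read-only copy of the image, and treat the verdict as a triage hint rather than proof of CIH damage.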
The data might not be recoverable, but a data recovery service might be able to restore some portion of the data.
Yes, since one of the triggers for the CIH virus is the date. If you are trying to do this on April 26th we recommend changing the date through the BIOS prior to the operating system starting. This is only a temporary solution since some variants of the CIH virus trigger every month on the 26th. We recommend properly detecting and removing any viruses you may have with your anti-virus software.
Contact the vendor for assistance with their product.
Some vendors have given us information about updates to their products for the CIH virus. That information is in incident note IN-99-03:
http://www.cert.org/incident_notes/IN-99-03.html
If your vendor is not listed, or you are having difficulty finding the vendor's products or updates, contact the vendor for further assistance.
No. As a federally-funded research and development center (FFRDC), by law we are not permitted to endorse products.
The CERT Coordination Center is a technical organization. We concentrate on the technical aspects of computer security problems. We have no legal authority and we do not "catch the bad guys."
For more information about the CIH virus see IN-99-03 available at