CIH (computer virus)
Windows 9x computer virus
From Wikipedia, the free encyclopedia
CIH, also known as the Chernobyl virus, is a computer virus that targets computers running the Windows 9x family of operating systems. There are several variants, with different trigger dates that cause the virus to activate on different days, ranging from once a month to once a year. The most widespread variant first activated on April 26, 1999, causing widespread damage to hundreds of thousands of computers worldwide and resulting in hundreds of millions of dollars of losses. CIH is notorious for its destructive payload, which overwrites critical areas of a computer's hard drive, leaving the data inaccessible. On some systems, it also intentionally corrupts the system's flash BIOS firmware stored on the motherboard. This makes the computer unable to boot, leaving it unusable until the BIOS chip or the entire motherboard is replaced.
| CIH | |
|---|---|
| (Image: hex dump of CIH 1.2) | |
| Malware details | |
| Alias | Chernobyl Virus |
| Type | File-infecting virus |
| Isolation date | June 1998 |
| Origin | Taiwan |
| Author | Chen Ing-Hau |
The virus spread widely and was extremely destructive. CIH spread primarily through infected software distributed over the Internet and on physical media, including pirated programs, software updates, and cover CDs attached to computer magazines. It exposed both security weaknesses in the Windows 95 and Windows 98 operating systems and risky user practices, including the widespread use of pirated software and the storage of important data without backup copies. It is one of the first widely distributed computer viruses known to be capable of damaging system firmware.
CIH was created by Chen Ing-hau while he was a computer science student at the Tatung Institute of Technology in Taiwan. He placed his initials in a text string within the virus code, leading to the name of the virus. It was written and first discovered in 1998, and spreads by infecting Portable Executable (PE) files used by Windows programs. When an infected program is run, the virus becomes memory-resident and infects other executable programs on the system. In the aftermath of the damage caused by the virus, Chen was questioned and detained by law enforcement agencies, but ultimately was never criminally charged.
History
The creator of the virus wrote several different versions of CIH beginning on April 26, 1998, identifying each of them with text strings that included "CIH" and a version number.[1] The antivirus company Sophos obtained its first sample of the virus in June 1998 from an infected file it received from a customer in Taiwan.[2][3] It identified CIH as a previously unknown Portable Executable (PE) file-infecting virus.[3] Researchers initially took interest in the new virus because of its unusual method of concealing itself within an infected file. At first, they thought that its payload was a destructive but otherwise unremarkable process that overwrote a critical section of the computer's hard drive with garbage data, corrupting the data stored there, but days before the June 26 trigger date used by two of the variants, they discovered an additional code section designed to damage the computer's BIOS.[3] By August, most major antivirus companies had received at least one variant of the virus from their customers, and several had confirmed the existence of multiple variants.[4]
Technical characteristics
CIH is a hardware-damaging computer virus that infects Portable Executable (PE) files on Windows 95, Windows 98, and Windows ME computers.[3] The source code was later released to the public by the author.[5]
PE files are the standard file format used by Windows for programs and related components. They contain all of the compiled code and data needed to load and run an application.[6] A PE file is divided into a number of sections, or objects, each of which must start at an address aligned to a multiple of a fixed number of bytes, from 512 bytes to several kilobytes. When the end of one section does not exactly reach the start of the next aligned address, the remaining bytes are filled with null characters to create "slack" space, which is essentially unused or wasted space. PE files commonly have five or six objects, each with some slack space at the end.[3]
The CIH virus takes advantage of the wasted space between objects in a PE file to store its code, allowing it to infect the file without increasing its size. This technique of storage in slack space, called cavity infection, had been seen before; the MS-DOS Lehigh virus, written in 1987, used a method similar to this.[3] By leaving the size of infected files unchanged, the virus is able to conceal the fact that the file has been modified.
Infection mechanism
Computers use signals called interrupts or traps that let programs notify the processor of an event requiring immediate handling. The operating system maintains a table, called the interrupt descriptor table (IDT), that lists which routines, called interrupt handlers, should execute when each of these signals is received. When the processor receives an interrupt, it temporarily stops what it is doing and runs the handler listed in the IDT for that event.[7]
When a CIH-infected program is run, the virus first modifies the IDT so that when a particular interrupt is received, the system stops what it is doing and runs the virus's code. The infected portion of the application then immediately triggers the newly hooked interrupt. Because the virus is now registered as the interrupt handler, the operating system runs it at a higher privilege level than a user application, giving it kernel-level access to otherwise restricted system memory and processor signals.[3]
The virus uses its kernel-level access to check the value stored in debug register 0. If the value is non-zero, CIH assumes that it is already resident in memory and returns control to the original program without doing anything. The use of debug register 0 appears to be designed to make analysis of the virus difficult, since many debugging programs use debug registers 0 and 1 during analysis.
Once the virus determines that it is not already resident in memory, it takes the steps to become memory-resident. It places a non-zero value in debug register 0, then it allocates memory in the area used by Virtual Device Driver code and uses that space to reconstruct its executable code from the fragments that are stored in the infected file. After reassembling itself in memory, the virus triggers the interrupt handler again, and uses its kernel-level privileges to install a file system hook, which causes its memory-resident code to be run every time the operating system opens, saves, or executes a file.[3]
After receiving a call from the file system hook, the virus examines the file that was being opened to determine whether it is a Windows PE file that has not already been infected. When it finds a potential target, it analyzes the PE header and section table to calculate how much of its code can be inserted into the unused padding space between each aligned section. If there is enough space in the file, the virus writes portions of its code into the slack space of each section and modifies the PE header so the virus will execute when the program runs. In the relatively rare case that the virus encounters a file that does not have enough slack space between the objects to fit its code, it will leave that file uninfected, but will still tag it as infected so it will not analyze the same file later. After the alteration is complete, the virus returns control to the operating system and the file operation proceeds normally.[3]
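The slack-space calculation described above can be turned into a forensic check. As an added example (not code from the article or from any real scanner), the following Python builds a constructed minimal PE32 image, computes each section's padding from the header and section table, and flags padding that holds anything other than null bytes, the property a cavity infection changes while leaving the file size unchanged. The PE layout constants are the standard ones; the sample sections and the marker bytes are constructed fixtures.

```python
"""Check a PE file's section slack (padding) for non-null bytes.

A cavity infector hides its code in the padding between aligned sections,
so the file size does not change. Scanning that padding for anything other
than nulls is one simple forensic check for the technique. The sample
image built here is a constructed fixture, not a real program.
"""
import struct

PE32_MAGIC = 0x10B
OPT_HEADER_LEN = 224        # PE32 optional header with 16 data directories
SECTION_ENTRY_LEN = 40


def align_up(n: int, align: int) -> int:
    """Round n up to the next multiple of align."""
    return (n + align - 1) // align * align


def build_sample_pe(sections, file_align=0x200) -> bytes:
    """Construct a minimal PE32 image (fixture only) from (name, payload) pairs."""
    opt = bytearray(OPT_HEADER_LEN)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)    # Magic
    struct.pack_into("<I", opt, 32, 0x1000)       # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)   # FileAlignment
    headers_len = 0x40 + 4 + 20 + OPT_HEADER_LEN + SECTION_ENTRY_LEN * len(sections)
    raw_ptr = align_up(headers_len, file_align)
    table, body, va = b"", b"", 0x1000
    for name, payload in sections:
        raw_size = align_up(len(payload), file_align)
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")    # padding is all nulls when clean
        raw_ptr += raw_size
        va += align_up(len(payload), 0x1000)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> "PE\0\0"
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_LEN, 0x102)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return header.ljust(align_up(len(header), file_align), b"\0") + body


def section_slack(data: bytes):
    """Return (name, slack_offset, slack_len, nonzero_bytes) for every section."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    result = []
    for i in range(num_sections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + SECTION_ENTRY_LEN * i)
        used = min(vsize, raw_size)               # bytes the loader actually maps from disk
        slack = data[raw_ptr + used:raw_ptr + raw_size]
        result.append((name.rstrip(b"\0").decode("ascii"), raw_ptr + used,
                       len(slack), sum(1 for b in slack if b)))
    return result


def suspicious_sections(data: bytes):
    """Names of sections whose padding holds anything other than null bytes."""
    return [name for name, _off, _n, nonzero in section_slack(data) if nonzero]


def with_marker_in_slack(data: bytes, offset: int, marker: bytes) -> bytes:
    """Fixture helper: overwrite part of an existing padding region in place."""
    return data[:offset] + marker + data[offset + len(marker):]


SAMPLE_SECTIONS = [(b".text", b"\x90" * 300), (b".data", b"A" * 1000)]  # constructed

if __name__ == "__main__":
    clean = build_sample_pe(SAMPLE_SECTIONS)
    text_slack_off = section_slack(clean)[0][1]
    marked = with_marker_in_slack(clean, text_slack_off, b"CONSTRUCTED-MARK")
    print("size unchanged:", len(clean) == len(marked))
    for name, off, n, nonzero in section_slack(marked):
        print(f"{name:8} slack@0x{off:x} {n:4} bytes, {nonzero} non-null")
    print("flagged:", suspicious_sections(marked))
```

Linkers do occasionally leave non-null bytes in padding, so in practice a hit is a prompt for closer inspection of the section and entry point rather than a verdict on its own.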
During normal operations, a computer executes many programs, so the virus can quickly infect many files on the computer.[8] The simple act of opening a clean file would cause it to become infected as long as the computer had write access to it, even if the computer was accessing it from another system over a network.[4]
This infection method allows CIH to function on operating systems in the Windows 9x family.[8] However, the stronger protection mechanisms in Windows NT, Windows 2000, Windows XP, and newer operating systems prevent user applications from modifying protected kernel resources, including the Interrupt Descriptor Table. Because CIH relies on this modification to initially gain kernel-level access, it is unable to install its memory-resident component or intercept file operations on these systems.[9]
Trigger and payload
Depending on the variant, CIH has annual trigger dates of April 26 or June 26, or monthly trigger dates on the 26th day of each month. If any infected file is executed on a computer on the trigger date while the virus is already in memory, the virus activates its payload.[3]
Flash BIOS attack
The first part of the payload attempts to overwrite a small but critical section of the computer's BIOS chip, leaving the system unable to boot.[3] The BIOS chip, installed on the computer's motherboard, performs basic hardware initialization and locates and launches the operating system when the computer starts.[10]
Early BIOS firmware was stored in ROM or EPROM chips programmed during manufacturing. They could not easily be changed in the event that an error was found on the chip, or new hardware support needed to be added at a later date. Later systems stored BIOS firmware on erasable chips that could be reprogrammed by removing the chip from the motherboard and reprogramming it with specialized hardware, but that was still relatively difficult for the end user.[10]
By the mid-1990s, flash ROM BIOS chips had become increasingly common. These chips were not only less expensive to manufacture, but they could also be reprogrammed without removing the chip from the motherboard.[10] To prevent accidental reprogramming, flash BIOS chips usually had some way to write-protect the chip during day-to-day operation. To reprogram the BIOS, the write protection needed to be disabled, often through a jumper or switch on the motherboard. However, in an effort to make it easier for end users to install BIOS updates, many manufacturers shipped motherboards and computers with the write protection already disabled, or without write protection at all. It was still difficult to develop software that was capable of reprogramming the BIOS without having a detailed knowledge of the flash memory chip as well as the motherboard chipset, but in many cases, the necessary information could be obtained from the manufacturers.[3]
When CIH attacks the BIOS, it attempts to write only a single byte to the flash chip. Because flash memory is erased and rewritten in fixed-size blocks, writing that single byte erases the rest of the block it belongs to. When the computer is restarted, the corrupted BIOS prevents the system from completing its startup process and launching the operating system, leaving the computer unusable until the BIOS chip or motherboard is replaced.[3]
Differences in flash memory chips and motherboard chipsets meant that not all computers were vulnerable to this attack. The attempt to write to the flash BIOS was only successful on systems using flash BIOS chips from certain manufacturers in combination with several popular Pentium motherboard chipsets, while attacks on other BIOS chips had no effect.[3]
Hard drive attack
The second component of CIH's payload is a destructive routine that targets the computer's hard drives. The virus overwrites the first megabyte of data on each hard drive in the computer with meaningless data copied from sections of memory.[3] This region of the disk normally contains critical structures such as the master partition table, boot sector, and important file system data. This destroys the records that tell the operating system where each file is located on the disk, making the hard drive contents inaccessible, even though the data itself is not destroyed. This makes recovery possible in many cases.[11] After performing this overwrite on the first disk, the virus performs an endless loop searching for additional disks on the computer, leaving the computer completely unresponsive to user input.[3]
Spread and distribution
When the virus was first discovered in June 1998, researchers believed that CIH had originated in Taiwan, because it was becoming widely distributed there.[3] A Taiwanese semiconductor manufacturer was an early victim, finding the virus on 400 of its 1,000 computers. It was able to successfully disinfect most of them before suffering major damage.[12]
By August, infections had been confirmed in the United States, Great Britain, France, Germany, Norway, Russia, Chile, Australia, and Korea.[3] The virus was rapidly spreading worldwide through the distribution of accidentally infected pirated software, particularly in Asia, where the buying and selling of pirated software was common and the use of antivirus software was relatively uncommon.[13]
The virus was also accidentally being distributed through infected files released from several commercial organizations. Wireplay, a popular UK-based dial-up gaming service affiliated with British Telecom, distributed a CIH-infected update to its client software for more than 27 hours in July 1998.[14] That same month, MPlayer.com, the third largest Internet gaming service with about 800,000 users, briefly hosted infected software updates on its website.[15] Also in July, an anonymous Internet entertainment company reported that it had discovered a CIH infection in automatic software updates that it was about to release that could have rapidly infected tens of thousands of its customers.[12]
Computer peripheral maker Yamaha posted an infected firmware upgrade for one of its CD-R drives on its servers, infecting an unknown number of customers.[16] In April 1999, computer manufacturer IBM discovered that several thousand of its Aptiva computers sold between March 5 and March 17 had been shipped with active CIH infections.[17]
Software company Origin Systems distributed a free copy of the game Wing Commander: Secret Ops with an installer infected with CIH from one of its two download servers for a short time.[18][19] Some gamers who downloaded a demonstration version of Activision's SiN that was released on one of the virus's trigger dates in July 1998 reported that their hard drives were erased by the virus after they installed the demo, although Activision denied responsibility for the infections.[16][19] A toolkit intended to resolve Y2K issues, distributed by a UK developer, was also found to be infected after seventy copies had already been provided to customers.[20]
CIH-infected compact discs (CDs) distributed with computer magazines also infected an unknown number of users.[21] The September 1998 issues of the UK's Ultimate PC Gaming magazine and Hungary's PC Guru magazine contained between 20 and 23 infected programs on their cover CDs. The Ultimate PC Gaming issue was withdrawn from sale and recalled from stores, while the publishers of PC Guru inserted a note into the magazine describing the virus as essentially harmless and advising the readers to disinfect their systems after installing any of the software on the CD.[20]
The March 1999 issue of ArabChip magazine and the February 1999 issue of Middle-East Windows Users Magazine also included software infected with CIH on their cover CDs.[22] CDs containing the release of Back Orifice 2000 distributed at DEFCON 7 were later found to be infected with the virus. A member of the Cult of the Dead Cow, the group that developed the software, released a statement saying, "Somehow we must have accidentally infected our own Defcon CD's with CIH v1.2 TTIT(Chernobyl). It was not our plan to do this, and frankly it makes us look like idiots."[23]
Media coverage and public response
After the potential damage caused by the virus became known, media reports began sounding the alarm in July 1998. Although one of the trigger dates of the 1.4 variant was July 26, the day passed without major damage in the United States. A representative of IBM's Thomas J. Watson Research Center commented that, "the virus just died. People just don't share executables."[24] Some commentators questioned whether the virus really posed much of a risk to most PC users.[25]
The July trigger date fell on a Sunday, when many computers were not in use. However, the next trigger date, August 26, fell on a Wednesday, and the impact was greater than it had been the previous month. Reports came in that about 750 Windows computers in the United States were affected.[11]
As April 26, 1999, approached, newspapers, television, and radio programs in the United States and Western Europe again warned about the potential impact of the CIH virus.[5] The date was a trigger for both the 1.4 variant and the much more widely distributed 1.2 variant.[26]
Some analysts remained skeptical about the level of risk posed by the virus, which was often referred to in the media as the "Chernobyl virus" because its April 26 trigger date coincided with the anniversary of the 1986 Chernobyl nuclear disaster. The previous month had already seen widespread disruption from the Melissa virus, a rapidly spreading macro virus that caused heavy network traffic and slowed down computer systems worldwide.[27] A columnist in the New York Times argued that the frequent virus threats were being exaggerated by antivirus companies in order to sell more antivirus software.[26] Steve Trilling, director of research at the Symantec Antivirus Research Center, noted that viruses tend to be the most dangerous during the first six months after their release, and that CIH had already been circulating for about eight months, suggesting that its impact might be limited.[28]
Impact
The April 26, 1999, trigger date of the CIH virus proved to be far more destructive than many analysts had expected.[29] Hundreds of thousands of computers were reported to have been affected by the virus, with damage estimates exceeding $250 million.[13]
In South Korea, 240,000 computers were reported to be affected across about 1,000 companies, 300 universities, and 200 public and government organizations.[13] The country's five largest PC communication services helped spread the infection, causing tens of thousands of customers who downloaded software from them to become infected.[21] Government officials estimated that roughly four percent of the nation's computers were affected, making it the worst computer virus outbreak the country had experienced.[30]
In China, state media reported that more than 100,000 computers had been affected, with five percent of those suffering serious damage.[31] In India, at least 10,000 businesses were affected, and The Indian Express reported that millions of dollars worth of data had been lost.[29][30] Another 10,000 computers were reportedly affected in Bangladesh, where officials described the outbreak as "the country's worst computer disaster."[30]
In Saudi Arabia and other Persian Gulf states, damages totaling millions of dollars were reported, and as many as 70,000 computers were affected.[32] The Gulf News Daily reported that up to ten percent of computer users in the United Arab Emirates had been impacted.[30] In Syria, the country's largest computer exhibition, Sham '99, held between April 25 and April 28, was disrupted when many exhibitors were forced to close their booths on the second day due to virus damage.[22]
Turkey reported that about 300,000 computers were damaged, including systems at an airport, at banks, and at state-run radio and television stations. The newspaper Radikal commented that "the warnings were there, but nobody took any notice of them."[29][30] In one unnamed former Soviet country, half of the nation's banks were reportedly unable to process transactions after the virus crippled systems.[5]
In the United States, the New York Times reported that fewer than 10,000 of the country's 50 million computers were affected.[33] The Computer Emergency Response Team (CERT) at Carnegie Mellon University reported confirmed damage to at least 2,328 computers, although officials noted that the true number was likely higher because organizations and individuals were not required to report virus incidents.[29] Technical support staff at Symantec Security reported being contacted by more than 500 individuals affected by the virus who had not been using antivirus software.[34]
Some analysts concluded that the United States and Western Europe were less severely affected than other places because the April trigger date occurred soon after the Melissa virus outbreak which had heightened awareness of computer virus threats.[5] In response to Melissa, many companies had already purchased antivirus software or updated their virus definitions.[34] Large numbers of users who downloaded antivirus tools to check for Melissa instead discovered and removed CIH infections, disinfecting thousands of computers before the trigger date.[35]
Prevention, detection and removal
The first line of defense against CIH was a regularly updated antivirus program.[3] The president of the company that produced AntiViral ToolKit Pro (AVP) stated that their product was the first to be able to detect and remove the virus, but by the summer of 1998, all of the major commercial antivirus utilities were able to detect CIH.[25][28] Any users who scanned their computers with software that had been updated after that time would have been able to identify and remove infections.[28] Antivirus programs detected CIH by recognizing a certain hexadecimal byte pattern in infected files that was common to all of the known variants.[36] Infected files that were stored inside installers or compressed archives such as ZIP files were sometimes more difficult for the scanner to detect.[14]
Another method of protecting against the virus's destructive payload was to remove the motherboard jumper that allowed the BIOS to be rewritten. Although this prevented the virus from overwriting the BIOS firmware, it did not protect the computer's hard drive data. Some motherboard manufacturers, however, had eliminated the jumper and had permanently enabled BIOS write access in order to reduce manufacturing costs.[3] To address this risk of accidental BIOS corruption, some manufacturers began implementing recovery mechanisms, where a small portion of the firmware was stored in non-flashable ROM so that the system could be recovered in the event of corruption.[4]
Removing the virus initially required restarting the computer from a clean boot disk, preventing the virus from loading into memory and infecting files as they were scanned. Later, antivirus vendors released small utility programs that could safely remove the virus from memory, allowing infected systems to be scanned and cleaned without restarting the computer.[34] Dedicated removal tools were made freely available by Sophos, Norton, Network Associates, and other vendors.[28]
Variants
Four closely related versions of the virus were originally detected in the wild, differing only in minor details.[36]
CIH 1.2, also known as CIH.1003, has a trigger date of April 26, one year after the creation of the original virus. In the media it became widely known as the "Chernobyl virus" because April 26 is the anniversary of the 1986 Chernobyl nuclear disaster.[8] This variant was the most widely distributed and was responsible for much of the damage caused on April 26, 1999.[26]
Two variants of CIH 1.3, also known as CIH.1010A and CIH.1010B, were identified. Both have a trigger date of June 26, and contain the internal text string "CIH v1.3 TTIT".[37]
CIH 1.4, also known as CIH.1019, has a trigger date on the 26th of every month, and contains the text string "CIH v1.4 TATUNG".[11][37]
In May 2002, a variant of the widespread Klez.h computer worm was discovered that was also spreading a new strain of CIH known as CIH.1049, which has a trigger date of August 2. This variant was not widely distributed.[38] The source code to the virus had been released to the public by this time, so the author of this and later variants is not known.[5]
A modified fifth variant, CIH.1106, was discovered in December 2002, but it was also not widely spread.[37]
Programmer
Law enforcement authorities in Taiwan identified the coder of the virus as a 24-year-old man named Chen Ing-hau.[34] When he wrote the virus, he was a computer engineering student at the Tatung Institute of Technology.[39] He told investigators that although he had shared the virus with other students at the school, he had warned them not to distribute it further. The virus caused damage to several computers at the college, but Chen was not expelled. The college instead issued him a demerit for creating the virus without also developing a method of detection and removal.[33]
After the widespread damage caused by the virus on April 26, 1999, Chen was questioned by investigators.[40] By that time, he had graduated and was serving Taiwan's two-year mandatory military service.[33] He told investigators that his goal when he wrote the virus had been to develop something that would embarrass antivirus software companies, which he called incompetent. He said that in the past, he had suffered from a virus attack that had caused him to lose data despite his having antivirus protection, and he believed that many of the programs were ineffective.[39]
Chen told investigators that he hadn't expected the virus to cause such widespread damage. He said he regretted writing the program and he publicly apologized to its victims.[39] Former classmates and instructors told investigators that Chen had boasted about creating the virus and had warned his friends not to download it to their computers. His classmates also noted that the virus name was based on his initials that had appeared within the program, CIH.[40]
Under Taiwanese law, intentionally causing damage to a computer could carry a sentence of up to three years in prison.[40] However, the law required a victim to file a formal complaint about the damage. When none of the victims of the virus filed a complaint against Chen, he was released without being charged.[41]
Authorities detained Chen again in September 2000 after a student in Taiwan filed a complaint when the virus struck his computer in April of that year.[42][41] Due to limitations in Taiwan's cybersecurity laws at the time, however, Chen was never tried or convicted of any crime.[43]
Legacy
In the aftermath of the damage caused by CIH, some computer users became extremely wary about computer viruses, and vulnerable to virus hoaxes. A hoax that spread around Syria warned about a devastating virus that was set to strike on June 1, 1999, but nothing happened. Media reports added to the hype, with official government newspapers warning about the "AIDS II virus sent via the Internet" despite the fact that the AIDS II virus was an old MS-DOS virus from 1989. The reports included fantastic claims, such as that it was spreading worldwide through email and could destroy memory chips, disk drives, expansion cards, and even speakers.[22]
On the other hand, the CIH infection did have some benefits, as it raised awareness that motivated companies to prioritize high-quality backup procedures for their critical data, and to deploy antivirus software and antivirus policies to protect their employees and resources.[22]
The worldwide transition from the Windows 9x family of operating systems to Windows XP, released in 2001, significantly reduced the effectiveness of many computer viruses by introducing stronger security protections and a more robust system architecture. Windows 9x systems were designed with an emphasis on compatibility with older MS-DOS and Windows 3.1 applications, which allowed ordinary user applications to have broad access to system resources, sometimes allowing them to modify low-level operating system structures.[44][45] However, Windows XP was based on the Windows NT architecture, which enforced a stricter separation between user applications and the operating system kernel, preventing user applications from directly altering critical system components. This design change reduced the ease with which malicious software could install memory-resident components, intercept system operations, and gain unrestricted access to hardware, and prevented older viruses from functioning.[45]
Before CIH, the potential dangers of allowing software to write to flash BIOS chips had been discussed, but the vulnerability had never been successfully exploited to cause damage.[3] CIH was the first time that a virus had been able to demonstrate the ability to destroy the BIOS on a computer.[46] At the time, firmware updates were not cryptographically verified, so any programmer who knew how to access the programming interface of the Flash BIOS could write whatever they wanted. Write access to the BIOS chip was often restricted through undocumented command sequences that unlocked the ability to write to the chip. However, once a programmer discovered the required sequence through manufacturer documentation, that knowledge could easily be shared with others.[43] In 2009, the National Institute of Standards and Technology (NIST) released a draft of Special Publication 800-147, which established guidelines for cryptographically signed BIOS updates designed to prevent unauthorized modification of firmware.[47]