Information and remedy for the CIH virus

CIH is a virulent and widespread computer virus working under Windows 95 and 98 systems. The Global CIH Information Center contains a wealth of information on the virus and shows how to protect yourself.

Contents

Background information

The CIH virus was first located in Taiwan in early June 1998. After that, it has been confirmed to be in the wild worldwide. It has been among the ten most common viruses for several months. CIH has been spreading very quickly as it has been distributed through pirated software.

The most common version of the virus, CIH 1.2, activates on the 26th of April. At this time, it can overwrite the hard disk and the flash BIOS of an infected computer -- causing complete loss of data, and possibly rendering the computer unusable. Data Fellows is advising all computer users to check their systems with an anti-virus program and back up their data.

CIH does not pose a risk to users of DOS, Windows 3.x, Windows NT or Macintosh users. It only replicates and activates under Windows 95 and Windows 98.

Virus Description Database Entries

  • The Data Fellows contains a searchable database of descriptions of thousands of viruses.
     

Timeline of the CIH virus

A Year of Terror:

June 2nd, 1998 First reports of the CIH virus from Taiwan
June 6th, 1998 First samples arrive to Data Fellows anti-virus labs
June 6th, 1998 Detection of CIH 1.2 added to F-Secure Anti-Virus
June 12th, 1998 CIH 1.3 found and added to FSAV
June 26th, 1998 CIH 1.3 activates with minor damages
June 30th, 1998 CIH 1.4 found and added to FSAV
July, 1998 An infected pirated version of Windows 98 found in internet circulation
August, 1998 Infected demo of Wing Commander game available on Origin Systems website
August, 1998 Two European PC gaming magazines ship cover CD-ROMs infected with CIH
August 26th, 1998 CIH 1.4 activates, first widespread media coverage
September, 1998 Yamaha ships an infected version of their software for CD-R drives
October, 1998 A widely distributed demo version of the Activision game SiN was found to be infected
March, 1999 CIH 1.2 was shipped on IBM Aptiva Computers
April 26th, 1999 CIH 1.2 activates for the first time

Detect and remove CIH

To check if you're currently infected with the CIH virus, download the CIH tester here {50Kbytes file, 20 seconds }. This is a small program which simply checks if CIH is currently active in your system.

  • If you're using Windows NT Workstation, Windows NT Server or Windows 3.1, remember, CIH does not spread under these operating systems, but you might still want to check your files if you share them with 95/98 users.

  • If you do choose to download the CIH Tester please follow these instructions.

    1. Save it to a floppy disk;
    2. Change it's file name from <cih.ex> to <cih.exe>     ( do this in dos if you find it difficult in windows )
    3. Then run the programme by double clicking on it in windows or typing <cih> in dos.

    That's it, it will tell you if you have the virus or not. Take it from there ....