Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Chernobyl
At a glance
Common name: | Chernobyl |
Technical name: | W95/CIH |
Threat level: | Medium |
Alias: | CIH, PE/CIH; CIH.C; CIHV; WIN95.CIH; W95/CIH; W95/CIH.1003; W95/CIH-10xx; CHERNOBYL; TSHERNOBYL; SPACEFIL; CIH.1019 |
Type: | Virus |
Effects: | It deletes the content of the hard disk, preventing the computer from starting. It deletes boot information from the BIOS. |
Affected platforms: | Windows 95 |
First detected on: | Aug. 6, 1998 |
Detection updated on: | March 17, 2006 |
Statistics: | No |
Proactive protection: | Yes, using TruPrevent Technologies |
Family: | VALENTIN |
Brief Description
Chernobyl is a resident virus that activates every April 26. It was given this name because the date coincides with the commemoration of the nuclear disaster that took place in Chernobyl in 1986.
This virus is extremely dangerous, as it deletes the content of the hard disk, preventing Windows NT, Windows 98 or Windows 95 computers from starting up. It also infects files with an EXE extension, but only in Windows 98 and Windows 95 computers.
In computers with an Intel Pentium microprocessor, it deletes the content of the BIOS.
In order to spread, it uses several means of transmission, but it does not use a specific method.
Visible Symptoms
After Chernobyl has infected a computer, various symptoms can be noticed:
- When the computer is started up, the following message is displayed:
  "DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER"
  This message indicates that the computer cannot be started. The reason for this is that Chernobyl has formatted the hard disk.
- If the computer is booted from another disk and then the C:/ drive is accessed, the following warning is displayed:
  "INVALID DRIVE SPECIFICATION"
  This means that the system does not recognize the hard disk because it is completely blank.
Tech details
Effects
On April 26, Chernobyl activates and carries out the following actions:
- It deletes all information from the hard disk by formatting it.
- It deletes the content of the BIOS in computers with an Intel Pentium microprocessor (based on 430TX).
- It infects executable files with an EXE extension used in Windows 98, Windows 95 or Windows NT computers.
Infection strategy
The routine followed by Chernobyl in order to carry out its infection is:
- It detects when a file with an EXE extension is used. It does this by capturing the IFS (Installable File System).
- It infects files with an EXE extension without arousing suspicion because it does not increase the file size. In order to do this, it distributes its infection code in the unused spaces in these files.
  - EXE files in PE (Portable Executable) format contain quite a few empty spaces. This is the reason Chernobyl targets them.
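The "empty spaces" described above can be measured from the PE section table. The Python sketch below is an added example, not Panda Security's code: it reports, per section, the alignment padding between VirtualSize and SizeOfRawData, which is why code placed there does not change the file size. The function names are hypothetical and the sample file is a constructed, non-runnable PE skeleton.

```python
import struct

def section_slack(pe: bytes):
    """Return (name, VirtualSize, SizeOfRawData, slack) for every PE section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: only NumberOfSections and SizeOfOptionalHeader are needed.
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    rows = []
    for i in range(count):
        name, vsize, _va, raw_size, _ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        # Bytes stored on disk past the section's real content are alignment padding.
        # A section with more memory than file data (e.g. .bss) has none.
        slack = max(raw_size - vsize, 0)
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw_size, slack))
    return rows

def build_sample():
    """Constructed, non-runnable PE skeleton with zero-filled sections."""
    # (name, VirtualSize, SizeOfRawData): constructed values, FileAlignment 0x200
    layout = [(b".text", 0x123, 0x200), (b".data", 0x3F0, 0x400), (b".bss", 0x1000, 0)]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x010F)
    headers, body, ptr, va = b"", b"", 0x200, 0x1000
    for name, vsize, raw in layout:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, ptr if raw else 0, 0, 0, 0, 0, 0)
        body += b"\0" * raw
        ptr += raw
        va += 0x1000
    image = dos + b"PE\0\0" + coff + b"\0" * 0xE0 + headers
    return image.ljust(0x200, b"\0") + body

if __name__ == "__main__":
    for name, vsize, raw, slack in section_slack(build_sample()):
        print(f"{name:<8} VirtualSize={vsize:#x} SizeOfRawData={raw:#x} slack={slack}")
```

On a clean file this padding is normally zero-filled, so non-zero bytes found in it are worth a closer look during triage.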
Means of transmission
Chernobyl does not use any special means of transmission. It can spread through the means normally used by viruses: e-mail messages, computer networks, FTP file transfers, CD-ROMs, floppy disks, etc.
Further Details
In order to give you further information about Chernobyl, below is a list of interesting facts:
- It first appeared in Taiwan, according to the Taipei authorities at the time.
- It was created by 24-year-old Chen Ing-Hau. The initials of his name, CIH, are one of the other names by which Chernobyl is known.
- The first people to be infected were groups of software pirates dedicated to transferring game files over the Internet. Through these groups, Chernobyl proliferated very rapidly worldwide.

CIH v1.2 TT IT.

Chernobyl is also the name of a virus family. This means that there are other viruses (variants) which are similar but slightly different. Below is a list of the most common ones:
- The variant Chernobyl.1010 activates on June 26 and its code contains the following string: CIH v1.3 TT IT.
- The variant Chernobyl.1019 activates on the 26th of any month and its code contains the following string: CIH v1.4 TATUNG.