27 years ago today, on April 26, 1999, a 1 KB virus called CIH detonated its payload on hundreds of thousands of Windows 9x machines worldwide, zeroing out hard drives and flashing junk data to motherboard BIOS chips.
The virus, written by Taiwanese university student Chen Ing-hau at Tatung University in 1998, is believed to have infected around 60 million computers and caused an estimated $40 million in commercial damage, earning the nickname “Chernobyl” because its April 26 trigger date happened to coincide with the anniversary of the 1986 nuclear disaster.
Chernobyl was also known as a space-filler (or cavity) virus for the way it concealed itself inside executables. Instead of appending code to the end of a file and inflating its size, CIH scanned Windows Portable Executable files for the unused, zero-filled padding left at the end of each section when its data is rounded up to the file's alignment boundary, and split its own code across those gaps. Infected files kept exactly the same size on disk, which defeated the file-size integrity checks that many antivirus tools of the era relied on. At roughly 1 KB, the virus was compact enough to fit into a handful of tiny cavities in a single EXE.
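To make the cavity idea concrete, here is an added example (written for this article, not code from CIH or from any antivirus product of the period) that builds a small constructed PE32 image in memory, measures the slack between each section's VirtualSize and its file-aligned SizeOfRawData, and reports any non-zero bytes found there. A clean linker leaves that padding zeroed, so non-zero bytes in the slack are a cheap lead for cavity infection. The section layout, sizes and planted bytes are hypothetical.

```python
"""Measure PE section slack ("cavities") and flag non-zero bytes inside it.

Added illustration for the article; not CIH's code and not a real AV engine.
The sample PE is constructed in memory with a hypothetical two-section layout.
"""
import struct

PE_SIG = b"PE\0\0"
FILE_ALIGN = 0x200       # on-disk section blocks are padded to this size
SECTION_ALIGN = 0x1000   # in-memory alignment (only needed to fill the header)
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(payload: bytes = b"") -> bytes:
    """Build a minimal PE32 with .text and .data; optionally plant `payload`
    in the .text slack the way a space-filler virus would (constructed data)."""
    hdr_size = 0x200
    sections = [(b".text", 0x100, 0x200),   # (name, VirtualSize, SizeOfRawData)
                (b".data", 0x180, 0x200)]
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)

    opt = bytearray(224)                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic = PE32
    struct.pack_into("<I", opt, 32, SECTION_ALIGN)
    struct.pack_into("<I", opt, 36, FILE_ALIGN)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)

    body, sect_hdrs = bytearray(), bytearray()
    raw_ptr, va = hdr_size, 0x1000
    for name, vsize, rsize in sections:
        sect_hdrs += struct.pack(SECTION_FMT, name, vsize, va, rsize, raw_ptr,
                                 0, 0, 0, 0, 0x60000020)
        # real data (NOPs stand in for code) followed by zero-filled slack
        block = bytearray(b"\x90" * vsize) + bytearray(rsize - vsize)
        if name == b".text" and payload:
            if len(payload) > rsize - vsize:
                raise ValueError("payload does not fit in the cavity")
            block[vsize:vsize + len(payload)] = payload   # cavity injection
        body += block
        raw_ptr += rsize
        va += SECTION_ALIGN

    headers = bytes(dos) + PE_SIG + coff + bytes(opt) + bytes(sect_hdrs)
    return headers.ljust(hdr_size, b"\0") + bytes(body)


def section_slack(pe: bytes):
    """Return [(name, slack_length, non_zero_bytes_in_slack)] per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sect_off = coff + 20 + opt_size
    result = []
    for i in range(nsect):
        name, vsize, _va, rsize, raw_ptr, *_rest = struct.unpack_from(
            SECTION_FMT, pe, sect_off + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        # A cavity exists only when the on-disk block exceeds the real data;
        # VirtualSize > SizeOfRawData means uninitialised data, not slack.
        if rsize <= vsize:
            result.append((name, 0, 0))
            continue
        start = min(raw_ptr + vsize, len(pe))   # clamp to file bounds
        end = min(raw_ptr + rsize, len(pe))
        slack = pe[start:end]
        result.append((name, end - start, sum(1 for b in slack if b)))
    return result


def looks_cavity_infected(pe: bytes) -> bool:
    """Heuristic: any non-zero byte in any section's slack."""
    return any(nz for _name, _len, nz in section_slack(pe))


if __name__ == "__main__":
    clean = build_sample_pe()
    bad = build_sample_pe(b"\xEB\xFE" * 8)   # 16 planted bytes, hypothetical
    print(len(clean) == len(bad), section_slack(clean), section_slack(bad))
```

Both images come out the same length, which is exactly why a size check never sees the infection. Treat hits as leads rather than verdicts: overlays, packers and some linkers also leave non-zero padding, so the next step is to inspect or emulate what sits in the slack.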
Once running, CIH escalated from processor ring 3 to ring 0 by abusing the fact that Windows 9x left the interrupt descriptor table writable from user mode: it pointed an interrupt entry at its own code and triggered that interrupt to execute with kernel privileges. From there it hooked the file-system API so that every executable a user opened was silently infected. It worked only on Windows 95, 98 and, later, ME; Windows NT, which enforced the user/kernel boundary, was immune.
CIH spread globally through pirated software channels in the summer of 1998, but several infections came from legitimate commercial sources. A batch of IBM Aptiva PCs shipped with CIH pre-installed in March 1999, one month before the trigger date. Yamaha distributed an infected firmware update for its CD-R400 drives, and copies of the remote-administration tool Back Orifice 2000 handed out at DEF CON 7 in July of the same year also carried the virus.
When CIH activated, its dual payload first overwrote the initial megabyte of the boot drive with zeros, destroying the partition table and rendering the disk's contents inaccessible. It then attempted to flash garbage data to the motherboard's BIOS chip, which, if successful, left the machine unable to boot at all until the chip was reprogrammed or replaced. The BIOS attack worked primarily on systems using certain Intel 430TX-based chipsets whose flash memory was not write-protected.
Despite the scale of the damage, Taiwanese prosecutors could not charge Chen at first because no victim came forward with a complaint, as local law required at the time. Chen said he wrote CIH to challenge antivirus vendors who, he felt, overstated their products' detection capabilities. The incident prompted Taiwan to pass new computer crime legislation.