ARCHIVED: What is the CIH virus, and how do I remove it?
The CIH virus, also known as Spacefiller or Chernobyl, has the potential to be particularly destructive in that it can make your Windows 95, 98, or Me computer unable to start by corrupting the flash BIOS. Even if CIH is unable to destroy the BIOS, it overwrites the hard disk with garbage, resulting in the loss of data. CIH infects 32-bit Windows 95, 98, and NT executables, but can function only under Windows 95, 98, and Me. CIH does not infect computers running Windows NT, 2000, or XP.
On April 26, 1999 (the anniversary of the Chernobyl nuclear accident), CIH's payload triggered for the first time and caused extensive damage. In Korea it was estimated that as many as one million computers were affected, resulting in more than $250 million in damage. Other trigger dates associated with variants of CIH include the 26th day of any month and May 19.
In case of infection, UITS recommends that you run the KILL_CIH.EXE file, then use the most current virus protection software to remove CIH.
The KILL_CIH.EXE file
To disable the virus and prevent it from spreading, you can obtain the KILL_CIH.EXE file, as well as instructions for using it, from the following Symantec site:
http://www.symantec.com/avcenter/venc/data/kill_cih.html
Virus protection software
After you run the KILL_CIH.EXE file, you need to remove the virus with an updated virus protection program such as Symantec AntiVirus (SAV). SAV is available to Indiana University affiliates via IUware.
For more information on CIH, see the following web sites:
http://www.cert.org/incident_notes/IN-99-03.html
http://www.symantec.com/avcenter/venc/data/cih.html
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=3827
This is document agzx in the Knowledge Base.
Last modified on 2018-01-18 12:26:02.