ARCHIVED: What is the CIH virus, and how do I remove it?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

The CIH virus, also known as Spacefiller or Chernobyl, can be particularly destructive: it can make your Windows 95, 98, or Me computer unable to start by corrupting the flash BIOS. Even if CIH is unable to destroy the BIOS, it overwrites the hard disk with garbage, resulting in the loss of data. CIH infects 32-bit Windows 95, 98, and NT executables, but can function only under Windows 95, 98, and Me. CIH does not infect computers running Windows NT, 2000, or XP.

On April 26, 1999 (the anniversary of the Chernobyl nuclear accident), CIH's payload triggered for the first time and caused extensive damage. In Korea, it was estimated that as many as one million computers were affected, resulting in more than $250 million in damage. Other trigger dates associated with variants of CIH include the 26th day of any month and May 19.

In case of infection, UITS recommends that you run the KILL_CIH.EXE file, then use the most current virus protection software to remove CIH.

The KILL_CIH.EXE file

To disable the virus and prevent it from spreading, you can obtain the KILL_CIH.EXE file, as well as instructions for using it, from the following Symantec site:

  http://www.symantec.com/avcenter/venc/data/kill_cih.html

Virus protection software

After you run the KILL_CIH.EXE file, you need to remove the virus with an updated virus protection program such as Symantec AntiVirus (SAV). SAV is available to Indiana University affiliates via IUware.

For more information on CIH, see the following web sites:

  http://www.cert.org/incident_notes/IN-99-03.html

  http://www.symantec.com/avcenter/venc/data/cih.html

  http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=3827

This is document agzx in the Knowledge Base.
Last modified on 2018-01-18 12:26:02.