CIH Spacefiller

This virus is the classic that illustrates the working and danger of a spacefiller virus type.

It was first reported in June 1998 and dubbed Chernobyl by the press. It infects files written in the Portable Executable (Windows 95 executable) format. This format allows blocks of blank space in the executable and this virus exploits that by attempting to install itself into a single block (or multiple blocks if necessary). Only Win95/98 executables are vulnerable to spreading the virus. DOS and Windows 3.1 executables are not the correct format. NT executables can be infected but will no longer work due to their structure.

The virus has some bugs that cause some programs it tries to infect to stop working and the computer to halt.

The original virus was set to trigger on 26 April, the anniversary of the Chernobyl disaster. Variants trigger on 26 June or the 26th of any month.

The beast is nasty in that it allowed to activate it will attempt to overwrite a Flash BIOS (if found) and then goes on to overwrite the hard disk. It's not always effective at overwriting the BIOS since different BIOS types have different routines needed to write to them; but, if it does, the chip has to be replaced or, at a minimum, rewritten with the correct BIOS information. Either is a major problem for most users.

The virus spreads rapidly once run on a system. It was a very "popular" virus in 1998 but major infections have since been wiped out due to major press coverage and AV software updates. Despite that, CIH continues to show up.

You most certainly want to have current AV software and not let this beast onto your system. It continues to be dangerous.