
Wednesday, September 10, 2008

chernobyl virus


We begin our discussion of viruses with the Chernobyl virus, so named because its payload first fired on April 26, 1999, the 13th anniversary of the disaster at the Chernobyl nuclear reactor. Whether the author chose that date deliberately, or whether it simply fell roughly a year after the virus was first released into the wild, has been the subject of much speculation.


Threat

The payload was devastating. On the trigger date, the first infected program to run overwrote the start of every hard disk, destroying the partition table and the FAT and leaving the data unreachable without low-level recovery tools. The virus has a second distinction as the first known to attack hardware: the same routine attempts to rewrite the system BIOS in flash. The flash chip is not physically damaged, but a board whose BIOS has been erased will not boot again until the chip is reprogrammed or replaced. Because the virus infects executables as they are opened during normal use, infected programs are easily carried across a network on file shares and downloads.

The virus was first found in the wild in June 1998, almost a year before its payload fired. U.S. and European users were affected, but most of Chernobyl's damage was done in Asia and the Middle East. Chernobyl is simply the popular name for the CIH virus (the initials of its author, Chen Ing-hau). CIH is also described as a "space filler" virus: rather than appending itself to the host and growing the file, it splits its body into fragments and writes them into the unused alignment padding inside the host's PE sections, so an infected file does not change size and a simple file-size check will not catch it.

CIH is a Windows 95/98-specific parasitic virus of about 1 KB that infects Windows PE (Portable Executable) files. It replicates and activates only under Windows 95 and 98, because those systems let a user-mode program escalate itself to ring 0 (CIH plants its own gate in the interrupt descriptor table and calls it) and then use VxD services directly. Users of Windows NT, Windows 2000 or Macintosh are not considered at risk, although such systems can still carry infected files. The variants of the virus differ in their activation dates or patterns.

How the virus works

When an infected program runs, the virus installs itself in Windows memory and hooks the file-system (IFS) API, so that any PE EXE file opened through that hook is infected in turn. Depending on the system date it then runs its trigger routine. The virus has bugs, and in some cases it halts the computer when an infected application is run.
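The space-filler infection described above leaves two traces in a PE file: the entry point ends up inside the padding past a section's VirtualSize, and that padding, which a linker leaves zeroed, contains code. As an added example (not from the original post, and not CIH's own code), the script below parses a PE section table and flags both. The PE images it checks are built inline by a small constructed builder; they are synthetic test inputs, not CIH samples, and the "fragment" bytes are stand-ins.

```python
"""Heuristic detector for CIH-style space-filler infection of PE files.

Added example. parse_pe() reads the section table, slack_findings() checks
the padding between each section's VirtualSize and SizeOfRawData, and
build_pe() constructs minimal PE32 images so the check can run offline.
"""
import struct

FILE_ALIGN = 0x200   # typical FileAlignment: raw sections are padded to 512 bytes
SECT_ALIGN = 0x1000  # typical SectionAlignment: one page


def align_up(n, a):
    return (n + a - 1) // a * a


def parse_pe(data):
    """Return (entry_rva, sections) for a PE32 image.

    sections is a list of (name, VirtualSize, VirtualAddress,
    SizeOfRawData, PointerToRawData) tuples from the section table.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", data, pe_off + 6)        # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)    # COFF SizeOfOptionalHeader
    opt_off = pe_off + 24
    entry_rva, = struct.unpack_from("<I", data, opt_off + 16)  # AddressOfEntryPoint
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        off = sect_off + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, vaddr, rawsize, rawptr))
    return entry_rva, sections


def slack_findings(data):
    """Flag an entry point inside section slack and non-zero bytes in it.

    The slack is the range past VirtualSize up to SizeOfRawData: alignment
    padding that linkers normally zero. A space filler writes its fragments
    there and points the entry point at one of them. Caveat: a few linkers
    set VirtualSize to the aligned size or pad with non-zero bytes, so this
    is a heuristic, not a signature.
    """
    entry_rva, sections = parse_pe(data)
    findings = []
    for name, vsize, vaddr, rawsize, rawptr in sections:
        if rawsize <= vsize:
            continue
        if vaddr + vsize <= entry_rva < vaddr + rawsize:
            findings.append("entry point 0x%X lies in slack of section %s" % (entry_rva, name))
        nonzero = sum(1 for b in data[rawptr + vsize:rawptr + rawsize] if b)
        if nonzero:
            findings.append("section %s has %d non-zero slack bytes" % (name, nonzero))
    return findings


def build_pe(sections_spec, entry_rva):
    """Build a minimal PE32 image (constructed test input, not a real sample).

    sections_spec: list of (name, raw_bytes, VirtualSize). raw_bytes is padded
    with zeros to FILE_ALIGN, while VirtualSize is written as given, so a
    caller can place data past VirtualSize to emulate a filled slack.
    """
    nsect = len(sections_spec)
    opt_size = 224                                    # PE32 optional header size
    hdr_len = align_up(0x40 + 4 + 20 + opt_size + 40 * nsect, FILE_ALIGN)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<I", opt, 32, SECT_ALIGN)
    struct.pack_into("<I", opt, 36, FILE_ALIGN)
    struct.pack_into("<I", opt, 60, hdr_len)          # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    table, bodies = b"", b""
    rawptr, vaddr = hdr_len, SECT_ALIGN
    for name, raw, vsize in sections_spec:
        rawsize = align_up(len(raw), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        bodies += raw.ljust(rawsize, b"\0")
        rawptr += rawsize
        vaddr += align_up(max(vsize, rawsize), SECT_ALIGN)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(hdr_len, b"\0") + bodies


# Constructed samples: 288 bytes of "code" with VirtualSize 0x120, leaving
# 0xE0 bytes of slack in a 0x200-byte raw section. FRAGMENT is a stand-in for
# a virus fragment, not real CIH bytes.
CODE = b"\x90" * 0x120
FRAGMENT = b"\xE8\x00\x00\x00\x00\x5D" + b"\xCC" * 10
CLEAN = build_pe([(".text", CODE, len(CODE))], entry_rva=0x1000)
INFECTED = build_pe([(".text", CODE + FRAGMENT, len(CODE))], entry_rva=0x1000 + len(CODE))

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, slack_findings(img) or ["no findings"])
```

The entry-point check is the stronger of the two signals: a legitimate linker never points AddressOfEntryPoint past a section's VirtualSize, whereas non-zero padding alone occasionally shows up in files from older toolchains and should be confirmed by looking at what the bytes are.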

The virus's trigger routine drives the flash BIOS through the chipset's I/O ports and tries to overwrite flash memory with "garbage". This succeeds only when the motherboard and chipset leave the flash write-enabled. On many boards writes can be disabled with a DIP switch or jumper, but this depends on the board design: some modern boards offer no such switch at all, and others implement a "write protection" that software can disable or override, which is no protection against a virus already running at ring 0.

The trigger routine then overwrites data on every installed hard drive. It uses direct disk-write calls rather than going through the BIOS, so the "boot sector virus protection" option in BIOS setup, which only intercepts INT 13h writes, does not stop it from overwriting the MBR and boot sectors.

Three "original" virus versions are known. They are very closely related and differ in only a few parts of their code: their length, the text strings inside the virus body and the trigger date (v1.2 fires on April 26, v1.3 on June 26 and v1.4 on the 26th of every month).

Other known virus versions

The original author released into the wild not only infected EXE files but the virus's assembler source code as well. That source was patched and recompiled, and new versions appeared as a result. Most of them are buggy and unable to replicate, but some do replicate. All stay very close to the originals, with only a few differences; the main one is a changed "bomb" date, so the new variants either erase data and the flash BIOS on other days or never call that routine at all.

There are also "original" versions patched to have other "bomb" days. The reason this is so easy is very simple: the virus checks the trigger date by comparing the current day and month numbers with two one-byte constants. By patching those two bytes, anyone can select the day on which the virus destroys the computer.
