W95.CIH

W95.CIH, also commonly referred to as Chernobyl, is a destructive parasitic virus. It remains memory resident and infects other exe files when they are opened.

Due to decreased submissions, Symantec Security Response has downgraded this threat level to 2 from 3 as of March 30, 2004.

The CIH virus, also known as Chernobyl, was first discovered in June 1998 in Taiwan. According to the Taipei authorities, Chen Ing-hau wrote the CIH virus. The name of the virus derived from his initials.

CIH is a destructive virus with a payload that destroys data. On April 26, 1999, the payload triggered for the first time, causing many computer users to lose their data. In Korea, it was estimated that as many as one million computers were affected, resulting in more than $250 million in damages.

Although the virus is rather old, Symantec still believes the virus is in the wild and may cause damage to computer users who use outdated virus definitions, or who do not use antivirus software.

Antivirus Protection Dates

• Initial Rapid Release version June 28, 1998
• Latest Rapid Release version August 20, 2008 revision 017
• Initial Daily Certified version June 28, 1998
• Latest Daily Certified version January 20, 2009 revision 048
• Initial Weekly Certified release date June 28, 1998

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 1000+
• Number of Sites: 10+
• Geographical Distribution: Medium
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: High
• Payload Trigger: W95.CIH V1.2 and V1.3 (April 26), W95.CIH V1.4 (26th of any month)
• Payload: Destroys data and causes possible damage to CMOS

Distribution

• Distribution Level: Medium