CIH (computer virus)
==Virus specifics==
{{unsourced section|date=October 2021}}
CIH spreads through the [[Portable Executable]] file format on the Windows 9x-based operating systems Windows 95, 98, and ME. CIH does not spread under [[Windows NT]]-based operating systems or under Win16-based operating systems such as [[Windows 3.x]] and below.<ref>{{Cite web |title=Virus:DOS/CIH {{!}} F-Secure Labs |url=https://www.f-secure.com/v-descs/cih.shtml |access-date=2023-11-05 |website=www.f-secure.com |language=en}}</ref>

CIH infects Portable Executable files by splitting the bulk of its code into small slivers inserted into the inter-section gaps commonly seen in PE files, and by writing a small re-assembly routine and a table of the locations of its own code segments into unused space in the tail of the PE header. This earned CIH another name, "Spacefiller". The size of the virus is around 1 [[kilobyte]], but because of its novel multiple-cavity infection method, infected files do not grow at all. It jumps from processor [[Protection ring|ring]] 3 to ring 0 to hook system calls.

The payload, which is considered extremely dangerous, first overwrites the first [[megabyte]] (1024 KB) of the [[Hard disk drive|hard drive]] with zeros, beginning at [[Disk sector|sector]] 0. This destroys the contents of the [[Master boot record#Sector layout|partition table]] and may cause the machine to [[Hang (computing)|hang]] or trigger the [[Blue Screen of Death|blue screen of death]]. The second payload tries to write to the Flash [[BIOS]]. On BIOSes that the virus can successfully write to, critical boot-time code is replaced with junk. This routine only works on some machines. Much emphasis has been put on machines with motherboards based on the [[Intel]] [[List of Intel chipsets#Pentium chipsets|430TX]] [[chipset]], but by far the most important variable in CIH's success in writing to a machine's BIOS is the type of Flash ROM chip in the machine. Different Flash ROM chips (or chip families) have different write-enable routines specific to those chips. CIH makes no attempt to test for the Flash ROM type in its victim machines and has only one write-enable sequence.

For the first payload, any information that the virus has overwritten with zeros is lost. If the first partition is [[File Allocation Table|FAT32]] and larger than about one [[gigabyte]], all that gets overwritten is the [[Master boot record|MBR]], the partition table, the [[boot sector]] of the first partition and the first copy of the FAT of the first partition. The MBR and boot sectors can simply be replaced with copies of the standard versions, the partition table can be rebuilt by scanning the entire drive, and the first copy of the FAT can be restored from the second copy. This means a complete recovery with no loss of user data can be performed automatically by a tool such as [http://www.grc.com/cih.htm Fix CIH]. If the first partition is not FAT32 or is smaller than 1 GB, the bulk of user data on that partition will still be intact, but without the [[root directory]] and FAT it will be difficult to find, especially if there is significant fragmentation. If the second payload executes successfully, the computer will not start at all. Reprogramming or replacement of the Flash BIOS chip is then required, as most systems that CIH can affect predate BIOS restoration features.

===Variants===
{| class="wikitable"
! Moniker
! Description
|-
| CIH v1.2/CIH.1003
| This variant is the most common one and activates on April 26. It contains the string {{mono|CIH v1.2 TTIT}}.
|-
| CIH v1.3/CIH.1010.A and CIH1010.B
| This variant also activates on April 26. It contains the string {{mono|CIH v1.3 TTIT}}.
|-
| CIH v1.4/CIH.1019
| This variant activates on the 26th of any month. It contains the string {{mono|CIH v1.4 TATUNG}}.
|-
| CIH.1049
| This variant activates on August 2 instead of April 26.
|}
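As an added defender-side example (not from the article, and not derived from any CIH sample), the following Python heuristic parses a PE section table and reports non-zero bytes in the two places the "Spacefiller" method fills, the unused tail of the PE header and the inter-section file gaps, and also looks for the marker strings from the Variants table. Benign linkers can also leave data in those gaps, so a hit is a cue for closer analysis rather than a verdict; the sample PE image and its contents are constructed for the demonstration.

```python
import struct

# Marker strings listed in the Variants table (the constructed test input reuses one).
VARIANT_STRINGS = [b"CIH v1.2 TTIT", b"CIH v1.3 TTIT", b"CIH v1.4 TATUNG"]

def scan_pe_cavities(data: bytes) -> dict:
    """Report slack regions (header tail, inter-section gaps) holding non-zero bytes,
    plus any known variant marker strings. A clean PE usually has all-zero slack."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0] # SizeOfOptionalHeader
    table = pe + 24 + opt_size                            # start of section table
    sections = []
    for i in range(nsect):                                # Name, skip VirtualSize/VirtualAddress,
        name, raw_size, raw_ptr = struct.unpack_from("<8s8xII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), raw_size, raw_ptr))
    sections.sort(key=lambda s: s[2])
    # Region 1: unused space between the end of the section table and the first raw section.
    first_raw = sections[0][2] if sections else len(data)
    regions = [("header tail", table + 40 * nsect, first_raw)]
    # Regions 2..n: file padding between the end of one section's raw data and the next.
    for (n1, sz1, p1), (_, _, p2) in zip(sections, sections[1:]):
        regions.append(("gap after " + n1, p1 + sz1, p2))
    findings = []
    for label, start, end in regions:
        chunk = data[start:end]
        nonzero = len(chunk) - chunk.count(0)
        if nonzero:
            findings.append({"region": label, "offset": start, "size": len(chunk), "nonzero": nonzero})
    markers = [m.decode() for m in VARIANT_STRINGS if m in data]
    return {"suspicious_regions": findings, "variant_markers": markers}

def build_sample_pe(header_tail: bytes = b"") -> bytes:
    """Construct a tiny, non-runnable one-section PE image (constructed test input);
    header_tail (must fit in 160 bytes) is placed into the slack after the section table."""
    pe_off, opt_size = 0x40, 0xE0
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x10F)
    img += b"\0" * opt_size                                # optional header (all zero)
    img += struct.pack("<8sIIII", b".text", 0x100, 0x1000, 0x100, 0x200) + b"\0" * 16
    img += header_tail.ljust(0x200 - len(img), b"\0")      # slack up to first section
    return bytes(img + b"\x90" * 0x100)                    # .text raw data

if __name__ == "__main__":
    print(scan_pe_cavities(build_sample_pe(b"\xE8\0\0\0\0" * 4 + b"CIH v1.2 TTIT")))
```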