Last Updated: April 26, 1999
1. Have you received any reports of infected machines or damaged machines?
Most of our reports have been information requests for the CIH virus. As of 2:30pm EDT (GMT-0400) April 26th, approximately 10 sites have reported directly to the CERT Coordination Center that they have suffered damage by the CIH virus.
2. What operating system does the CIH virus affect?
CIH is a Portable Executable (PE) infector. The PE files are used by Windows 95, 98, and NT, but due to the way CIH works, NT systems are not able to spread the virus to other files on the local system. Operating systems other than Windows 95/98 are not affected by the virus. This includes UNIX, Windows NT, and MacOS; however, if one of these operating systems is acting as a file server, and the server has an infected file, Windows 95/98 clients can be infected if they execute the file.
3. How concerned should I be?
If your anti-virus software is up-to-date and you have recently scanned your computer for viruses, you should not have to worry. Keep in mind that other executables that you execute may be infected. This can come from a number of sources: floppy disks, email attachments, internal network servers, and the Internet. Be cautious when running executable files received from others; scan the executable files with your anti-virus software.
4. Do you know the significance of April 26, 1999? Why is the virus called CIH/Chernobyl?
April 26, 1999 is the 13th anniversary of the Chernobyl disaster. There are a number of variants of the CIH virus. Some variants will trigger every month on the 26th (CIH.1019) while other variants trigger only on April 26th (CIH.1003, CIH.1010.A) or June 26th (CIH.1010.B). The virus does not look for a specific year.
5. If I receive the virus from someone, should I notify them?
Yes. We encourage you to notify them. More information about dealing with incidents can be found in our Incident Reporting Guidelines.
6. How damaging can this virus be?
The damage can be great. Once the virus is triggered, the first 2048 sectors of each hard drive in the computer are overwritten with random data. This area of the hard drive contains important information about the files on the computer. Without this file information, the computer will think the hard drive is empty.
The virus will also write one byte of data to the BIOS boot block, which is critical for booting a computer. Writing to the system BIOS can be prevented by setting a jumper on most motherboards. Contact the computer vendor or motherboard vendor for assistance with their product.
7. How do I recover my data if the CIH virus was triggered?
The data might not be recoverable, but a data recovery service might be able to restore some portion of the data.
8. Can I set my computer's date to April 27 or if I don't use the computer on April 26 will I avoid damage?
Yes, since one of the triggers for the CIH virus is the date. If you are trying to do this on April 26th we recommend changing the date through the BIOS prior to the operating system starting. This is only a temporary solution since some variants of the CIH virus trigger every month on the 26th. We recommend properly detecting and removing any viruses you may have with your
9. I am having problems installing my anti-virus package or an update to the anti-virus package. What should I do?
Contact the vendor for assistance with their product.
10. I am having problems finding a company's anti-virus software to download or updates for a vendor's anti-virus package. What should I do?
Some vendors have given us information about updates to their products for the CIH virus. Click here
If your vendor is not listed, or you are having difficulty finding the vendor's products or updates, contact the vendor for further assistance.
11. Do you endorse a specific anti-virus product?
No. As a federally-funded research and development center (FFRDC), by law we are not permitted to endorse products.
12. Who wrote CIH? Why was CIH written? What crimes has the author committed? What is the status of the investigation?
The CERT Coordination Center is a technical organization. We concentrate on the technical aspects of computer security problems. We have no legal authority and we do not "catch the bad guys."