Now, perhaps, few people remember, but April 26 is not only the day when there was the Chernobyl tragedy, but also the date when hundreds of thousands of computer users worldwide have lost all the information on their drives, and some motherboards due to the CIH virus. Tell, what happened in 1999, who was the culprit, and how the virus could spread globally.
Who and why created the virus
CIH Virus.Win9x.CIH or Chernobyl is a computer virus that only runs under the operating system Windows 95/98/ME, written Taiwanese (then) student of Chen Yinghao. First discovered “live” in Taiwan in June 1998, where the author of the virus has infected the computers in your University Datong (Tatung).
Chen Yinghao computer
After some time, the virus has spread to local Internet conferences, and has already escaped outside the country. Later outbreak was registered in Austria, Australia, Israel and the UK. And then the virus spread to other countries, including Russia and Belarus.
About a month later the infected files were discovered on several American web servers that distribute the game program, which contributed to a global outbreak.
Write what Chen Yinghao created a virus to punish the vendors of antivirus programs that have proved useless in the fight against viruses on University computers.
Learning that the virus has spread worldwide, he was nervous, but was sure that if there is sufficient stock at the time security experts will be able to calculate it.
He later posted a formal apology in which he publicly asked forgiveness from the citizens of China whose computers were affected.
April 26, 1999
This date probably still remember the owners of the infected at the time of computers. This day worked “logic bomb” embedded in the virus code. According to various estimates, in this day around the world suffered about half a million computers — they were destroyed data on the hard disk, and some plus spoiled the contents of the BIOS chips on motherboards (so they were completely unusable).
This incident was a real computer disaster — a viral epidemic and their consequences have never been greater, and did not bring such damages.
According to various estimates, the damage from the virus ranged from 20 to 80 million dollars. That’s not counting the moral damage — a huge number of people lost their personal data, because 1999 was not yet distributed cloud storage and streaming services.
Apparently because the virus posed a real threat to computers all over the world and the date of its operation coincided with the date of the accident at the Chernobyl nuclear power plant, he received his second, a much more common name — “Chernobyl” (Chernobyl).
The author of the virus is almost certainly not tied to the Chernobyl tragedy with his child and put the date of release “bomb” on 26 April for a completely different reason: on this day in 1998 he released the first version of their virus (which, incidentally, never went beyond Taiwan), i.e. so 26 APR virus celebrates its “birthday”.
That was one of the victims recalled: “after the warning, the entire office had changed the date — that it is not activated… And how I fucked up, forgetting it back then remove… And exactly a month later, the computer is fucked…”
How did the virus
When you run an infected file, the virus has installed its own code in memory Windows intercept file accesses, and when you open run. EXE files and recorded them in your copy. Due to errors in the code, the virus sometimes the “hung” system when you run an infected file. And at the time of onset of a specified date, tried to erase the Flash BIOS, and the drives ‘ contents.
The entry in Flash of the BIOS is possible only on the relevant types of motherboards and permitting installation of the respective switch. This switch is usually set to “read only”, but this is not true for all computer manufacturers.
Unfortunately Flash the BIOS on some modern motherboards can not be protected by a switch: some of them permit writing to Flash at any position of the switch, on the other protection of records in Flash can be canceled programmatically.
After erasing Flash memory the virus is passed to another destructive procedure: destroying information on all installed hard drives. However, he bypassed the built-in BIOS standard anti-virus write protection in the boot sector.
There are three known major (the so-called “author”) version of the virus. They are quite similar to each other and differ only in minor details of the code in the various subprogrammes. Version of virus received different lengths of text strings and date of operation procedure erase disk and Flash the BIOS.
They all have a size of about 1 kilobyte. The first two versions worked 26 April, the third — on the 26th of each month.
What happened next?
The author of the virus is not only released the virus “free”, but and sent them assembler source texts of the virus. This led to the fact that these texts were revised, compiled, and soon there were modifications of the virus, which had different lengths, but in terms of functionality they all correspond to its “parent”.
In some embodiments, the virus changed the date of release “bombs”, or this plot was not used (instant triggering). After all, in order to set “bombs” on any given day, it is enough to change only two bytes in the code of the virus.