Hello everyone, it’s Thursday, April 26th, 2012, at 12:30 a.m. Now on this date, fourteen years ago, the “CIH” virus first displayed its devastating payload, in which it rendered many computers un-bootable due to it overwriting the BIOS, the basic input/output system. Now hopefully, we will be able to see that effect here today on this standalone computer, and hopefully it will destroy it like it has many thousands of other PCs. Now the virus is also known as “Space Filler”, as unlike normal executable-infecting viruses, which will write their code to the end. “CIH” will look for gaps in the program to which it writes its code. This is handy, as it helps the virus avoid detection, as it does not increase the file size of programs that it infects. Now we will go ahead and run it; the system date is currently set to April 25th, so we won’t get the payload immediately. So you see, it pretended to be some other file, some other file that it had already infected, but now “CIH” is present and will infect any executables run on the computer. So we’ll just run a few of these, and “CIH” will infect them, and every time you run these files, “CIH” will launch as well, instead of the program
you’re running. Alright, I think we’re ready to go here. We will switch the date to the 26th, and see if we can get it to activate. Now, normally I have to re-record videos a bunch of times, but with “CIH” and its devastating payload you only get one shot at this, so let’s hope it works. Here we go… and the computer should blue-screen; yes it has. “…in VxD, this was called from ‘blah blah blah…’ It may be possible to continue normally.” Let’s try it. We have a taskbar, and no desktop. You can press buttons – and now it’s frozen. So what it’s done is if this motherboard was compatible with it, it should have overwritten the BIOS and also overwritten – I think the partition table on the hard drive. So it doesn’t destroy any data, it just makes it inaccessible through normal means. You can still use tools to recover your data. So, let’s try rebooting! We’ll see how this goes. Just give me a moment here. We’ll hit the reset switch… and this computer should not boot anymore. We are not even getting any output to the screen. We’ll try turning off… …and turning it back on. Let’s see what happens. We are not getting anything. The hard drive light is on, and no output is being sent to the screen. I think “CIH” has done what it’s supposed to do. Let’s see here, I have a MS-DOS boot disk. We will see, if we can boot from the floppy, but we’re not even getting any BIOS messages on the screen, so I think this computer is toast. Alright, we have the MS-DOS disk in the drive… …and nothing. I’ve never seen this payload on a real machine before; it is quite amazing to see it actually do what it’s intended to do – which is completely destroy a computer. I mean, back in the 90s, you didn’t have re-flashable BIOSes, you basically had to send your motherboard back to the manufacturer. Now they could probably re-flash it, but that would cost you an arm and a leg and you’d probably just end up getting a new motherboard. So, “CIH” wasn’t very widespread, uh, since it was just the file infector; it didn’t have any email-spreading routines or anything
like that. But, as you can see, this computer is completely trashed, and will not boot at all. So, yeah, that’s really about it for the “CIH” virus. Thanks for watching, and it’s good to have a nice definitive video of it doing it’s devastating payload. Thanks for watching.

Virus.Win9x.CIH/Chernobyl Destroying a Physical Computer
Tagged on:                                                                                                                                                                                                                                 

Leave a Reply

Your email address will not be published. Required fields are marked *