
Chernobyl cih. Chernobyl virus

author Evgenia.Sergeevna asked a question in the section Other languages ​​and technologies

Computer viruses. Chernobyl... and got the best answer

Answer from De_SAM [guru]
Source: (virus)

Answer from Liprazin[guru]
CIH, or "Chernobyl" (Virus.Win9x.CIH) is a computer virus written by Taiwanese student Chen Ying Hao in June 1998. It is a memory resident virus that runs only under the Windows 95/98 operating system.
On April 26, 1999, the anniversary of the Chernobyl disaster, the virus activated and destroyed data on the hard drives of infected computers. On some computers the contents of the BIOS chips were corrupted. It was the coincidence of the virus's activation date with the date of the Chernobyl accident that gave the virus its second name, "Chernobyl", which is even better known among the public than "CIH".
According to various estimates, the virus affected about half a million personal computers worldwide.
On September 20, 2000, the Taiwanese authorities arrested the creator of the famous computer virus.
In May 2006, a student at one of the technical universities in Voronezh, Sergei Kazachkov, was sentenced to 2 years of probation under Article 273 of the Criminal Code of the Russian Federation for spreading computer viruses on the Internet, including CIH.
Technical details
Also known as "Chernobyl". It is a memory-resident virus that runs only under Windows 95/98 and infects PE (Portable Executable) files. It is rather short, about 1 KB. It was discovered "in the wild" in Taiwan in June 1998: the author of the virus infected computers at the local university where he was studying at the time. After some time, the infected files were (accidentally?) sent to local Internet conferences, and the virus got out of Taiwan: over the next week, virus outbreaks were reported in Austria, Australia, Israel and the UK. The virus was then found in several other countries, including Russia.
About a month later, the infected files were found on several US Web servers that distribute gaming software. This fact, apparently, was the reason for the ensuing global virus epidemic. On April 26, 1999 (about a year after the appearance of the virus), the "logic bomb" embedded in its code went off. According to various estimates, on that day around half a million computers were damaged around the world: the data on their hard disks was destroyed, and on some the contents of the BIOS chips on the motherboards were corrupted as well. This incident became a real computer disaster; never before had a virus epidemic and its consequences been so large-scale or brought such losses.
Apparently, for two reasons, 1) the virus posed a real threat to computers all over the world and 2) the date when the virus was triggered (April 26) coincides with the date of the accident at the Chernobyl nuclear power plant, the virus got its second name, Chernobyl.
The author of the virus most likely did not connect the Chernobyl tragedy with his virus in any way and set the date of the "bomb" to April 26 for a completely different reason: it was on April 26, 1998 that he released the first version of his virus (which, by the way, never got outside Taiwan), so on April 26 the CIH virus celebrates its "birthday" in its own way.
How does the virus work
When an infected file is launched, the virus installs its code into Windows memory, intercepts calls to the files, and writes a copy of itself to them when opening PE EXE files. It contains errors and in some cases hangs the system when launching infected files. Depending on the current date, it erases the Flash BIOS and the contents of the disks.
Writing to Flash BIOS is possible only on the corresponding types of motherboards and when the corresponding switch is enabled. This switch is usually set to read-only, but this is not true for all computer manufacturers. Unfortunately, the Flash BIOS on some modern motherboards cannot be protected by a switch: some of them allow writing to Flash at any position of the switch, while on others, write protection to Flash can be canceled by software.
After successfully erasing Flash memory, the virus proceeds to another destructive procedure.


Answer from Grif[guru]


Answer from Alexander Perepelkin[active]
A good virus, quite powerful. Back at school I once ruined the computer with its help because they gave me a 4 in computer science.


Answer from Dmitry Kazankin[guru]


Answer from Pavel Koltsov[guru]
ru.wikipedia.org/wiki/Чернобыль_(вирус)


Answer from Damir[active]
wow, I haven't heard of this, I'll google it and read it here


Answer from Alexey beifus[expert]
The first global CIH virus, also called Chernobyl, has celebrated its 10th anniversary. "On April 26, 1999, a global computer catastrophe occurred: according to various sources, about half a million computers around the world were affected; never before had the consequences of a virus outbreak been so large-scale or accompanied by such global losses," recalls Kaspersky Lab virus analyst Evgeny Aseev, RIA Novosti reports.
According to him, the data on the hard drives was then destroyed, and the contents of the BIOS chips were damaged on the motherboards of some machines. "This virus served as a turning point in how users perceive computer threats. It was the first virus that not only damaged the data on an infected machine but also disabled some computers entirely. If the BIOS could not be rewritten, the computer could be thrown into the trash heap," says Sergei Komarov, head of the anti-virus development and research department at Doctor Web.
The CIH virus got its name from the abbreviated name of its creator, Taiwan University student Chen Ing-Hau. Its second name, "Chernobyl", appeared because the virus was activated on April 26, the day of the disaster at the Chernobyl nuclear power plant.
"The author of the virus made it so that, having penetrated the machine, the virus did not perform any harmful actions. It waited for April 26 of each year (on that very day the nuclear power plant in Chernobyl exploded, which is why some call this virus 'Chernobyl') and then it went off," says Komarov from Doctor Web.
Evgeny Aseev from Kaspersky Lab reminds that the Chernobyl virus was first detected in Taiwan in June 1998 - the virus author Chen Ying-Hau infected computers at a local university. After some time, CIH got out of Taiwan: Austria, Australia, Israel and the UK were among the first countries to be affected by the epidemic. Later, the malicious code was registered in several other countries, including Russia.
It is believed that the appearance of infected files on several American web servers distributing gaming software was the cause of the global virus outbreak. The lack of formal complaints from Taiwanese companies allowed Chen to escape punishment in April 1999. Moreover, "Chernobyl" made him famous: thanks to writing the virus, Chen Ing-Hau got a prestigious job at a large computer company. Chen Ying-Hau was arrested only on September 20, 2000.


The first global virus, which infected about 500 thousand computers, celebrates its 10th anniversary

The first global CIH virus, also called Chernobyl, celebrates its 10th anniversary.

"On April 26, 1999, a global computer catastrophe occurred: according to various sources, about half a million computers around the world were affected; never before had the consequences of a virus outbreak been so widespread or accompanied by such global losses," recalls Eugene Aseev, a virus analyst at Kaspersky Lab.

According to him, then the data on the hard drives were destroyed, and the contents of the BIOS chips were damaged on the motherboards of some machines.

"This virus served as a turning point in how users perceive computer threats. It was the first virus that not only damaged the data on an infected machine but also disabled some computers entirely. If the BIOS could not be rewritten, the computer could be thrown into the trash heap," says Sergei Komarov, head of the anti-virus development and research department at Doctor Web.

The CIH virus got its name from the abbreviated name of its creator, Taiwan University student Chen Ing-Hau. Its second name, "Chernobyl", appeared because the virus was activated on April 26, the day of the disaster at the Chernobyl nuclear power plant.

"The author of the virus made it so that, having penetrated the machine, the virus did not perform any harmful actions. It waited for April 26 of every year (it was on this day that the nuclear power plant exploded in Chernobyl, which is why some call this virus 'Chernobyl') and then it went off," says Komarov from Doctor Web.

Evgeny Aseev from Kaspersky Lab reminds that the Chernobyl virus was first detected in Taiwan in June 1998 - the virus author Chen Ying-Hau infected computers at a local university. After some time, CIH got out of Taiwan: Austria, Australia, Israel and the UK were among the first countries to be affected by the epidemic. Later, the malicious code was registered in several other countries, including Russia.

It is believed that the appearance of infected files on several American web servers distributing gaming software was the cause of the global virus outbreak.

The lack of formal complaints from Taiwanese companies allowed Chen to escape punishment in April 1999. Moreover, "Chernobyl" made him famous: thanks to writing the virus, Chen Ing-Hau got a prestigious job at a large computer company.

TEN YEARS LATER. MODERN THREATS.

According to Sergei Komarov, head of the anti-virus development and research department at Doctor Web, viruses subsequently appeared that were similar to Chernobyl in terms of attachment to a certain date, but they did not cause such harm to computers.

"This is most likely explained by the fact that for modern malware it makes no sense to disable a computer: the computer is important to it as a resource, it works on it, hiding its presence and bringing income to cybercriminals," Komarov believes. "The past is the time when computer criminals like Chen Ying-Hau created viruses in an effort to assert themselves and become famous. The actions of modern cybercriminal communities cannot be qualified as simple hooliganism: over the past years virtual fraudsters have honed their skills and pursue the most mundane goal, enrichment, and they make very serious money in a criminal way," confirms Evgeny Aseev from Kaspersky Lab.

According to him, the scheme of action of the Chernobyl virus assumed two scenarios: at best, deleting all information from the computer's memory, at worst, disabling it completely. The picture of modern threats has changed dramatically and is striking in its diversity: rootkits, social networks, online games and botnets are areas and technologies that make up a far from complete list of sources of computer threats. "Cyber fraudsters are acting more and more unpredictably and in more sophisticated ways," says Aseev. According to him, today the "production" of malicious programs has been put on a conveyor belt: Kaspersky Lab analysts detect more than 17 thousand new viruses daily.

The leaders are "Trojans" that steal personal data of the user and transmit to their "owners" the credit card number of the owner of the infected computer.

To promote new services, advertising and related services, Internet companies are actively using the potential of social networks. Last year Odnoklassniki and Vkontakte, among the most tempting "morsels" for virtual fraudsters, were at the epicenter of numerous attacks.

The online games market is developing at an enormous pace. Having displaced the Trojans that attack users of online payment and banking systems, gaming Trojans have come out on top, employing new technologies, including a file infection mechanism and distribution on removable drives. The same "Trojans" were used to organize "botnets" (a botnet is a network of infected computers).

"The word 'botnet', which a few years ago was found exclusively in the vocabulary of antivirus company employees, has recently become known to almost everyone. Today botnets are the main source of spam, DDoS attacks and new viruses," Aseev notes.

To protect themselves from potential threats, experts recommend that users exercise caution and be extremely careful.

"Do not open suspicious links sent by unfamiliar contacts, verify information received from 'friends', do not use simple passwords and do not enter them anywhere except on trusted resources, and regularly install updates for the operating system and antivirus software," advises Kaspersky Lab virus analyst Evgeny Aseev.

"RIA Novosti", 04/27/2009


On the 26th of each month, after the destructive code of the virus is triggered, computer motherboards can be thrown into the trash. But only if, in these computers infected with the Win95.CIH virus, the write switch for the rewritable programmable ROM (Flash BIOS) was set to allow writing to this ROM. And, as a rule, all computers are supplied and sold with the switch in this position.

The Win95.CIH virus was written in Taiwan, spread by the author of this brainchild via the Internet, and by now has infected most of the countries of Southeast Asia, as well as some European countries (in particular, Sweden was seriously affected).

The Win95.CIH virus is reliably detected and cured by Dr. Web version 4.01. Please check all incoming files. Be especially careful with all files received over the Internet.


Description of Win95.CIH virus

It is a very dangerous memory-resident virus. It infects files in the EXE PE format under Windows 95. When infecting files, the virus does not increase their length but uses a rather interesting infection mechanism. Each code section of an EXE PE file is aligned to a certain number of bytes, which are usually unused by the program. The virus writes parts of its code into such areas, sometimes "scattering" them throughout the file (over all code sections). The virus can also write its start procedure (the procedure that first receives control when the program is started), or even all of its code, into the header area of the EXE PE file and set the program's entry point to this start procedure. Thus, the entry point of the file may not belong to any code section of the file.

Upon gaining control, the virus allocates a block of memory for itself by calling the PageAllocate function and "assembles itself from parts" into a single whole in this allocated area of memory. Win95.CIH then intercepts the IFS API and transfers control to the host program. When files with the EXE extension and PE format are opened, the virus infects them.

On the 26th of every month, the virus destroys the contents of the Flash BIOS by writing random data ("garbage") to it. As a result, after the next restart the computer stops booting. And, as a rule, even in an industrial setting it is quite difficult to restore the contents of the Flash BIOS and bring the computer back into operation.

Currently there are 3 modifications of the Win95.CIH virus, with lengths of 1003, 1010 and 1019 bytes. These viruses contain the following texts in their bodies:

Win95.CIH.1003 - CIH v1.2 TTIT

Win95.CIH.1010 - CIH v1.3 TTIT

Win95.CIH.1019 - CIH v1.4 TATUNG

P.S. In my opinion, the proposal to throw away motherboards damaged by the Win95.CIH virus is somewhat premature. With the right skills, a Flash BIOS can be reprogrammed even at home. If you have not yet acquired such skills, you should contact the sellers or representatives of your motherboard's manufacturer and ask them to replace the Flash BIOS.

Also known as "Chernobyl". It is a memory-resident virus that works only under Windows 95/98 and infects PE (Portable Executable) files. It is rather short, about 1 KB. It was discovered "in the wild" in Taiwan in June 1998: the author of the virus infected computers at the local university where he was studying at the time. After a while the infected files were (by accident?) sent out to local Internet conferences, and the virus got out of Taiwan: over the next week, virus outbreaks were reported in Austria, Australia, Israel and the UK. The virus was then discovered in several other countries, including Russia.

About a month later, the infected files were found on several American Web servers that distribute gaming software. This fact, apparently, was the cause of the ensuing global virus epidemic. On April 26, 1999 (about a year after the virus appeared), the "logic bomb" embedded in its code went off. According to various estimates, on that day about half a million computers around the world were affected: the data on their hard disks was destroyed, and on some the contents of the BIOS chips on the motherboards were corrupted as well. This incident became a real computer disaster; never before had a virus epidemic and its consequences been so large-scale or brought such losses.

Apparently, for two reasons, 1) the virus posed a real threat to computers all over the world and 2) the date the virus was triggered (April 26) coincides with the date of the accident at the Chernobyl nuclear power plant, the virus got its second name, "Chernobyl".

The author of the virus most likely did not connect the Chernobyl tragedy with his virus in any way and set the date of the "bomb" to April 26 for a completely different reason: it was on April 26, 1998 that he released the first version of his virus (which, by the way, never got out of Taiwan), so on April 26 the CIH virus celebrates its "birthday" in its own way.

How does the virus work

When an infected file is launched, the virus installs its code into Windows memory, intercepts file accesses and writes a copy of itself into PE EXE files as they are opened. It contains errors and in some cases hangs the system when infected files are run. Depending on the current date, it erases the Flash BIOS and the contents of the disks.

Writing to the Flash BIOS is possible only on the corresponding types of motherboards and only when the corresponding switch is set to allow it. This switch is usually set to read-only, but this is not true for all computer manufacturers. Unfortunately, the Flash BIOS on some modern motherboards cannot be protected by a switch: some of them allow writing to Flash in any position of the switch, while on others the Flash write protection can be overridden by software.

After successfully erasing Flash memory, the virus moves on to another destructive procedure: it erases the information on all installed hard drives. In doing so, the virus uses direct access to the data on the disk and thus bypasses the standard anti-virus protection built into the BIOS against writes to boot sectors.

There are three main ("author's") versions of the virus. They are quite similar to each other and differ only in minor details of the code in various subroutines. The versions have different lengths, text strings and dates on which the procedure erasing the disks and Flash BIOS is triggered:

Length   Text              Trigger date          Detected "live"
1003     CIH 1.2 TTIT      April 26              Yes
1010     CIH 1.3 TTIT      April 26              No
1019     CIH 1.4 TATUNG    26th of every month   Yes, in many countries

Technical details

When infecting files, the virus looks for "holes" in them (blocks of unused data) and writes its code into them. The presence of such holes follows from the structure of PE files: the position of each section in the file is aligned to a value specified in the PE header, so in most cases there are a certain number of bytes between the end of one section and the beginning of the next that are not used by the program. The virus searches the file for such unused blocks, writes its code into them and increases the size of the modified section by the required amount. As a result, the size of infected files does not increase.

If at the end of some section there is a hole of sufficient size, the virus writes its code into it as one block. If there is no such hole, the virus splits its code into blocks and writes them to the ends of various sections of the file. Thus, the virus code in infected files may be found either as a single block of code or as several unrelated blocks.

The virus also looks for an unused block of data in the PE header. If there is a hole of at least 184 bytes at the end of the header, the virus writes its startup procedure into it. The virus then changes the starting address of the file, writing the address of its startup procedure into it. As a result of this technique the file structure becomes rather non-standard: the address of the program's starting procedure does not point into any section of the file but outside the loadable module, into the file header. However, Windows 95 pays no attention to such "strange" files: it loads the file header into memory, then all the sections, and transfers control to the address specified in the header, i.e. to the virus startup procedure in the PE header.
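The PE "hole" layout described above (and in the Dr. Web description earlier on the page, including the three marker strings it lists) can be checked with a small defensive scanner. The following is an added example written for this page, not code from Kaspersky Lab, Dr. Web or any other source the page quotes: it parses the headers of a PE32 file, measures the alignment slack at the end of the headers and of each section, flags an entry point that falls inside no section, and searches for the marker strings. The sample images are constructed by build_sample_pe(); their section layout and the header-hole entry address 0x190 are assumptions for illustration, not values taken from a real file.

```python
import struct

# Marker strings the page lists for the three author versions of the virus.
CIH_MARKERS = [b"CIH v1.2 TTIT", b"CIH v1.3 TTIT", b"CIH v1.4 TATUNG"]


def parse_pe(data):
    """Parse the DOS header pointer, COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]  # SizeOfHeaders
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"entry_rva": entry_rva, "size_of_headers": size_of_headers,
            "table_end": table + 40 * num_sections, "sections": sections}


def scan_pe(data):
    """Measure the unused "holes" the text describes and flag CIH-style anomalies."""
    pe = parse_pe(data)
    # Unused bytes between the end of the section table and the first section's raw data.
    header_slack = pe["size_of_headers"] - pe["table_end"]
    section_slack, entry_section = {}, None
    for s in pe["sections"]:
        # Raw data is padded up to FileAlignment; bytes beyond VirtualSize are unused.
        section_slack[s["name"]] = max(0, s["rawsize"] - s["vsize"])
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
    markers = [m.decode("ascii") for m in CIH_MARKERS if m in data]
    return {
        "header_slack": header_slack,
        "section_slack": section_slack,
        "entry_section": entry_section,               # None: entry point lies in no section
        "entry_in_headers": pe["entry_rva"] < pe["size_of_headers"],
        "markers": markers,
        "suspicious": entry_section is None or bool(markers),
    }


def build_sample_pe(cih_like):
    """Construct a minimal two-section PE32 image (constructed sample, not a real file).
    With cih_like=True the entry point is redirected into the header slack and a marker
    string is planted in the .text padding, mimicking the layout described in the text."""
    size_of_headers = 0x400
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData); assumed values.
    layout = [(b".text", 0x340, 0x1000, 0x400, 0x400),
              (b".data", 0x100, 0x2000, 0x200, 0x800)]
    entry_rva = 0x190 if cih_like else 0x1000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, size_of_headers)   # SizeOfImage, SizeOfHeaders
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in layout)
    image = bytearray(0xA00)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    image[:len(headers)] = headers
    image[0x400:0x400 + 0x340] = b"\x90" * 0x340                # .text: stand-in program code
    if cih_like:
        image[0x190:0x190 + 8] = b"\xcc" * 8                    # stand-in stub in the header hole
        marker = b"CIH v1.4 TATUNG"
        image[0x740:0x740 + len(marker)] = marker               # planted in the .text padding
    return bytes(image)


if __name__ == "__main__":
    for label, flag in (("clean", False), ("cih-like", True)):
        print(label, scan_pe(build_sample_pe(flag)))
```

The clean sample has an entry point inside .text and no marker strings, so it is reported as not suspicious, while the CIH-like sample has an entry point below SizeOfHeaders (in no section) and a marker string in section padding. Slack sizes alone are not evidence of infection, since every aligned PE has some; the check that matters is the entry point landing outside all sections.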

After gaining control, the virus startup procedure allocates a block of memory with the VMM call PageAllocate, copies its code there, then determines the addresses of the remaining virus code blocks (located at the ends of the sections) and appends them to the code of its startup procedure. The virus then intercepts the IFS API and returns control to the host program.

From the point of view of the operating system, this is the most interesting procedure in the virus: after the virus has copied its code into a new block of memory and passed control there, the virus code executes as a Ring0 application, and the virus is able to intercept the IFS API (this is impossible for programs that execute in Ring3).

The IFS API interceptor handles only one function: opening files. If a file with the EXE extension is opened, the virus checks its internal format and writes its code into the file. After infecting, the virus checks the system date and calls the procedure that erases the Flash BIOS and disk sectors (see above).

When erasing the Flash BIOS, the virus uses the corresponding read/write ports; when erasing disk sectors, the virus calls the VxD function for direct disk access, IOS_SendCommand.

Known variants of the virus

The author of the virus not only released copies of infected files "into the wild", but also distributed the assembly source code of the virus. As a result, these sources were edited and recompiled, and modifications of the virus soon appeared that had different lengths but were functionally identical to their "parent". In some variants of the virus the date on which the "bomb" is triggered was changed, or this routine was never called at all.

There are also known "original" versions of the virus that trigger on days other than April 26. This is explained by the fact that the date check in the virus code is done against two constants; naturally, to set the timer of the "bomb" for any given day, it is enough to change just two bytes of the virus code.

Usually, viruses do software harm to a computer. In one way or another, viruses complicate the computer's work, monitor or steal some user data. For example, there is a very unpleasant one that very annoyingly pursues the user in any browser. But all of this is in software. A damaged, virus-infected software product can either be cured or replaced. Are there viruses that can damage your computer's hardware?

Win95.CIH virus (Chernobyl)

Chernobyl is the name given to the first computer virus that showed that viruses can damage not only software but also computer hardware. The Chernobyl virus, written in 1998 by a Taiwanese student, corrupted the BIOS contents on some motherboards, which could ruin the motherboard itself. And there were such cases. But still, its main course was the destruction of all information on the computer's hard disk. Well, there is at least some plus, because the need has subsided: all those who had the misfortune of catching this virus have already suffered.

The virus got its first name, Win95.CIH, from its author. By the way, he released three different versions of his virus, which did not differ much from each other. True, the latest version was triggered on the 26th of every month. And each version had its own number. But the second name, the Chernobyl virus, was given to it by the computer world. Why? Because the virus became active on April 26 and performed all its destructive actions on that day. And it was on this day in 1986, unfortunately, that the Chernobyl accident occurred. Although, as the author of the virus says, the launch date of the virus, April 26 of each year, was chosen only because the virus itself celebrated its birthday on that day. It celebrated, however, in its own way.

The danger of the Chernobyl virus

The Chernobyl virus no longer poses any danger, since its working environment is computers running the Windows 95 and 98 operating systems. But this does not mean there is no danger of being infected by a virus that disables the computer's hardware. It only means that many people around the world are aware of this possibility and want to repeat the success of the Taiwanese student. And some have already succeeded. But they are unlikely to become more famous than "Chernobyl", since the first of its kind is easier to remember.
