CERT® Incident Note IN-99-03The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
We have received a number of information requests about a computer virus named CIH. Anti-virus vendors have given this virus the following names: CIH, Win95.CIH, PE_CIH, Win32.CIH, and W95/CIH.1003. The virus has also been called the Chernobyl virus. Some versions of the CIH virus become active on April 26, 1999 which is the 13th anniversary of the Chernobyl disaster.
In addition to this Incident Note please see the CIH FAQ (Frequently Asked Questions) document.
The CIH virus infects executable files and is spread by executing an infected file. Since many files are executed during normal use of a computer, the CIH virus can infect many files quickly.
There are several variants of the CIH virus. Some activate every month on the 26th, while other variants activate just on April 26th or June 26th. Once the CIH virus activates, the virus attempts to erase the entire hard drive and to overwrite the system BIOS. Some machines may require a new BIOS chip to recover if overwritten by the CIH virus. CIH only affects Win95/98 machines.
More technical details about the CIH virus can be found at the following site.
The following items will help to prevent the CIH virus from deleting your data or writing to the BIOS, but if your computer has already been damaged by the CIH virus the following will not help to recover. If your computer has been damaged by the CIH virus we recommend you contact your computer vendor or motherboard vendor to find out how to recover the system BIOS. The data on the hard drive might not be recoverable, but a data recovery service might be able to retore some portion of the data.
Many motherboards have a "jumper" that will enable or disable the ability to write to the BIOS. To prevent the CIH virus or any other program from writing to your computer BIOS, we recommend that you set the motherboard jumpers so that the BIOS can not be modified. Some motherboards vendors may ship with the jumper set in the writable/programmable mode for the BIOS.
This is a known virus and anti-virus vendors are able to detect the CIH virus. To detect and remove current viruses, you must update your scanning tools and anti-virus software with the latest virus signatures or definitions. To properly clean the CIH virus we recommend booting an infected computer from a clean floppy diskette (one that is not infected) and then run anti-virus software.
Vendor InformationBelow is a list of anti-virus vendors that have futher infomation and tools relating to the CIH virus.
Computer Associates InoculateIT
Current Virus Signature Versions that Detect and Cure the CIH virus are as follows:
Data Fellows F-Secure Anti-Virus
This document is available from: http://www.cert.org/incident_notes/IN-99-03.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1999 Carnegie Mellon University.