The destructive effects of CIH virus, but not all is gone!

Discussion in 'Processors, Motherboards & Memory' started by The_YongGrand, Nov 25, 2014.

  1. The_YongGrand

    The_YongGrand Just Started

    We all know that virus; it was very infamous at that time, in 1999. It wrecked thousands of computers too. The "wrecked" part is because it overwrites a part of the BIOS in the system (with some unrelated content) and renders the system unbootable.

    Here is the page explaining about the dangers of that virus: CIH virus facts

    Not only does it write to the BIOS unnecessarily, but it busts the boot sector as well!

    Come to think of it, the author of the virus might have known some registers which allow reprogramming of the BIOS chip. I suspect he must have had access to a chipset datasheet at that time.

    From what I've read, if the virus has overwritten some parts of the BIOS, some of the computers *would* still boot - there will be no display unless you put an old ISA graphics card inside (I tried that many years back), and you will see something like "Award BootBlock, BIOS ROM checksum error" asking you for a floppy containing the correct *.BIN file. If you don't have the card, you can still tell that it is asking for a floppy - the floppy drive LED lights up and it makes seeking sounds.

    If it doesn't boot - I don't think that's worrying either. It's not as if the entire motherboard is busted. The program in the BIOS ROM has gone wrong, so it doesn't boot, that's all. In that case, in modern times, you can get an EEPROM programmer from eBay: EPROM EEPROM Programmer Pic BIOS Chip PCB 5c | eBay and just reprogram it with the correct BIOS.

    The programmer is expensive, but you can use it again for other brands of EEPROM. If you are too lazy to buy one, you can whip up your own programmer, probably with an Arduino or something.

    Oh, and the virus only attacked PCs with Windows 98. Newer PCs aren't affected at all due to the much better protection system nowadays. :whistle:
     
  2. Adrian Wong

    Adrian Wong Da Boss Staff Member

    Wow, this is a really old virus. Is it still in the wild?
     
  3. The_YongGrand

    The_YongGrand Just Started

    It's not in the wild anymore - it couldn't infect anything later than Windows 98. Since this virus, Windows has added protection to prevent a foreign program from reprogramming the BIOS chip.

    When I was a teenager I read about this and felt creeped out about it "destroying" the entire PC. But once you know it doesn't destroy the motherboard, it's not much to be afraid of. It only destroys the program inside the EEPROM which houses the BIOS, not the chip itself, nor anything else.

    However, armed with the knowledge from the chipset's datasheet and its registers, it's considered very straightforward for any experienced programmer.
     
    Last edited: Nov 26, 2014
  4. Adrian Wong

    Adrian Wong Da Boss Staff Member

    The trouble is most users, and even most techies, aren't tech-savvy enough to reprogram the BIOS chips. That's if they can even afford to buy the EEPROM programmer.

    So the infected motherboard would be essentially "dead" to them. :wall:
     
  5. The_YongGrand

    The_YongGrand Just Started

    I agree - this stuff about EEPROM programming appears extremely low-level to almost everyone who uses a computer, even the very experienced ones.

    I killed an old Socket 7 motherboard's EEPROM and almost disposed of it until I went to the Engineering campus! The rest is history; I managed to fix it immediately. :faint:

    An EEPROM programmer can be bought cheaply on the internet for less than $50. And it supports a big list of EEPROM models (SST/Microchip, Atmel, Winbond etc.), so if you mess up a BIOS chip from another motherboard, you can still fix it. :whistle:

    The virus wouldn't kill just any computer's BIOS. Different motherboards and different chipsets have different ways of reprogramming the BIOS. It so happened that only some of the boards were affected (probably some of the affected computers had the author's motherboard/chipset at the time the code was written). :whistle:
     
  6. Chai

    Chai Administrator Staff Member

    I still remember hot flashing the BIOS too. :haha:
     
  7. Adrian Wong

    Adrian Wong Da Boss Staff Member

    And motherboards with dual BIOS can always boot up to the alternate BIOS. :D
     
  8. The_YongGrand

    The_YongGrand Just Started

    Yeah, these engineers added those fail-safe features after that CIH incident.

    Many systems have a physical BIOS write-protect jumper. It prevents accidental reprogramming or virus attacks. :whistle:
     
  9. Adrian Wong

    Adrian Wong Da Boss Staff Member

    Oh yeah, the write-protect jumper! :thumb:

    So in a way, the CIH virus was a "good" thing. :D
     
  10. The_YongGrand

    The_YongGrand Just Started

    Yeah - the engineers scrambled to design new features so that the end-users won't toss the board away if another one of these strikes!

    The newer BIOSes have a write-protect option in the Setup, so there's no need to touch the jumper either.

    However, there are newer viruses which are identical to CIH - the "BIOS rootkit". They are probably not in the wild yet, but it's good to be aware of such things. :faint:
     
  11. Adrian Wong

    Adrian Wong Da Boss Staff Member

    The BIOS rootkit is similar in design to the Sony BMG copy protection rootkit, right?
     
  12. The_YongGrand

    The_YongGrand Just Started

    The Sony BMG ones are just plain rootkits. BIOS rootkits, however, are a new thing - they're not in the wild, but some researchers have experimented with these by intentionally creating them and infecting some test PCs.

    These BIOS rootkits install a part of their malicious program into the BIOS EEPROM as an installer. It places its code into the first few cells of the EEPROM memory, and then loads whatever program into RAM (BIOS shadowing) during bootup. Afterwards, it proceeds to infect boot sectors and whatever is inside.

    The clean-up of such a rootkit can be very difficult due to the extra need to reprogram the BIOS chip (with a fresh, uninfected BIN file) externally if the computer breaks down. Luckily newer motherboards have SPI headers so that you can plug in an external programmer to reprogram the BIOS if it breaks down, without yanking out the chip. :whistle:

    That rootkit could potentially be more destructive than CIH if these get into the wild. :faint:
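Both the CIH damage described in the first post (junk written over part of the ROM, the boot block's "BIOS ROM checksum error" and floppy recovery) and the BIOS rootkit in the post above (a small patch in the first cells of the EEPROM that keeps the system booting) come down to the same question: does the flash contents still match the vendor's BIN file, and which part changed? The script below is an added example written for this thread, not code from the thread, from any BIOS vendor or from any of the research mentioned. It compares a dump against a known-good image, reports the differing regions, and shows why a simple sum-style ROM checksum is an accident detector rather than a security control: a deliberate implant can rebalance one pad byte and pass it, while a cryptographic hash of the whole image still catches the change. Everything in it is assumed or constructed: a 64 KiB image, a boot block in the top 8 KiB (an Award-era layout, assumed here), an 8-bit sum standing in for the real vendor checksum, and synthetic images built in the script instead of real dumps.

```python
"""Compare a BIOS flash dump against a known-good image and locate what was overwritten.

Added example for this thread, not code from the thread or any BIOS vendor.
Assumptions (all labelled as such): a 64 KiB ROM image, a boot block occupying
the top 8 KiB (an Award-era convention, assumed here), a plain 8-bit sum as the
stand-in for the vendor's ROM checksum (the real algorithm is not modelled), and
synthetic images built below instead of real dumps.
"""
import hashlib

ROM_SIZE = 64 * 1024          # assumption: 512 Kbit flash image
BOOT_BLOCK_SIZE = 8 * 1024    # assumption: boot block lives in the top 8 KiB
DIFF_BLOCK = 4096             # reporting granularity for differing regions


def build_reference(seed: bytes = b"constructed-bios-image", size: int = ROM_SIZE) -> bytes:
    """Constructed stand-in for the vendor's known-good BIN file (deterministic pseudo-random)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:size])


def checksum8(data: bytes) -> int:
    """Sum-of-bytes checksum; catches accidental corruption, not deliberate tampering."""
    return sum(data) & 0xFF


def diff_regions(dump: bytes, ref: bytes, block: int = DIFF_BLOCK) -> list:
    """Return merged [start, end) ranges, at block granularity, where dump differs from ref."""
    if len(dump) != len(ref):
        raise ValueError(f"size mismatch: dump is {len(dump)} bytes, reference is {len(ref)}")
    regions = []
    for off in range(0, len(ref), block):
        end = min(off + block, len(ref))
        if dump[off:end] != ref[off:end]:
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], end)   # extend the previous contiguous region
            else:
                regions.append((off, end))
    return regions


def assess(dump: bytes, ref: bytes, boot_block_size: int = BOOT_BLOCK_SIZE) -> dict:
    """Classify the damage and which recovery path from the thread still applies."""
    regions = diff_regions(dump, ref)
    boot_block_start = len(ref) - boot_block_size
    boot_block_damaged = any(end > boot_block_start for _, end in regions)
    identical = hashlib.sha256(dump).digest() == hashlib.sha256(ref).digest()
    if identical:
        recovery = "none"
    elif boot_block_damaged:
        recovery = "programmer"   # boot block gone too: external EEPROM/SPI programmer or hot flash
    else:
        recovery = "bootblock"    # boot block intact: its floppy-based recovery can reload the BIN
    return {
        "identical": identical,
        "regions": regions,
        "boot_block_damaged": boot_block_damaged,
        "checksum_matches": checksum8(dump) == checksum8(ref),
        "recovery": recovery,
    }


def simulate_overwrite(ref: bytes, start: int = 0, length: int = 2048, filler: int = 0xCC) -> bytes:
    """Constructed CIH-style damage: a run of junk written over part of the image."""
    img = bytearray(ref)
    img[start:start + length] = bytes([filler]) * length
    return bytes(img)


def simulate_implant(ref: bytes, payload: bytes = b"CONSTRUCTED-IMPLANT", at: int = 0x40,
                     pad_at: int = 0x3FF) -> bytes:
    """Constructed rootkit-style patch in the first cells of the ROM that keeps the 8-bit sum intact."""
    img = bytearray(ref)
    img[at:at + len(payload)] = payload
    delta = (checksum8(ref) - checksum8(bytes(img))) & 0xFF
    img[pad_at] = (img[pad_at] + delta) & 0xFF     # rebalance one pad byte so the checksum still passes
    return bytes(img)


if __name__ == "__main__":
    ref = build_reference()
    scenarios = {
        "clean reflash": ref,
        "CIH-style junk at offset 0": simulate_overwrite(ref),
        "junk over the boot block": simulate_overwrite(ref, start=ROM_SIZE - 2048),
        "checksum-balanced implant": simulate_implant(ref),
    }
    for name, dump in scenarios.items():
        r = assess(dump, ref)
        print(f"{name:28s} regions={[(hex(a), hex(b)) for a, b in r['regions']]} "
              f"checksum_ok={r['checksum_matches']} boot_block_damaged={r['boot_block_damaged']} "
              f"recovery={r['recovery']}")
```

With a real board you would feed `assess()` the dump read by an external programmer (or by flashrom's `-r` read, where the chipset allows it) together with the vendor's BIN file. The "recovery" field follows the thread's own rules of thumb: a damaged main body with an intact boot block is the floppy-recovery case, and a damaged boot block means the external programmer, the SPI header or a hot flash. The implant scenario is the point to take away for rootkits: the sum still matches, only the hash comparison against a known-good image reveals the change.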
     
