Chernobyl Virus Recovery Service
The Chernobyl virus is also known as CIH or Spacefiller. It is considered one of the most harmful and widely circulated viruses, overwriting crucial information on the drives of infected systems. Different anti-virus vendors have given it different names: CIH, Win95.CIH, Win32.CIH, W95/CIH.1003 and PE_CIH.
The CIH virus infects executable files and spreads whenever an infected file is run. Because many executables are launched during normal use of a computer, it can infect a large number of files quickly. There are several variants of the Chernobyl virus: some trigger on the 26th of every month, while others trigger only on 26 April or 26 June.
Once a machine is infected, the virus waits for its trigger date and then tries to overwrite the system BIOS; if that succeeds, most machines need a new BIOS chip. Chernobyl affects only Windows 95/98 (and ME) machines. Users of Windows 3.x, Windows NT, Windows 2000, DOS and Macintosh systems are not considered at risk.
CIH infects Portable Executable (PE) files by splitting the bulk of its code into small chunks that are inserted into the unused gaps normally found between the sections of a PE file (the file-alignment padding that follows each section's real content), and by writing a small re-assembly routine, together with a table locating its code fragments, into the unused space at the tail of the PE header.
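The cavity method just described, as an added example that is not part of this page or of the virus itself: the Python below builds a constructed minimal PE32 image (not a real program), locates every cavity a linker leaves in such a file (the header slack before the first section's raw data, the file-alignment padding after each section's VirtualSize, and any gap between sections), fills those cavities with an arbitrary byte string the way a multi-cavity infector would so that the file size does not change, and then flags cavities that are no longer zero-filled, which is the check a scanner for this class of infector performs. The section layout, the 0x90 filler and the payload bytes are assumptions made for the demonstration; nothing here is CIH's code.

```python
import struct

FILE_ALIGN = 0x200  # assumed FileAlignment of the constructed sample


def _section_header(name, vsize, vaddr, rawsize, rawptr):
    """Pack one IMAGE_SECTION_HEADER (40 bytes)."""
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                       rawsize, rawptr, 0, 0, 0, 0, 0x60000020)


def build_sample_pe():
    """Constructed minimal PE32 image (not a real program) with two sections
    whose raw sizes are rounded up to FILE_ALIGN, leaving zero-filled slack."""
    sections = [(b".text", 0x250, 0x1000, 0x400, 0x200),   # name, VirtualSize, VA, SizeOfRawData, PointerToRawData
                (b".data", 0x0C0, 0x2000, 0x200, 0x600)]
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<II", img, opt + 32, 0x1000, FILE_ALIGN)   # SectionAlignment, FileAlignment
    sec_tab = opt + 0xE0
    for i, s in enumerate(sections):
        img[sec_tab + 40 * i: sec_tab + 40 * i + 40] = _section_header(*s)
    for _, vsize, _, _, rawptr in sections:   # "real" content occupies only VirtualSize bytes
        img[rawptr: rawptr + vsize] = b"\x90" * vsize
    return bytes(img)


def parse_sections(pe):
    """Return (end of headers, [(name, VirtualSize, SizeOfRawData, PointerToRawData)])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sec_tab = e_lfanew + 24 + opt_size
    secs = []
    for i in range(nsec):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, sec_tab + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), vsize, rawsize, rawptr))
    return sec_tab + 40 * nsec, secs


def find_cavities(pe):
    """[(label, file offset, length)] for every byte range mapped into no
    section's real content: header slack, per-section tail padding, gaps."""
    headers_end, secs = parse_sections(pe)
    secs = sorted((s for s in secs if s[3]), key=lambda s: s[3])
    cavities, cursor, label = [], headers_end, "header slack"
    for name, vsize, rawsize, rawptr in secs:
        if rawptr > cursor:
            cavities.append((label, cursor, rawptr - cursor))
        used = min(vsize, rawsize)
        if rawsize > used:
            cavities.append((f"{name} tail", rawptr + used, rawsize - used))
        cursor, label = rawptr + rawsize, f"gap after {name}"
    return cavities


def scan_cavities(pe):
    """Cavities holding anything but zero padding: [(label, offset, non-zero bytes)].
    A linker leaves them zero-filled; a cavity infector does not."""
    hits = []
    for label, off, length in find_cavities(pe):
        nonzero = sum(1 for b in pe[off:off + length] if b)
        if nonzero:
            hits.append((label, off, nonzero))
    return hits


def simulate_cavity_infection(pe, payload):
    """Constructed demonstration: scatter an arbitrary byte string across the
    cavities in file order without growing the file. Not CIH's code."""
    img, remaining = bytearray(pe), payload
    for _, off, length in find_cavities(pe):
        chunk, remaining = remaining[:length], remaining[length:]
        img[off:off + len(chunk)] = chunk
        if not remaining:
            break
    if remaining:
        raise ValueError("not enough cavity space in this file")
    return bytes(img)


if __name__ == "__main__":
    clean = build_sample_pe()
    infected = simulate_cavity_infection(clean, bytes(range(256)) * 3)  # constructed payload
    print("cavities:", find_cavities(clean))
    print("clean hits:", scan_cavities(clean), "| size", len(clean))
    print("infected hits:", scan_cavities(infected), "| size", len(infected))
```

With a real executable, pass the file's bytes to scan_cavities(); a non-empty result is a reason to look closer rather than proof of infection, since some packers and linkers also leave non-zero data in padding. Note that the sample's cavities total 808 bytes, so a payload the size of CIH would not fit in it; the infector only succeeds on files with enough slack.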
CIH is about 1 kilobyte in size (the name W95/CIH.1003 reflects the 1003-byte original). Thanks to this multiple-cavity infection method, infected files do not grow at all. The virus jumps from processor ring 3 to ring 0 in order to hook the system's file calls. When the trigger date arrives, the first payload overwrites the first megabyte of the hard disk drive with zeroes, beginning at sector 0. This wipes out the partition table, and the machine typically hangs.
The second payload tries to write to the flash BIOS. This routine actually works on some machines: different flash ROM chips require different, chip-specific write-enable sequences, and CIH makes no attempt to identify the flash ROM type inside the machine. It carries only one write-enable sequence, so the overwrite succeeds only on hardware that happens to match it.
With the first payload, any information the virus overwrote with zeroes is lost. If the first partition is FAT32 and larger than one gigabyte, the wiped megabyte holds the MBR (i.e. the partition table), the boot sector of the first partition and the first copy of that partition's FAT.
If the first partition is not FAT32 or is smaller than 1 GB, the user data in that partition is still intact, but its root directory and FAT are gone. If the second payload completes without a hitch, the machine will not start at all and a new BIOS chip is required.
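The two outcomes described above follow directly from where FAT places its structures relative to the wiped first megabyte. As an added illustration that is not part of this page, the Python below computes the on-disk layout of a first partition from its geometry (using the FAT-size formula from Microsoft's FAT specification) and reports which structures fall inside the zeroed range. The partition start at LBA 63, 32 reserved sectors for FAT32 (1 for FAT16), two FAT copies and 4 KB clusters are assumed defaults typical of the era; a real case should use the volume's own parameters.

```python
import math

SECTOR = 512
CIH_WIPE_BYTES = 1024 * 1024   # the disk payload zeroes the first megabyte from sector 0


def fat_size_sectors(total_sectors, reserved, spc, num_fats, fat32, root_entries=512):
    """Sectors per FAT copy, as the Microsoft FAT specification sizes it when
    formatting a volume of total_sectors with spc sectors per cluster."""
    root_dir_sectors = 0 if fat32 else math.ceil(root_entries * 32 / SECTOR)
    tmp1 = total_sectors - (reserved + root_dir_sectors)
    tmp2 = 256 * spc + num_fats
    if fat32:
        tmp2 //= 2
    return math.ceil(tmp1 / tmp2)


def partition_layout(start_lba, total_sectors, fat32=True, spc=8, reserved=None, num_fats=2):
    """Map the structures of the first partition to (first LBA, sector count).
    Assumed defaults: partition at LBA 63 (classic CHS geometry), 32 reserved
    sectors for FAT32 / 1 for FAT16, two FAT copies, 8 sectors (4 KB) per cluster."""
    if reserved is None:
        reserved = 32 if fat32 else 1
    fatsz = fat_size_sectors(total_sectors, reserved, spc, num_fats, fat32)
    regions = {"MBR / partition table": (0, 1), "boot sector": (start_lba, 1)}
    if fat32:
        regions["backup boot sector"] = (start_lba + 6, 1)   # FAT32 keeps a copy at sector 6
    fat_start = start_lba + reserved
    for i in range(num_fats):
        regions[f"FAT copy {i + 1}"] = (fat_start + i * fatsz, fatsz)
    data_start = fat_start + num_fats * fatsz
    if fat32:
        regions["root directory"] = (data_start, spc)         # root lives in cluster 2
    else:
        root_secs = math.ceil(512 * 32 / SECTOR)               # fixed area: 512 entries of 32 bytes
        regions["root directory"] = (data_start, root_secs)
        data_start += root_secs
    regions["user data"] = (data_start, start_lba + total_sectors - data_start)
    return regions


def cih_disk_damage(regions, wipe_bytes=CIH_WIPE_BYTES):
    """Classify every region against a zero-fill of the disk's first wipe_bytes."""
    wipe_secs = wipe_bytes // SECTOR
    verdict = {}
    for name, (lba, count) in regions.items():
        if lba + count <= wipe_secs:
            verdict[name] = "lost"
        elif lba >= wipe_secs:
            verdict[name] = "intact"
        else:
            verdict[name] = "partly lost"
    return verdict


if __name__ == "__main__":
    # Constructed cases: a large FAT32 volume, a small FAT32 volume, a FAT16 volume.
    cases = {"2 GB FAT32": dict(total_sectors=4194304),
             "300 MB FAT32": dict(total_sectors=614400),
             "1 GB FAT16": dict(total_sectors=2097152, fat32=False, spc=32)}
    for label, params in cases.items():
        print(label)
        for region, state in cih_disk_damage(partition_layout(63, **params)).items():
            print(f"  {region:24} {state}")
```

For the 2 GB FAT32 case the second FAT copy, the root directory and all user data lie beyond the first megabyte, so FAT copy 1 can be rebuilt from copy 2; note that both the boot sector and its FAT32 backup at sector 6 sit inside the wiped range, so the BPB has to be reconstructed from the volume's geometry before the file system is usable again. For the small FAT32 and FAT16 cases both FAT copies and the root directory are gone, and the first part of the data area is clipped as well, which is why recovery there means carving files rather than repairing the file system.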
If your data has been damaged by the CIH virus or by another virus of its kind, you can contact us to recover the vital data.