Chernobyl
Threat LevelDamageDistribution

Effects 

On April 26, Chernobyl activates and carries out the following actions:

• It deletes all information from the hard disk by formatting it.
• It deletes the content of the BIOS in computers with an Intel Pentium microprocessor (based on 430TX).
• It infects executable files with an EXEextension used in Windows 98, Windows 95 or Windows NT computers.

Infection strategy 

The routine followed by Chernobyl in order to carry out its infection is:

• It detects when a file with an EXE extension is used. It does this by capturing the IFS (Installable File System)
• It infects files with an EXE extension without arousing suspicion because it does not increase the file size. In order to do this, it distributes its infection code in the unused spaces in these files.
• EXE files in PE (Portable Executable) format contain quite a few empty spaces. This is the reason Chernobyl targets them.

• In Windows 2000 Pro or Windows NT computers, Chernobyl goes memory resident every time an infected EXE file is run.
• It infects all the EXE files accessed by the user or the system in Windows 98 and Windows 95 computers.

Means of transmission 

Chernobyl does not use any special means of transmission. It can spread through the means normally used by viruses: e-mail messages, computer networks, FTP file transfers, CD-ROMs, floppy disks, etc.

Further Details  

In order to give you further information about Chernobyl, below is a list of interesting facts:

• It first appeared in Taiwan, according to the Taipei authorities at the time.
• It was created by 24 year old Chen Ing-Halu. The initials of his name CIH are one of the other names by which Chernobyl is known.
• The first people to be infected were groups of software pirates dedicated to transferring games files over the Internet. Through these groups, Chernobyl very rapidly proliferated worldwide.
  CIH v1.2 TT IT.
• Chernobyl is also the name of a virus family. This means that there are other viruses, which are similar  (variants), but slightly different. Below is a list of the most common ones:

The variant Chernobyl.1010 activates on June 26 and its code contains the following string: CIH v1.3 TT IT.

The variant Chernobyl.1019 activates on the 26 of any month and its code contains the following string: CIH v1.4 TATUNG.