Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Chernobyl
Effects
On April 26, Chernobyl activates and carries out the following actions:
- It deletes all information from the hard disk by formatting it.
- It deletes the content of the BIOS in computers with an Intel Pentium microprocessor (based on 430TX).
- It infects executable files with an EXE extension used in Windows 98, Windows 95 or Windows NT computers.
Infection strategy
Chernobyl follows this routine to carry out its infection:
- It detects when a file with an EXE extension is used. It does this by capturing the IFS (Installable File System).
- It infects files with an EXE extension without arousing suspicion, because it does not increase the file size. To do this, it distributes its infection code across the unused spaces in these files.
- EXE files in PE (Portable Executable) format contain quite a few empty spaces. This is the reason Chernobyl targets them.
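To make the "unused spaces" concrete from an analyst's side, the following added example (not part of the original encyclopedia entry) measures the alignment padding at the end of each PE section and counts non-zero bytes in it. The function names, the sample section contents and the `0xAA` marker bytes are all constructed for illustration; the sample image is a header skeleton, not a loadable program.

```python
import struct

def section_slack(image: bytes):
    """Return [(name, slack_bytes, nonzero_bytes_in_slack)] for each PE section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature gives the section count and optional-header size.
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    report = []
    for i in range(nsect):
        name, vsize, _, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        # On disk each section is padded up to the file alignment; the bytes
        # between VirtualSize and SizeOfRawData are the unused space.
        slack = max(raw_size - vsize, 0)
        pad = image[raw_ptr + vsize: raw_ptr + vsize + slack]
        nonzero = sum(1 for b in pad if b)
        report.append((name.rstrip(b"\0").decode("ascii", "replace"), slack, nonzero))
    return report

def build_sample(sections, file_align=0x200):
    """Constructed PE skeleton for the demo: sections = [(name, content_bytes)]."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers_len = e_lfanew + 24 + opt_size + 40 * len(sections)
    raw_ptr = -(-headers_len // file_align) * file_align  # round up to alignment
    table, body = b"", b""
    for name, content in sections:
        raw_size = -(-len(content) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name, len(content), 0x1000, raw_size,
                             raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += content.ljust(raw_size, b"\0")
    head = dos + b"PE\0\0" + coff + bytes(opt_size) + table
    return head.ljust(raw_ptr, b"\0") + body

if __name__ == "__main__":
    clean = build_sample([(b".text", b"\x90" * 0x150), (b".data", b"\x01" * 0x1F0)])
    marked = bytearray(clean)
    marked[0x350:0x358] = b"\xAA" * 8   # constructed marker written into .text padding
    print(len(clean) == len(marked))     # file size is identical
    print(section_slack(clean))
    print(section_slack(bytes(marked)))
```

Non-zero bytes in section padding are a heuristic signal rather than proof of infection, since some legitimate tools also place data there; comparing against a known-good copy of the same file is the stronger check.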
Means of transmission
Chernobyl does not use any special means of transmission. It can spread through the means normally used by viruses: e-mail messages, computer networks, FTP file transfers, CD-ROMs, floppy disks, etc.
Further Details
Some further facts about Chernobyl:
- It first appeared in Taiwan, according to the Taipei authorities at the time.
- It was created by 24-year-old Chen Ing-Hau. His initials, CIH, are one of the other names by which Chernobyl is known.
- The first people to be infected were groups of software pirates dedicated to transferring game files over the Internet. Through these groups, Chernobyl proliferated worldwide very rapidly.
CIH v1.2 TT IT.
Chernobyl is also the name of a virus family. This means that there are other, similar viruses (variants) that differ slightly from it. The most common ones are:
- The variant Chernobyl.1010 activates on June 26 and its code contains the following string: CIH v1.3 TT IT.
- The variant Chernobyl.1019 activates on the 26th of any month and its code contains the following string: CIH v1.4 TATUNG.