Virus type: File Infector
Destructive: Yes
Aliases: CIH, Chernobyl, Win95.CIH, Win32.CIH, W95.CIH V1.2, W95.CIH V1.3, W95.CIH V1.4
Pattern file needed: 593
Scan engine needed: 2.062
Overall risk rating: Low

Reported infections: Low
Damage Potential: High
Distribution Potential: Low


This destructive file infector inserts itself into free space in a PE file, both at the end of the file and in gaps within it. The change in file size is not noticeable. Once the virus is triggered, it overwrites the hard drive and destroys the flash BIOS. The virus has three variants, each triggered on a separate date: CIH v1.2 is triggered on April 26, CIH v1.3 is triggered on June 26, and CIH v1.4 is triggered when the current system date is 26. On a system infected with PE_CIH v1.2, a message is displayed upon reboot. This virus only infects Windows 95/98 systems and does not affect Windows NT/2000 systems.


Even though data recovery is possible after this virus unleashes its payload, many users will find it difficult to do so. Therefore, Trend Micro encourages all users to clean all files detected as PE_CIH with an Emergency Rescue Disk (ERD).

