Overview

CIH is a notorious computer virus that first emerged in 1998 and primarily targeted Microsoft Windows 9x systems. It is commonly referred to as "Chernobyl" because its destructive payload was set to activate on April 26 (the anniversary of the Chernobyl nuclear disaster), and as "Spacefiller" for the method it used to infect executable files. The virus was written by Chen Ing‑hau, a student from Taiwan, and became infamous for both widespread data corruption and the rare ability to overwrite PC firmware (BIOS) on some machines.

Technical characteristics

CIH infected Windows 9x portable executable (PE) files and employed a technique that avoided changing file sizes by filling unused space inside executables — hence the nickname "spacefiller." After infection, a dormant payload would remain until the trigger date, when the virus attempted to destroy data and, on some systems, to corrupt the system BIOS by writing directly to flash ROM.

  • Targets: Windows 95/98 and other 9x-series systems, which placed fewer restrictions on hardware access.
  • Infection vector: infected executable files spread through software distribution, shared files, and removable media.
  • Payload: random or pseudorandom data written into files and, on vulnerable motherboards, direct overwrites of flash BIOS sectors.
  • Trigger: date-based activation (notably April 26), though variants and copies produced different behaviors.
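
Because a space-filling infection leaves the file size unchanged, a size comparison cannot detect it. The following added example (not code from any CIH analysis or antivirus product) walks a PE section table and reports non-zero bytes in each section's padding. It assumes the "unused space" is the gap between VirtualSize and SizeOfRawData, and build_sample produces a constructed test image rather than a real executable.

```python
import struct

def section_slack(pe: bytes):
    """Return (name, slack_offset, slack_len, nonzero_count) per PE section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsects,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows optional header
    results = []
    for i in range(nsects):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        slack = max(rawsize - vsize, 0)       # file-alignment padding after real data
        start = rawptr + vsize
        nonzero = sum(1 for b in pe[start:start + slack] if b)
        results.append((name.rstrip(b"\0").decode("ascii", "replace"),
                        start, slack, nonzero))
    return results

def flagged_sections(pe: bytes):
    """Sections whose padding holds non-zero bytes (heuristic, not proof)."""
    return [r[0] for r in section_slack(pe) if r[3] > 0]

def build_sample(tail: bytes = b"") -> bytes:
    """Constructed PE-like image: one .text section, 0x200 raw bytes, 0x120 in use."""
    e_lfanew, opt_size, rawptr, rawsize, vsize = 0x40, 0xE0, 0x200, 0x200, 0x120
    img = bytearray(rawptr + rawsize)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, e_lfanew + 4, 0x14C, 1)   # i386, one section
    struct.pack_into("<H", img, e_lfanew + 20, opt_size)
    struct.pack_into("<8sIIII", img, e_lfanew + 24 + opt_size,
                     b".text", vsize, 0x1000, rawsize, rawptr)
    img[rawptr:rawptr + vsize] = b"\x90" * vsize           # stand-in for section data
    img[rawptr + vsize:rawptr + vsize + len(tail)] = tail  # bytes written into padding
    return bytes(img)

if __name__ == "__main__":
    clean, altered = build_sample(), build_sample(b"\xCC" * 64)
    print("same size:", len(clean) == len(altered))
    print("clean:", section_slack(clean), flagged_sections(clean))
    print("altered:", section_slack(altered), flagged_sections(altered))
```

Non-zero padding is only a triage signal, so a flagged file still needs to be compared against a known-good copy or hash.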

Why BIOS corruption was possible

On Windows 9x machines the operating system ran parts of DOS and allowed user-mode code to perform low-level hardware accesses that modern operating systems prohibit. CIH exploited that relaxed access model and the presence of writable flash ROMs to issue writes to the BIOS area. If the flash chip was overwritten, the machine could fail to boot until the firmware was restored — typically by reflashing the BIOS with vendor tools or replacing the chip or motherboard.

History, spread and impact

CIH was first detected in 1998 and produced notable outbreaks in 1999. It spread widely because it infected executables and was distributed on shared media and some commercial CDs. High‑profile incidents included reports of infected retail software and a case in which certain models of prebuilt systems left the factory with infected software on their hard drives. Estimates of financial damages vary; contemporary assessments placed the economic impact in the hundreds of millions to over a billion dollars globally, accounting for lost work, recovery costs, and hardware repairs.

Mitigation, response and legacy

CIH prompted changes in several areas of computer security and manufacturing. Antivirus vendors added signatures and heuristics to detect and remove the virus, vendors improved checks for shipped software, and motherboard and BIOS manufacturers implemented or encouraged write-protect mechanisms for firmware. The incident highlighted the value of routine backups, cautious handling of executables from untrusted sources, and system-level protections that prevent user-mode programs from writing directly to firmware.

Modern operating systems with strict privilege separation (for example, Windows NT‑derived systems) and improved firmware management (UEFI with secure flash protocols) make CIH-style attacks much harder to perform. Nevertheless, CIH remains an important case study in malware history because of its destructive payload and the way it influenced practices around firmware protection and secure software distribution.

For anyone researching historic malware, CIH is a reminder that software with the ability to access low-level hardware can do permanent damage. Contemporary best practices — including firmware write protection, secure update mechanisms, and the principle of least privilege — help prevent similar incidents today.