Win95.CIH (also known as Chernobyl, CIH, Spacefiller, Win32.CIH) is a virus that infects 32-bit Windows 95, Windows 98 and Windows NT executables files having the .EXE extension. When an infected program is run in a Windows 95 or Windows 98 computer, it infects the computer and becomes memory resident. The infected program will not work properly on a Windows NT computer. Once the virus becomes memory resident, it infects all the 32-bit EXE files opened. So the virus spreads to all files executed and also copied. The size of the virus code is quite small and it is about 1000 bytes. The virus will not InCrease the size of the infected file. It uses an unique method to copy its code to the infected file. It fills up the unused space available in the 32-bit EXE file (PE format) with its code. If the virus can not find a single continuous large enough empty space to copy itself, it will Slice itself up to many pieces and place them in the smaller empty slots. This virus is also known as Win95.Spacefiller for this behavior. The virus alters the header entry point to the beginning of the virus code and builds the broken up parts to one piece of code when the EXE file is run. The virus code contains the text "CIH", so it gets this name.
Win95.CIH virus has a dangerous payload that will trigger on the 26th of April or any month, depending upon the variant of the virus strain. This virus can damage the contents of the BIOS flash memory chip. Most of the new computers sold (80486 and later CPUs) have their BIOS programmed into the flash memory chips. Win95.CIH writes garbage to the flash memory chip if the chip is write-enabled. Many PC manufacturers leave the flash memory chip write-enabled. If this happens the computer will become unusable until the contents of the chip are Restored or the motherboard is replaced. After damaging the BIOS the virus also makes the data in all the hard disks unreadable.