Twenty-seven years ago today, at the stroke of midnight on April 26, 1999, one of the most destructive pieces of malware ever written silently detonated across hundreds of thousands of machines worldwide. The CIH virus — nicknamed the “Chernobyl virus” because its trigger date coincides with the anniversary of the 1986 nuclear disaster — zeroed out hard drives and attempted to flash junk data into motherboard BIOS chips, rendering computers completely unbootable. It did all of this in just 1 kilobyte of code.

CIH Virus — Key Statistics

Virus Size: ~1 KB
Computers Infected: ~60 million
Estimated Damage: $40 million (commercial losses)
Systems Targeted: Windows 95, 98 & ME only
Creator: Chen Ing-hau, Tatung University, Taiwan
First Detected: June 1998, Taiwan

Origins: A Student’s Challenge

CIH was written in 1998 by Chen Ing-hau, a computer science student at Tatung University in Taiwan. The virus’s name derives directly from his initials — the letters “CIH” were embedded as a text string within the malware’s code. According to Chen himself, he created the virus to challenge antivirus vendors, who he believed were vastly overstating their products’ detection capabilities. What began as a technical provocation would quickly spiral into a global catastrophe.

Sophos obtained its first sample of CIH in June 1998, submitted by a customer in Taiwan. Within weeks, the virus had spread beyond Taiwan’s borders — detected in Austria, Australia, Israel, and the United Kingdom within the first week alone, followed quickly by reports from Switzerland, Sweden, the United States, Russia, and Chile. The virus had gone global with alarming speed.

“The trigger date, April 26, coincides with both the anniversary of the Chernobyl nuclear disaster and — perhaps more tellingly — Chen Ing-hau’s own birthday.”

— Virus historians & security researchers

The Technical Ingenuity Behind the Devastation

What made CIH so remarkable — and so dangerous — was its method of concealment. Conventional viruses of the era appended their code to the end of executable files, inflating file sizes and making them relatively easy for antivirus software to detect. CIH took a fundamentally different approach, earning it the alternate name Spacefiller.

// How CIH concealed itself — “cave-filling” technique

PE File Structure: Sections aligned by defined header values
   → Unused “cave” gaps exist between section boundaries

CIH Method: Split payload across these inter-section gaps
   → File size remains completely unchanged
   → Size-based integrity checks still pass

// Result: bypassed size-based antivirus verification entirely

When an infected executable was run, CIH became memory-resident and silently infected every other PE (Portable Executable) file the user opened — without the infected files growing by a single byte. This made it effectively invisible to the file-size verification mechanisms that most antivirus software of the time relied upon.
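The following sketch is an added example, not code from the original article or from CIH. It shows the defender's view of the gaps described above: it reads a PE section table, measures the unused slack at the end of each section's raw data, and compares what a file-size check, a content hash and a "non-zero bytes in slack" heuristic report. The function names, the marker string and the two-section sample image are constructed for illustration, and the sample omits the optional header for brevity.

```python
import hashlib
import struct

def section_slack(pe: bytes):
    """Per section: (name, slack file offset, slack length, non-zero bytes in slack)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsect,) = struct.unpack_from("<H", pe, pe_off + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 20)   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                            # first section header
    found = []
    for i in range(nsect):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        start = rptr + min(vsize, rsize)      # end of the data the section really uses
        slack = pe[start:min(rptr + rsize, len(pe))]  # padding up to file alignment
        found.append((name.rstrip(b"\0").decode("ascii", "replace"),
                      start, len(slack), sum(b != 0 for b in slack)))
    return found

def build_sample(marker: bytes = b"") -> bytes:
    """Constructed two-section PE-like image for the demo; it is not a runnable program."""
    align = 0x200                                   # file alignment used by the sample
    img = bytearray(3 * align)                      # headers + .text + .data
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 2)    # i386, two sections
    # SizeOfOptionalHeader stays 0 (simplification), so the section table is at 0x58.
    for i, (name, vsize) in enumerate([(b".text", 0x150), (b".data", 0x1F0)]):
        rptr = align * (i + 1)
        struct.pack_into("<8sIIII", img, 0x58 + 40 * i, name, vsize, 0x1000 * (i + 1), align, rptr)
        img[rptr:rptr + vsize] = b"\xAA" * vsize    # stand-in for real section contents
    img[0x350:0x350 + len(marker)] = marker         # inert bytes in the .text slack
    return bytes(img)

def compare(baseline: bytes, suspect: bytes) -> dict:
    """What a size check, a content hash and the slack heuristic each report."""
    return {
        "same_size": len(baseline) == len(suspect),
        "same_sha256": hashlib.sha256(baseline).digest() == hashlib.sha256(suspect).digest(),
        "dirty_slack": [name for name, _off, _len, nonzero in section_slack(suspect) if nonzero],
    }

if __name__ == "__main__":
    print(section_slack(build_sample()))
    print(compare(build_sample(), build_sample(b"CONSTRUCTED-MARKER")))
```

Linkers normally zero-fill this padding, so non-zero slack is a triage heuristic rather than proof of tampering; the hash comparison against a known-good baseline is the check that does not depend on file size.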

The virus operated exclusively on Windows 9x systems — Windows 95, 98, and ME. Windows NT was immune due to architectural differences in how the operating system handled kernel-level privileges. On vulnerable machines, CIH exploited a flaw to escalate from application-level access to kernel-level privileges, silently infecting files as the user worked.

The Dual Payload: A Two-Stage Attack

On its trigger date, CIH deployed a devastating two-stage payload. First, it overwrote the initial megabyte of the system’s boot drive with zeros — destroying the partition table and making the disk’s contents entirely inaccessible. Second, it attempted to flash garbage data into the motherboard’s BIOS chip.

The BIOS attack was what made CIH historically unprecedented. No previous virus had been capable of physically damaging computer hardware in this way. On systems using Intel 430TX-based chipsets with unprotected flash memory, a successfully corrupted BIOS left the machine unable even to power on. Repair required physically replacing the BIOS chip — or the entire motherboard.

“Once the BIOS is successfully rewritten, the device will be completely unbootable. It requires replacement of the corresponding chip to be repaired.”

— Security analysis of CIH payload behavior

How CIH Spread So Far

The virus spread primarily through pirated software channels in the summer of 1998. But several infections traced back to entirely legitimate commercial sources, underlining how thoroughly CIH had penetrated global software supply chains.

  • Apr 1998: CIH Created. Chen Ing-hau writes the first version of CIH at Tatung University, Taiwan. The trigger date, April 26, matches both the Chernobyl disaster anniversary and his birthday.
  • Jun 1998: First Detection. Sophos receives the first CIH sample from a customer in Taiwan. Within days, the virus is detected in multiple countries across Europe, the Middle East, and the Americas.
  • Summer 1998: Global Spread. CIH spreads worldwide through pirated software networks. Infected files appear on game software distribution sites in the United States, triggering a global epidemic.
  • Mar 1999: IBM Aptiva Incident. IBM ships a batch of Aptiva brand desktop computers with CIH pre-installed on their hard drives — just one month before the virus’s trigger date.
  • Early 1999: Yamaha & DEF CON. Yamaha distributes an infected firmware update package for its CD-R400 drives. Separately, copies of the hacker tool Back Orifice 2000 handed out at DEF CON 7 are also found to carry CIH.
  • Apr 26, 1999: Detonation Day. CIH v1.2 triggers worldwide. Hundreds of thousands of machines lose their hard drive data; many have their BIOS chips corrupted. An estimated 60 million computers are ultimately affected.
  • 2000: Aftermath & Investigation. Chen Ing-hau is detained and investigated by Taiwanese authorities, but is never criminally charged — no victims formally filed lawsuits as required under local law at the time.
  • Post-1999: Legislative Change. The CIH incident directly prompts Taiwan to enact new computer crime legislation to close the legal gaps that allowed Chen to escape prosecution.

The Aftermath: Law, Legacy, and Lessons

In the immediate aftermath of the April 26, 1999 detonation, Taiwanese prosecutors faced a significant legal problem: under the laws at the time, criminal charges required that victims formally file complaints. Despite the scale of global damage — estimated at $40 million in commercial losses, with some accounts suggesting figures far higher — no victims came forward with lawsuits against Chen. He was detained and questioned in 2000, but ultimately never charged with or convicted of any crime.

The incident was not without consequence, however. It directly prompted Taiwan to pass new computer crime regulations, closing the legislative loopholes that had made prosecution impossible. Chen Ing-hau later went on to work in the technology industry, reportedly in security-related roles.

From a technical standpoint, CIH’s legacy is profound. It was the first virus ever demonstrated to cause physical hardware damage — an achievement that malware researchers still reference today. Its space-filling concealment technique foreshadowed the sophisticated evasion tactics that modern malware continues to employ: living inside legitimate processes, leaving minimal forensic footprints, and targeting not just data but the integrity of the machines themselves.

“CIH’s destructive power remains unmatched by most modern malware — even 27 years later, few programs have managed to permanently brick hardware at such scale.”

— Tom’s Hardware, April 26, 2026

Why It Still Matters in 2026

Today, Windows 9x is long extinct and CIH poses no real-world threat. But the lessons it taught — and the questions it raised — remain urgently relevant. The virus demonstrated that supply chains, not just user behavior, are attack surfaces: CIH reached millions of machines through pre-installed systems and legitimate firmware update packages, not merely through pirated software.

It also proved that antivirus vendors of the era were over-relying on simplistic file-size heuristics, a vulnerability that Chen had specifically designed his virus to exploit. The arms race between evasion and detection that CIH helped ignite in 1998 continues unabated — modern malware routinely uses techniques to hide within legitimate processes, avoid behavioral signatures, and persist without detection. The Spacefiller’s spirit lives on, even if its code does not.

On this 27th anniversary, CIH stands as a reminder that the most dangerous software is often the most elegant — and that the gap between a clever university student and a global catastrophe can be measured in kilobytes.


SOURCES & REFERENCES
Tom’s Hardware (April 26, 2026)  ·  Wikipedia: CIH (computer virus)  ·  Kaspersky Threat Encyclopedia  ·  Sophos Security Blog (2018 retrospective)  ·  TechTarget / SearchSecurity  ·  Virus.Wikidot.com (CIH technical analysis)