[nextpage title=”Introduction”]

CIH virus, also known as Chernobyl or Spacefiller, is one of the fiercest computer viruses that have been created so far. When PC is infected by this virus, it just erases ROM (BIOS) memory contents in its activation date (April 26th), if this memory is of the Flash ROM type (which is true to all PCs nowadays).

As the BIOS is erased by virus, your PC won’t boot up any more, and probably your motherboard will be diagnosed as “dead”. A lot of PC technicians that don’t know that this virus exist, simply replace the motherboard from the attacked PC. But there is solution: just reprogram the BIOS chip and your motherboard will be alive again.

So, if you are a PC technician, don’t throw away dead motherboards before trying the procedure described in this tutorial. Maybe the motherboard is not really defective, but has just its BIOS erased.

The BIOS can be reprogrammed using a modern EPROM programmer – most technicians don’t have this tool – or using a working motherboard as a BIOS programmer. We will teach you how this can be done.

First, you will need both the BIOS upgrade software and the BIOS contents file. These two pieces can be downloaded at the motherboard manufacturer website. In our tutorial about BIOS upgrade we explain more about these two files. If you are unfamiliar with the BIOS upgrade process, please read this other tutorial first. Write this two files in a bootable floppy (formatted with Format a: /s).

Next you will need a motherboard identical from the one “killed” by the virus. Actually, the motherboard doesn’t need to be exactly the same, but has to be compatible with the BIOS chip from your defective motherboard. Since we can’t tell you beforehand if the motherboard you will use to reprogram the BIOS is or is not compatible with the BIOS chips from the “killed” motherboard, we suggest you to use an identical motherboard.

The procedure to reprogram the erased BIOS chip is the following:

1. Turn on the good motherboard and boot it with the floppy (of course you will need to install CPU, memory, VGA etc to this motherboard for it to work).
2. At the DOS prompt, remove the good chip and replace it with the erased chip (more on this below). Yes, with the computer turned on.
3. Run the programming software and reprogram the bad chip.
4. Turn off the computer, remove the reprogrammed chip and install back the original (good) chip.
5. Install the reprogrammed chip on the “killed” motherboard and test it.
6. The defective motherboard should be working now.
7. Use data recovery and antivirus software on the hard disk from the attacked PC, since it will be infected.

As you can see, the step number 2 is extremely delicate. If you feel uncertain of doing it, we recommend you don’t try it. Better take your machine to technical support than blow it up by clumsiness.

Now let’s see how the BIOS chip can be removed/replaced.

[nextpage title=”Removing the BIOS Chip”]

To remove the chip, you can use a small screwdriver, if the BIOS chip from your motherboard is DIP (Dual In-Line Package, see Figure 1). If it is PLCC (Plastic Leadless Chip Carrier, see Figure 2) you will need a special extraction tool.

Figure 1: DIP chip packing. You can remove this kind of chip using a small screwdriver.

Figure 2: PLCC chip packing. For this kind you will need a special chip extraction tool.

 

Figure 3: PLCC Extraction Tool, used to remove PLCC BIOS chips.

Watch out for not touching any metallic part from motherboard with the screwdriver or extraction tool, mainly any of the ROM terminals. If that happens, you can blow out motherboard.

To remove the DIP chip, just push one side of the chip and then the other side, as we shown on the following figures.

Figure 4: Push one of the chip sides a little bit.

Figure 5: Push the other side a little bit.

Figure 6: Pull it.

Figure 7: And presto!

When installing the chip back, pay attention to not insert it back in the wrong position. Let’s talk about it now.

[nextpage title=”Inserting the BIOS Back”]

Be careful to not place the chip in wrong position, or you will probably literally burn out the BIOS chip. Both the chip and its socket have a marking called “pin 1”. You have to march the pin 1 marking on the chip with the pin 1 marking on the socket.

Figure 8: Pin 1 notches on DIP chip and socket.

Figure 9: Pin 1 notches on PLCC chip and socket.

PLCC chips are easing to be installed back, because one of its side (the pin 1 side) isn’t squared but triangle-shaped. Thus, it is impossible to insert them in the wrong position.

[nextpage title=”Data Recovery”]

After reviving your motherboard, you will probably need to recover your hard disk. We say that because if the virus was triggered to the point of erasing the BIOS chip, it probably erased your hard disk partition and FAT tables as well.

To recover your hard disk, you will need to use a data recovery software. From all softwares we tested, the best one is the Fix-cih, which is free and can be downloaded at https://www.grc.com/files/fix-cih.exe. This software is small and really efficient. You will need to create a bootable floppy and copy this program to it, and then boot the infected computer from this floppy. Format this floppy from a computer without virus (of course) and using at least Windows 98 (if you format it using DOS or Windows 95, it won’t recognize FAT32 partitions and you probably won’t be able to recover your hard disk). Run the software and wait. It can take a couple of hours recovering your data, specially with you have a large hard disk.

After recovering the hard disk, you will need to run an antivirus software to remove the virus, that will still be stored on your hard disk. We recommend you to download and run cleancih, which can be downloaded from https://www.pspl.com/download/cleancih.exe. This is a 20 KB DOS software, so you can copy it to your bootable floppy and run it after booting from a floppy. Don’t try to boot your from your hard disk, because it is infected and you won’t be able to remove the virus.

To boot your PC from a floppy disk, you need to enter setup (pressing Del key during the memory count that occurs when you turn your PC on) and change the Boot Order (or Boot Sequence) option to “Floppy”, “A:, C:” or similar.

After performing all steps we described, your motherboard will be alive again and your hard disk will be recovered.