Recovering Dead Motherboards Killed by the CIH Virus
By Gabriel Torres on October 17, 2004


Introduction

CIH virus, also known as Chernobyl or Spacefiller, is one of the fiercest computer viruses that have been created so far. When PC is infected by this virus, it just erases ROM (BIOS) memory contents in its activation date (April 26th), if this memory is of the Flash ROM type (which is true to all PCs nowadays).

As the BIOS is erased by virus, your PC won't boot up any more, and probably your motherboard will be diagnosed as "dead". A lot of PC technicians that don't know that this virus exist, simply replace the motherboard from the attacked PC. But there is solution: just reprogram the BIOS chip and your motherboard will be alive again.

So, if you are a PC technician, don't throw away dead motherboards before trying the procedure described in this tutorial. Maybe the motherboard is not really defective, but has just its BIOS erased.

The BIOS can be reprogrammed using a modern EPROM programmer - most technicians don't have this tool - or using a working motherboard as a BIOS programmer. We will teach you how this can be done.

First, you will need both the BIOS upgrade software and the BIOS contents file. These two pieces can be downloaded at the motherboard manufacturer website. In our tutorial about BIOS upgrade we explain more about these two files. If you are unfamiliar with the BIOS upgrade process, please read this other tutorial first. Write this two files in a bootable floppy (formatted with Format a: /s).

Next you will need a motherboard identical from the one "killed" by the virus. Actually, the motherboard doesn't need to be exactly the same, but has to be compatible with the BIOS chip from your defective motherboard. Since we can't tell you beforehand if the motherboard you will use to reprogram the BIOS is or is not compatible with the BIOS chips from the "killed" motherboard, we suggest you to use an identical motherboard.

The procedure to reprogram the erased BIOS chip is the following:

  1. Turn on the good motherboard and boot it with the floppy (of course you will need to install CPU, memory, VGA etc to this motherboard for it to work).
  2. At the DOS prompt, remove the good chip and replace it with the erased chip (more on this below). Yes, with the computer turned on.
  3. Run the programming software and reprogram the bad chip.
  4. Turn off the computer, remove the reprogrammed chip and install back the original (good) chip.
  5. Install the reprogrammed chip on the "killed" motherboard and test it.
  6. The defective motherboard should be working now.
  7. Use data recovery and antivirus software on the hard disk from the attacked PC, since it will be infected.

As you can see, the step number 2 is extremely delicate. If you feel uncertain of doing it, we recommend you don't try it. Better take your machine to technical support than blow it up by clumsiness.

Now let's see how the BIOS chip can be removed/replaced.

Removing the BIOS Chip

To remove the chip, you can use a small screwdriver, if the BIOS chip from your motherboard is DIP (Dual In-Line Package, see Figure 1). If it is PLCC (Plastic Leadless Chip Carrier, see Figure 2) you will need a special extraction tool.

DIP BIOS chip

Figure 1: DIP chip packing. You can remove this kind of chip using a small screwdriver.

PLCC BIOS chip

Figure 2: PLCC chip packing. For this kind you will need a special chip extraction tool.

PLCC Extraction Tool 

Figure 3: PLCC Extraction Tool, used to remove PLCC BIOS chips.

Watch out for not touching any metallic part from motherboard with the screwdriver or extraction tool, mainly any of the ROM terminals. If that happens, you can blow out motherboard.

To remove the DIP chip, just push one side of the chip and then the other side, as we shown on the following figures.

BIOS removal

Figure 4: Push one of the chip sides a little bit.

BIOS removal

Figure 5: Push the other side a little bit.

BIOS removal

Figure 6: Pull it.

BIOS removal

Figure 7: And presto!

When installing the chip back, pay attention to not insert it back in the wrong position. Let's talk about it now.

Inserting the BIOS Back

Be careful to not place the chip in wrong position, or you will probably literally burn out the BIOS chip. Both the chip and its socket have a marking called "pin 1". You have to march the pin 1 marking on the chip with the pin 1 marking on the socket.

Pin 1

Figure 8: Pin 1 notches on DIP chip and socket.

Pin 1

Figure 9: Pin 1 notches on PLCC chip and socket.

PLCC chips are easing to be installed back, because one of its side (the pin 1 side) isn't squared but triangle-shaped. Thus, it is impossible to insert them in the wrong position.

Data Recovery

After reviving your motherboard, you will probably need to recover your hard disk. We say that because if the virus was triggered to the point of erasing the BIOS chip, it probably erased your hard disk partition and FAT tables as well.

To recover your hard disk, you will need to use a data recovery software. From all softwares we tested, the best one is the Fix-cih, which is free and can be downloaded at http://www.grc.com/files/fix-cih.exe. This software is small and really efficient. You will need to create a bootable floppy and copy this program to it, and then boot the infected computer from this floppy. Format this floppy from a computer without virus (of course) and using at least Windows 98 (if you format it using DOS or Windows 95, it won't recognize FAT32 partitions and you probably won't be able to recover your hard disk). Run the software and wait. It can take a couple of hours recovering your data, specially with you have a large hard disk.

After recovering the hard disk, you will need to run an antivirus software to remove the virus, that will still be stored on your hard disk. We recommend you to download and run cleancih, which can be downloaded from http://www.pspl.com/download/cleancih.exe. This is a 20 KB DOS software, so you can copy it to your bootable floppy and run it after booting from a floppy. Don't try to boot your from your hard disk, because it is infected and you won't be able to remove the virus.

To boot your PC from a floppy disk, you need to enter setup (pressing Del key during the memory count that occurs when you turn your PC on) and change the Boot Order (or Boot Sequence) option to "Floppy", "A:, C:" or similar.

After performing all steps we described, your motherboard will be alive again and your hard disk will be recovered.

Originally at http://www.hardwaresecrets.com/article/Recovering-Dead-Motherboards-Killed-by-the-CIH-Virus/39


2004-13, Hardware Secrets, LLC. All Rights Reserved.

Total or partial reproduction of the contents of this site, as well as that of the texts available for downloading, be this in the electronic media, in print, or any other form of distribution, is expressly forbidden. Those who do not comply with these copyright laws will be indicted and punished according to the International Copyrights Law.

We do not take responsibility for material damage of any kind caused by the use of information contained in Hardware Secrets.