Proprietary 1999-03-05 · 12 days ·Malware Distribution, Data Destruction, Hardware Damage Bios Payload

IBM Aptiva PCs shipped CIH virus

In early 1999, IBM accidentally shipped several thousand Aptiva consumer PCs pre-installed with the destructive CIH (Chernobyl) file virus.

Story

In April 1999, IBM warned that some Aptiva consumer PCs sold in the United States had shipped with CIH already on the machine. The affected systems were not infected after purchase through a download or email attachment. They left the manufacturing path dirty.

The scope was narrow but serious. Contemporary reports named Aptiva models 240, 301, 520, and 580 manufactured between March 5 and March 17, 1999. The affected labels used AM909, AM910, or AM911 after MFG DATE, giving customers a practical way to identify machines at risk.

CIH was a Windows 95 and Windows 98 PE file infector. It hid in unused space inside executable files, stayed resident after execution, and infected other programs as the system opened or ran them. Its payload made the case dangerous: on the trigger date it could overwrite hard-drive data and attempt to corrupt writable Flash BIOS firmware.

IBM said it contacted most affected customers and provided an eradication program. The timing was poor. The machines shipped in March; the common destructive trigger was April 26. A factory image had become the distribution channel for a virus built to damage both files and boot firmware.

Affected Artifacts

IBM Aptiva

· ibm.com · Hardware

Observed: 1999-03-05 to 1999-03-17
Compromised Versions: Unknown
Fixed: Not listed
Hashes: md5:2b3762908955147287db7f377d66976b

md5:7b8a3132f23f2300710631017e3f0d2f

sha256:5f778e1f90c67968a95874380a19198f7a0a860f9521935096c6bf46905f79a9

+1 more
Evidence: mirror: f-secure.com/v-descs/cih.shtml, mirror: web.archive.org/web/20000818190934/http://www.zdnet.com/zdnn/stories/news/0,4586,2236884,00.html, mirror: virustotal.com/gui/file/5f778e1f90c67968a95874380a19198f7a0a860f9521935096c6bf46905f79a9, mirror: virustotal.com/gui/file/c8b72931950b2006a96878e0a39728f725db5d4e8e62e6df2a292ae096721a89 , +11 more

Affected IBM Aptiva scope covered models 240, 301, 520, and 580 manufactured between 1999-03-05 and 1999-03-17.

Incident Context

Motive: Not Applicable
Attribution: Accidental
Cause: Manufacturing Error
Transitive: No
Actor: Accidental
User Impact: 5000

External References

Some Aptivas shipped with CIH virusweb.archive.org
Virus Threatens Aptiva PCslatimes.com
Big Blue catches cold with PC virustheregister.com
CIH (computer virus)en.wikipedia.org
Virus:DOS/CIHf-secure.com

Source record: proprietary/ibm_aptiva/meta.yaml