What is a Spacefiller virus
A spacefiller virus, also called a cavity virus, Chernobyl virus or CIH, is a rare type of computer virus that attempts to install itself by filling in empty sections of a file. By using only empty sections of a file, the virus can infect a file without changing the size of the file, making it more difficult to detect.
It is a Microsoft Windows 9x computer virus that first emerged in 1998. It affected Windows 95, 98 and ME. Its payload is very destructive to vulnerable systems, overwriting critical information on infected system drives and, in some cases, destroying the system BIOS.
How Spacefiller (Cavity) Viruses Are Different
Most viruses simply attach themselves to the end of the file and then change the beginning of the program so that it points first to the virus rather than to the actual program code. This changes the size of the file, which makes it easy to find out that something hidden has been added to the file.
A spacefiller (cavity) virus is smarter. Some program files have empty space inside them. This virus attempts to install itself in this empty space without damaging the actual program itself. The virus does not increase the length of the program and also does not alter the code of that file. It can avoid antivirus programs.
The most popular spacefiller is the Lehigh virus.
When a CIH-infected file is executed on a system, the virus becomes resident and infects every executable file that is accessed. It will register itself as a driver to avoid easy disinfection methods. The files infected by CIH often have the same size as the uninfected copy because of the way it infects files: the virus first searches for continuous blocks of empty or unused space in the file large enough to hold its code (hence the nickname Spacefiller). If no suitable amount of space is found, CIH will retry the search, this time looking for enough total space to place its code in chunks of a certain size. If this check also fails, it will fall back to common infection behavior (append itself to the end of the file and add a jump to the appended code at the very beginning of the file).
It triggers on April 26.
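Because a cavity infection leaves the file size unchanged, a defender has to look inside the file instead. The following added example, which is not part of the original page, lists the padding at the end of each section of a PE file and counts the non-zero bytes in it. The function names, the assumption that the host is a PE file and the constructed sample bytes are this example's own.

```python
import struct

def cavity_report(pe: bytes):
    """Return [(section, slack_len, nonzero_in_slack)] for a PE file image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    n_sections, = struct.unpack_from("<H", pe, pe_off + 6)
    opt_size, = struct.unpack_from("<H", pe, pe_off + 20)
    table = pe_off + 24 + opt_size       # section table follows optional header
    report = []
    for i in range(n_sections):
        hdr = table + 40 * i             # each section header is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _rva, raw_size, raw_ptr = struct.unpack_from("<4I", pe, hdr + 8)
        if vsize == 0 or raw_size == 0:
            continue                     # no usable size information
        # Slack: bytes stored on disk beyond what the section really uses.
        slack = pe[raw_ptr + min(vsize, raw_size):raw_ptr + raw_size]
        report.append((name, len(slack), sum(1 for b in slack if b)))
    return report

def build_sample(slack_fill: bytes = b"\0") -> bytes:
    """Constructed one-section PE skeleton for the demo (not a loadable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = (b".text\0\0\0" + struct.pack("<4I", 0x120, 0x1000, 0x200, 0x200)
            + b"\0" * 16)
    head = (dos + coff + sect).ljust(0x200, b"\0")
    body = b"\x90" * 0x120 + slack_fill * (0x200 - 0x120)   # stand-in code + slack
    return head + body

if __name__ == "__main__":
    for label, image in (("clean", build_sample()),
                         ("slack filled", build_sample(b"\xCC"))):
        print(label, len(image), cavity_report(image))
```

Non-zero slack is a triage signal, not proof of infection, since some linkers and packers leave data there; comparing a hash against a known-good copy of the file is the stronger check.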
How to Remove Spacefiller Viruses
This type of virus is difficult to write, and there are a limited number of possible hosts, so cavity viruses are rare so far. However, they cannot be removed with ordinary antivirus programs.
You need to have knowledge of the command prompt. Most of the time, the identifiable command of a spacefiller virus is identified as “CIH_file”.