CIH Virus


Name: CIH
Type: Portable-executable Infector
Description:

CIH, which first surfaced in late June 1998, is capable of overwriting master boot records (MBRs), making all the data on hard disks inaccessible. The flash memory chips of some systems are also vulnerable to attack, potentially causing unrecoverable damage.

The virus is a Windows 95/98 portable-executable file infector that insidiously hides within these files, waiting to infect additional files as they are executed. In general, infected files work correctly, giving no clue that the system is infected. A number of Windows 95/98 files cannot be repaired upon disinfection because of the mechanism by which the virus inserts itself into the files.

Windows NT systems may store infected files, though the NT systems themselves cannot be damaged by the virus.

The virus has two payloads. One of its capabilities is erasing or damaging the flash memory and/or flash BIOS of some machines. The other is to overwrite the MBR and boot sector. The file acts at the file system level, allowing it to bypass standard BIOS virus protection.

Three closely related versions of the virus are known. They differ in length, in the text inside the virus code, and in trigger date:

Virus Name        Trigger date            Found In-The-Wild
CIH 1.2 TTIT      April 26th              YES
CIH 1.3 TTIT      April 26th              NO
CIH 1.4 TATUNG    on 26th of any month    YES






Command Software Systems, Inc.
1061 East Indiantown Road · Suite 500
Jupiter · FL   33477
Phone: (561) 575-3200