CIH did something different.
Granted, CIH did modify the BIOS, but rather than replacing the BIOS with a hacked-on version so as to be able to reinfect easily, CIH erased the 'boot block', so the machine would not boot.
To add insult to injury, it also overwrote the first 200MB of the first disk.
In effect, CIH's modifications to the BIOS were the destructive payload, not the infection mechanism.
The privilege escalation was moderately clever, and relied on a combination of a security failure in the x86 instruction set - user-mode code can trivially retrieve the base address of the interrupt descriptor table - and a security failure in Win9x - that table is writeable from user-mode code. CIH used this combination to gain access to kernel mode.