According to official notices on their sites, both No. 3 Internet gaming service mplayer.com and BT's Wireplay posted infected updates to their sites, which automatically upgraded -- and infected -- customer computers. "Anywhere from zero to 1,500 of our customers could have downloaded the virus," said Paul Matteucci, CEO of Mpath which owns mplayer.com. "We are extremely sorry. Mplayer is as much a victim as anyone else who got infected."
British Telecom's Wireplay also posted an infected update program, according to an official Internet posting on its site. "Anyone who downloaded Wireplay version 2.2 between 3 p.m. on Monday afternoon and 6.30 p.m. on Tuesday evening should delete the installation file and take immediate action," stated the posting. A spokesman for BT told ZDNet News: "The CIH virus was up there but we acted extremely quickly and responsibly. As soon as we found out it was there it came down and we've contacted everyone who downloaded the affected client software. They have all been sent patches."
According to BT's spokesman, the Dr Solomons anti virus software, used to protect the client download site, did not recognise the virus at first but is now equipped to deal with the problem.
The CIH virus is deadly. When triggered, it reformats any connected hard drive and, on susceptible computers, causes the system BIOS chip to erase itself -- essentially making the computer "forget" its internal language, according to Nick FitzGerald, editor of the Virus Bulletin.
The virus activates on April 26th, June 26th, and the 26th of every month, depending on the version. It is the latter variant -- known alternatively as WIN95.CIH1.4 and WIN95.CIH.SPACEFILLER -- that Mplayer.com found in its systems. For Mpath's Matteucci, the virus represents the worst kind of Internet terrorism. "We are absolutely outraged," he said. "I would love to find the guy who wrote this thing." Matteucci told ZDNet News that mplayer.com was infected on Tuesday morning at 10 a.m. and noticed problems around 4 p.m. "By 5 p.m., we knew we had a virus," he said. "Within 15 minutes, we shut down the system."
Mplayer.com has 800,000 registered users, according to industry analyst Forrester Research. By late Thursday, Matteucci said Mplayer.com expects to post a utility that will automatically detect the virus in the mplayer.com client -- whether or not the user caught it from Mplayer -- and tell customers how to get rid of it.
While the total number of users who have caught the virus from these incidents is unknown, several victims have contacted ZDNet News. "I am positive that I got it from mplayer.com," one Quake player, who asked to remain anonymous, said via e-mail. "Over ten friends have gotten it as well. Mplayer obviously isn't going to say anything." While the company had posted a notice that it had temporarily shut down its gaming news due to the virus, the note made no mention of the possible user infection. Matteucci told ZDNet News this was because "we were not sure if we infected anyone at all."
Because the site was contaminated after July 26th -- and the virus does not trigger again until August 26th -- Mplayer subscribers should be able to purge the virus before it overwrites their hard drives.
The incidents raise the question: Are multiplayer gaming sites the cholera-laced wells of the Internet? The people who visit gaming sites are a high-risk population, said the product manager of the Internet entertainment site that had a close call with the CIH virus. "Basically, the kind of people who visit games site are Internet savvy people, they are on the Net and download on the Net," he said. Also, many gamers are also hackers, so with "the 'warez' sites they go to . . . it's pretty likely that they will get contaminated."
Adding fuel to the fire, many companies do not regularly update their anti-virus software signature files. "If they choose to update on a quarterly basis, then they won't be able to catch these types of viruses," said Vincent Gullotto, manager of anti-virus and security firm Network Associates' McAfee Labs