CIH computer virus toll tops 540,000

The destructive CIH computer virus slammed South Korea and Turkey on Monday -- crashing more than half a million computers by reformatting hard drives and, in some cases, zapping a key chip on the computers' motherboards.
Written by ZDNet Staff, Contributor

The virus, believed by anti-virus software firms to have originated in Taiwan, infects computers running Windows 95 and 98 when a previously infected executable file -- one with the .EXE extension -- is run. CIH activates only on specific dates. Two variants of the virus struck on Monday: The more widespread variant strikes every April 26, while the less common strain strikes on the 26th day of every month. The April variant is also known as the Chernobyl virus because its activation date -- April 26 -- is the anniversary of the 1986 Chernobyl nuclear disaster in the former Soviet Union. Both variants, and a third that strikes on June 26, were discovered in May 1998.

While only scattered reports, possibly totalling 10,000 systems, were recorded in the United States, both the Korean and Turkish governments admitted to much more widespread infections. In the Republic of Turkey, more than 300,000 computers were affected by the virus, said government officials on Tuesday, according to an Associated Press report. The virus hit computers in some private banks, police departments, an army school, an airport in Izmir on Turkey's Aegean coast and the state-owned TRT television.

The Republic of Korea was hit equally hard -- with anywhere from a government-admitted 240,000 computers hit to the industry's estimate of 600,000. The Korean Information and Communication Ministry said anti-virus program developers received reports of infection from about 1,000 private companies, 200 government and public organisations and 300 universities. In addition, the Korean Supreme Court had to delay some rulings because evidence saved on computers was lost, said Susan Orbuch, spokeswoman for anti-virus firm Trend Micro Inc., which has an office in Korea.

That makes the virus much more destructive than the Melissa virus, which infected over 100,000 computers in the United States at the end of March, putting CIH at the top of the viral heap, said Rob Rosenberger, Webmaster of Computer Virus Myths Homepage. "If these numbers are right, CIH has broken the record for viruses," he said, adding that he had thought the Chernobyl outbreak would have been smaller. "With all of the updating out there for Melissa, these people somehow failed to protect themselves against CIH."

Experts weren't sure why either Korea or Turkey took the brunt of the CIH outbreak. One theory: The CIH virus piggybacked on pirated software, common in countries outside the United States. In fact, Ted Loh, managing director of Thai system integrator Tygre Systems Co. Ltd., estimated that 20 percent of CD-ROMs in Thailand carry the CIH virus.

Loh points to the pirated CD-ROMs as the No. 1 reason for the massive infection, which in Thailand could reach several thousand, he estimated. In addition, Asia was largely unaffected by the Melissa virus, preventing countries from preparing for a more serious virus outbreak. With Melissa much more publicised in the United States, organisations updated their virus software and raised awareness of viruses in general. "The Melissa virus was a very valuable wake-up call, especially in the United States where a lot of companies are dependent on Outlook and Microsoft Exchange," said Dan Schrader, director of product marketing for anti-virus firm Trend Micro Inc. "In updating for the Melissa virus, most American companies unwittingly protected themselves against CIH."

Some U.S. universities and corporations reported tens, and occasionally hundreds, of cases, but for the most part, U.S. users were prepared for CIH's activation day. According to the CERT Coordination Centre at Carnegie Mellon University, a total of 195 organisations have reported problems involving 2,023 computers. The majority of reports have been from home computer users and educational institutions, said Bill Pollak, spokesman for the Centre.

Among the academic institutions, Notre Dame had at least 130 machines hit, Boston College students lost data on about 100, and several were downed at Vanderbilt. "CIH did not have a negligible impact here," wrote Bob Zwaska with the Office of Information Technologies at the University of Notre Dame in a Tuesday e-mail.

Several students lost term papers and final theses as the school year was coming to a close. "More people [need to] take the CIH virus seriously," wrote a Notre Dame student, Brian Snyder, whose roommate's computer stopped working on Monday after being hit with the nasty virus. "Especially on college campuses where file sharing is everywhere."

Reuters contributed to this report.
