The deadly CIH virus, which strikes on the 26th of each month, is history. "We've seen nothing out of the ordinary," said Bill Pollak, spokesman for the Computer Emergency Response Team Coordination Center at Carnegie Mellon University in the U.S. System and anti-virus software firm Networks Associates Inc. similarly saw no activity on Wednesday.
After a variant of the virus that strikes yearly on April 26 caused widespread havoc a month ago, another variant that strikes on the 26th of every month seems to have disappeared. Last month, CIH caused the equivalent of a computer stroke in companies worldwide. "We were going nuts," said Stuart Hanley, product line manager for the Minneapolis, Minn.-based Ontrack Data International Inc. "Calls kept coming in for three days."
In total, Ontrack heard from 3,000 to 4,000 customers in the U.S., most with multiple PCs. Each one had been hit by the most destructive computer virus ever: CIH.
Because it had remained hidden for so long, the version of CIH that activated on April 26 affected an enormous number of people. South Korea estimated that between 240,000 and 600,000 PCs were affected there; Turkey believed 300,000 of its computers had been zapped; and China, India and the U.S. may have had almost 100,000 computers affected. Worldwide, the virus is estimated to have affected over 1 million PCs.
In the United States, mainly home users and students ran afoul of the computer virus, said Bill Pollak, spokesman for the Computer Emergency Response Team Coordination Center based at Carnegie Mellon University in Pittsburgh, Penn. "Most businesses [in the U.S.] had anti-virus software in place," he said. In addition, a month before the CIH meltdown, the Melissa virus had run rampant through corporate America, reminding lax administrators that system security needed to be up to snuff, said Dan Schrader, director of anti-virus firm Trend Micro Inc.'s security portal division. Because of Melissa, "the U.S. was surprisingly well off," he said.
Named for its Taiwanese creator Chen Ing-hau -- a student when he wrote the virus, now in the military -- the CIH virus moves by attaching itself to application files and spreads when other applications are opened on an infected PC. When an infected application is run on a specific date, the virus will delete the first 1MB of any hard disk -- essentially reformatting the disk -- and then attempt to erase the basic operating instructions -- called the basic input/output system, or BIOS -- for the PC's motherboard. Three variants exist: Version 1.2, which triggers on April 26 and is sometimes called "Chernobyl" as a nod to the Soviet nuclear accident that occurred on the same day; Version 1.3, which activates on June 26; and Version 1.4, which triggers on the 26th of every month.
CERT's Pollak warned that Version 1.3 is the one to watch. "June twenty-sixth is the day to watch," he said. By now, though, computer users should have gotten the message. "The point about it is that this is a known virus," said CERT's Pollak. "It's been known since June of last year. Most people have gotten the message."
Still other malicious code is waiting in the wings. Already, a new virus similar to CIH has emerged, according to Dan Takata, senior software engineer with Data Fellows Inc. Called Emperor, the new cousin to CIH erases the same file information and attempts to delete the BIOS -- the MO that made CIH so destructive.
The virus has not started spreading over the Internet, said Takata. Yet he warned that this is just the beginning; other viruses will soon come about. "There is a whole new territory of virus technology that we are now entering," he said. "It will only get worse."