CIH virus finds a few victims

CIH impact was minimal, but don't say that to Boston College students who lost term papers.
Written by Bob Sullivan, Contributor

The Windows CIH/Chernobyl virus found victims Monday, and had heartbreaking consequences.

There was a serious outbreak at Boston College, where many students preparing for final exams discovered a semester's worth of work had been erased. Hundreds of computers in Singapore and Hong Kong were also infected. But while such pockets of infections are disastrous for the victims, a widespread outbreak of infections never materialized.

CIH vs. Melissa
In the post-Melissa virus world, virus companies drummed up attention in the days leading up to the 26th, when CIH and its variants strike. The Melissa virus, which struck last month, shocked the computer world when it forced companies around the country to shut down e-mail services.

CIH can cause irreparable damage to your computer, but only if you're running Windows 95 or Windows 98. First it erases the first megabyte of information on your hard drive, a critical area which acts like a table of contents for your computer. Without it, your computer can't find anything.

Then it attempts to alter your computer's BIOS, or Basic Input Output System. That renders the PC basically useless.

But CIH and Melissa are very different beasts. Melissa was special because she was able to spread so fast -- much faster than virus protection software could be updated. When Melissa hit, on a Friday afternoon, no virus software could protect victims. But every major virus package now has protection against CIH. So while CIH has more dangerous consequences, chances of infection are infinitely smaller.

Victims feel the pain
Students at Boston College apparently didn't heed warnings which had been issued by the computer science department for weeks. The outbreak there was so bad that a message at the school's computer help desk urges students to not turn on their computers until Tuesday.

"Right after midnight people started calling in and saying 'My computer doesn't know it's a computer anymore,' " said a BC computer lab employee. "Whoever said that it's not a big deal, I'd like to have them come in here and look around."

The worst damage appeared to be taking place in Asia and parts of Europe, where antivirus protection is less prevalent, and with pirated software, which is often filled with bugs. Security firm Data Fellows Inc. told MSNBC that 100 machines in Hong Kong were infected, along with 200 in Singapore and 10 "major companies" in India. A smattering of machines in the United Kingdom, Sweden, Japan, Malta, Finland, and New Zealand were also hit, according to spokesman Mikko Hypponen.

CIH can be contracted by downloading an infected file, inserting an infected floppy disk into your machine, or by opening an infected e-mail attachment.

The so-called CIH or "space filler" virus originated in Asia last summer and hits on the 26th of each month. A variant, CIH 1.2, that appears only once a year in April, is the "most prevalent and dangerous" form of the virus, said Sal Viveros, marketing vice president for Network Associates Inc., the largest computer security company.

The virus is also called the Chernobyl virus because it's timed to go off on the anniversary of the Russian nuclear accident, one of technology's worst disasters.

The virus is designed to hide from view by inserting itself into empty coding slots on a computer's software utilities. Viruses are often detected because they use up extra space on hard drives, but the "space filler" characteristic helps CIH avoid that traditional method of detection. It can lie dormant for months before causing damage.
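The size-based detection described above can be compared with a content hash in a short check. This is an added example, not part of the original article; the file names, their contents and the function names are constructed for illustration.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size, SHA-256 hex digest) of a file's contents."""
    with open(path, "rb") as fh:
        data = fh.read()
    return len(data), hashlib.sha256(data).hexdigest()


def compare(baseline):
    """Classify each baselined file: unchanged, resized, or modified-in-place."""
    report = {}
    for path, (old_size, old_hash) in baseline.items():
        size, digest = fingerprint(path)
        if digest == old_hash:
            report[path] = "unchanged"
        elif size != old_size:
            report[path] = "resized"
        else:
            # Same length, different bytes: a size-only check sees nothing.
            report[path] = "modified-in-place"
    return report


def demo():
    """Run the check on constructed stand-in files (not real executables)."""
    workdir = tempfile.mkdtemp()
    paths = {n: os.path.join(workdir, n) for n in ("clean", "filled", "grown")}
    for path in paths.values():
        with open(path, "wb") as fh:
            fh.write(b"HEADER" + b"\x00" * 64 + b"BODY")  # zero run = unused space
    baseline = {p: fingerprint(p) for p in paths.values()}
    with open(paths["filled"], "r+b") as fh:  # overwrite unused bytes, same length
        fh.seek(6)
        fh.write(b"X" * 32)
    with open(paths["grown"], "ab") as fh:    # append bytes, length grows
        fh.write(b"Y" * 32)
    report = compare(baseline)
    return {name: report[path] for name, path in paths.items()}


if __name__ == "__main__":
    print(demo())
```

The "filled" file keeps its original length, so only the hash comparison flags it, while the "grown" file would have been caught by a size check alone.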

"People should make sure they have the latest antivirus software run on their computers," said Bill Pollak, of Carnegie Mellon's Software Engineering Institute, which runs the Computer Emergency Response Team, or CERT. The center has already prepared an "incident" note on its site.
