CIH virus to strike this Sunday

On July 26, the devastating Win95/CIH Virus is programmed to strike. And experts say its payload is unprecedented -- if you're infected, your computer may simply stop working.

The virus was first identified by Virus Bulletin, a premiere research laboratory in Great Britain that publishes a subscription newsletter about viruses. According to Nick FitzGerald, the Bulletin's editor, the virus goes beyond the traditional disk-trashing mayhem of other rogue programs.

Computers based on Intel-compatible processors use a Basic Input Output System (BIOS) to provide a cold start-up. The BIOS is software that initialises and manages the relationships and data flow between the system devices, including hard drive, serial port, parallel port, and the keyboard; it sits between those hardware devices and the operating system.

Most desktop, server, and notebook computers built in the last few years store their BIOS on a flash ROM chip. These flash chips are rewritable, which allows users and manufacturers to upgrade the BIOS with new capabilities, or to fix bugs. For the first time ever, the CIH Virus attacks the software code stored in those flash BIOS chips. The virus overwrites part of the BIOS code that's stored in some flash ROM chips. In fact, it overwrites the part of the BIOS program that runs first when the system is powered up or reset.

As a result, the virus can render your computer unbootable-- it just won't start-up at all when you turn on the power. The virus may be breaking new ground, but it still has a sense of history. Like other nasty viruses of old, it also overwrites the first megabyte of your hard drive, obliterating your files.

That loss can be devastating, but if the virus stopped there, at least your computer would still work-- if you had DOS or another operating system on a floppy disk.

According to the Virus Bulletin, CIH can be downloaded from "warez" sites on the Internet. Those are the underground or "hacker" sites that store programs, including some that claim to be hacking tools or provide additional utilities for games.

The virus is known to have been downloaded from at least one "warez" site in Europe. In one case, it was even disguised as a Windows 98 service pack. The connection to Windows 98 is not a coincidence. The CIH Virus can reportedly affect any system running Windows 95 or 98. That possibility has caused tremendous concern among researchers.

But while concern is warranted, there is no need to panic about the dangers of CIH. The virus is not yet widespread, and not every kind of flash ROM chip can be overwritten. Some are simply not affected by the payload's activation sequences.

The problem, however, is that it can be almost impossible to know whether your computer has the kind of flash ROM chip that is vulnerable to attack. There are approximately 15 to 30 chips that are commonly used in current systems. Luckily, many motherboards, including those built by Intel and sold to a variety of top computer manufacturers in the United States, come with the flash BIOS protected against attacks like this. These motherboards have a jumper set that write-protects the flash chip, much like a diskette, cassette, or VHS tape can be write-protected. However, even if the virus can't overwrite the BIOS, it will still delete data stored on hard-drives. That puts every Windows 95 and 98 based machine at risk when the virus triggers.

At present, all four known versions of the CIH Virus are connected to the date of the 26th. The first two are programmed to trigger on the 26th of April. The third takes action on the 26th of June. And the fourth, and least common, drops its payload on the 26th of every month. That's this Sunday. And if you're one of the unlucky ones who get infected, the damage can be extreme and expensive.

"PCs on which the Win95/CIH payload has triggered (completely) require the BIOS to be replaced," FitzGerald said. "This is where a rash of infections within a company can quickly become expensive."

In some cases, the BIOS can be replaced by removing the current chip and inserting a new one. But such a remedy would require the BIOS to be installed in a socket. In most cases, the Flash ROM chip is soldered to the motherboard of the computer. In that event, the entire motherboard will have to be replaced. "With some laptops, it may be more economic to buy a new machine," FitzGerald said. Such potential harm makes it prudent to take protective action right away.

While the threat may be slight, it's undoubtedly increasing. So far, the virus has been identified in Australia, Chile, France, Germany, Japan, Korea, Norway, Romania, Russia, South Africa, and Taiwan, where it may have been written. As the 26th of each new month arrives, the number of CIH victims seems destined to rise.