That day -- a month ago -- the phone lines lit up at data recovery firm ONTRACK International Inc. and three letters repeatedly came over the line: CIH, CIH, CIH. "We were going nuts," said Hanley, product line manager for the Company based in Minneapolis. "Calls kept coming in for three days."
In total, between 3,000 and 4,000 customers -- most with multiple PCs -- called in a panic, asking for aid in recovering data lost to, perhaps, the most destructive computer virus ever: CIH. The consensus, however, is that the computer virus has blown itself out. The variant that strikes on the 26th of every month will be relatively scarce Wednesday, several experts said.
Named for its creator Chen Ing-hau -- a student when he wrote the virus, now in the Taiwanese military -- the CIH virus moves by attaching itself to application files and spreads when other applications are opened on an infected PC. When an infected application is run on a specific date, the virus will delete the first 1MB of any hard disk -- essentially reformatting the disk -- and then attempt to erase the basic operating instructions for the PC's motherboard.
Three variants exist: Version 1.2 which triggers on April 26 and is sometimes referred to as "Chernobyl" as a nod to the Soviet nuclear accident that occurred on the same day; version 1.3 which activates on June 26; and, version 1.4 which triggers on the 26th of every month. Because it had remained hidden for so long, the version of CIH that activated on April 26 affected an enormous number of people. South Korea estimated that between 240,000 and 600,000 PCs were affected; Turkey believed 300,000 of its computers had been zapped; and China, India and the U.S. may have had almost 100,000 computers affected.
In the United States, mainly home users and students ran afoul the computer virus, said Bill Pollak, spokesman for the Computer Emergency Response Team Coordination Centre based at Carnegie Mellon University in Pittsburgh. "Most businesses [in the U.S.] had anti-virus software in place," he said. In addition, a month before April 26, the Melissa virus had run rampant through corporate America, reminding the lax that system security needs to be up to snuff, said Dan Schrader, director of anti-virus firm Trend Micro Inc.'s security portal division. Because of Melissa, "the U.S. was surprisingly well off," he said.
While anti-virus firms and virus experts do not expect May 26 to be a repeat of April 26, they warn that the threat of computer viruses remain. "Five years ago, viruses traveled by foot," said Steve Trilling, the director of the Symantec Anti-virus Research Centre. "Today, something like Melissa travels around the world in a few hours, automatically. Technology is enabling the viruses to be more deadly and move faster."