CIH virus causes little permanent damage
August 28, 1998
by Tom Diederich
(IDG) -- A strain of the malicious CIH virus struck at least 750 Windows-based PCs in the U.S. yesterday, but one data recovery firm said that nearly all of the damage can be repaired in a vast majority of the cases.
The original CIH virus, PE_CIH Version 1.2, was first found in Asia on April 26 and has appeared in virtually every country since. The 26th of each month apparently is significant for the virus' creators, who designed PE_CIH Version 1.3 to execute on June 26 and -- for Version 1.4, dubbed Win95.CIH.1019 -- to come to life on the 26th of every month starting last month. All three variants have affected PCs running either Windows 95 or Windows 98 and were activated when users booted up their PCs.
The virus, in addition to attacking data on the hard drive, attempts to rewrite -- and therefore destroy -- a PC's flash BIOS ROM, said Stuart Hanley, vice president of worldwide operations at Ontrack Data International, Inc. in Minneapolis.
"This virus destroys the first megabyte of data on the drive -- the front end of the drive," Hanley said. "That's where critical structures reside, like the master boot record, partition information and the boot partition block. File allocation tables can also be wiped out."
But that data often can be recovered, Hanley added. "It's clear that in many cases, just about 100% of the data can be recovered."
Hanley said his firm saw less than half a dozen PCs infected with Win95.CIH.1019 last month. He admitted that yesterday's attack caught him somewhat off guard.
"I was surprised when the calls started coming in around midday," he said. "To be honest, I didn't quite expect what we saw today." That may be because last month, the 26th fell on a Sunday. This month, the date fell on a Wednesday, a workday for most people and companies.
A Microsoft Corp. spokesman said the CIH virus infects executable files. He recommended that users use the latest versions of antivirus software and avoid opening attachments sent via E-mail from unknown sources.
Hanley agreed that prevention was key. He said the customers who called yesterday could have saved themselves time and money if they had used antivirus software. Of the 750 infected PCs seen yesterday, he said one firm had 500 units that had been crippled by CIH. Although he refused to name the firm or its location, he said that about 80% of its computers had been affected.
Ontrack has a remote data recovery service and four facilities in the U.S. where customers can take sick PCs for data repair -- provided that the computers' BIOS hasn't been affected. That was the case in 300 of the 750 units seen yesterday, Hanley said.
Home users can expect to pay between $400 and $1,100 for repair work, depending on the extent of the damage. Volume discounts are available for organizations, he added.
Igor Grebert, senior virus researcher at Trend Micro, Inc. in Cupertino, Calif., said CIH, like other notorious viruses, will soon be history. "I would expect that in the next few months, people will be protected and we won't hear of it again," he said.
"It's one of those nasty viruses that seems to be pretty successful. It's not a major infection, and it's not getting worse and worse, but it is spreading little by little."
Trend Micro has a free online service called HouseCall that will root out and kill CIH and other viruses, Grebert said.
© 2000 Cable News Network. All Rights Reserved.