April 23, 1999 Web posted at: 2:43 p.m. EDT (1843 GMT) by Emily Fitzloff

From...

INTERACTIVE Are you protected against the CIH 1.2 virus? Yes No View Results  ALSO    Network Associates ranks virus threats    Sign up for the Computer Connection email service    For more computing stories

(IDG) -- A fiercely destructive virus that may already be sitting dormant in the memory of computer users' systems is expected to become active Monday, April 26.

The virus, which is called CIH 1.2 and infects Windows 95 and 98 .EXE files, is not nearly as prevalent or easy to spread as the recent Melissa virus, but is significantly more destructive to the computers it does infect because it goes directly to the hardware.

According to Steve Trilling, director of research at the Symantec Anti-Virus Research Center, the payload of CIH 1.2 "will not only delete programs from your hard drive, but it can over-write flash BIOS and totally destroy the motherboard."

Although CIH 1.2 is much more slow moving than the more common macro viruses, its threat is higher because it typically goes undetected, according to Sal Viveros, group marketing manager for Network Associates' Total Virus Defense product line.

CIH was first discovered in summer 1998 in the Far East, according to Symantec's Trilling, who explained that viruses tend to be most threatening within the first six months of release.

"Because CIH is now in its eighth month, the threat has been significantly reduced," Trilling said.

CIH, however, does have the strength to destroy the hard drives of infected computers when they are booted up on April 26. Some observers have speculated that the payload release date is designed to coincide with the 13th anniversary of the nuclear meltdown in Chernobyl.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
InfoWorld home page
InfoWorld forums home page
InfoWorld Internet commerce section
Get Media Grok and The Industry Standard Intelligencer delivered for free
Reviews & in-depth info at IDG.net
IDG.net's personal news page
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for IT leaders
Search IDG.net in 12 languages
News Radio
	Fusion audio primers
	Computerworld Minute

According to Viveros of Network Associates, March's relatively benign Melissa may have been a blessing in disguise for U.S. computer users.

"Most U.S. users updated their anti-virus solutions because of Melissa, so they are safe," Viveros said.

All of the leading anti-virus products have been aware of CIH 1.2 since last summer, so people who have updated their systems since then will have the current fix for CIH 1.2 and should be safe, according to Viveros, who also remarked that the virus has been extremely prevalent in Asia.

Computer users who are unsure whether their systems may be carrying the CIH 1.2 virus, especially those who have not been updating their anti-virus systems regularly, should contact their anti-virus solution provider.

Symantec is offering a fix called Kill CIH that can be downloaded from www.symantec.com (link below). Fixes are also available from Sophos, Network Associates, and others.

One Microsoft representative said the software company's products had no particular vulnerabilities to the CIH virus, and updated versions of Windows-based anti-virus software should keep Windows clean of it.

"It can run Windows 95 and Windows 98," the representative said. "The virus payload cannot run on NT systems. It could infect, but not run on, NT."

To Windows users, Microsoft recommended standard virus protection measures -- using up-to-date scanning software, employing code-signing safeguards, and not accepting floppy disks or executables from unknown sources.

Emily Fitzloff is an InfoWorld senior writer.