First published: 23rd March 2000
Last year, on April 26th, hundreds of thousands of computers were wiped out around the world by W95/CIH.1003. Asia was particularly badly hit. In Hong Kong, it was the biggest ever computer virus activation event with, by some estimates, about 1000 machines affected. The real figures will never be known, for example we continued to receive second-hand reports months afterwards from computer dealers who found that people were upgrading their computer's motherboards rather than repairing the damage caused.Now we are approaching the anniversary of this disaster, and the virus will activate again (there are, in fact, three known variants of CIH, but only the one that activates on April 26 has become common). This is a wake-up call for people to prevent a repeat of last year.
Realistically, it is unlikely that as many machines will be affected as in 1999. On the machines where it activated, the virus effectively killed itself along with the machine. Additionally, many people updated their anti-virus software at that time. The anti-virus researcher Jimmy Kuo has estimated that there will be one-tenth of the activations there were last year. Therefore, in Hong Kong, there might be 100 machines wiped. This is not a large number, unless one of those is your machine!
We do know that CIH is still around and spreading. Worldwide, anti-virus researchers are still seeing it, and locally we were contacted last week by a school's computing officer concerned that files infected with CIH were appearing on machines used by students. In this case, the source was suspected as either infected downloads from the Internet, or game CDs carrying the virus. Some people are surprised that legitimate CD-ROMs might contain a virus, but this is dependant on security at the developer's site, and mistakes do happen. There were several known incidents of CIH infected game CDs before the CIH activation last year, and, as it is impossible to modify a CD after it is made, copies of these will still be infected.
This is not a cause for panic. Any reasonable anti-virus software that has been correctly installed and updated within the last 18 months will be able to detect CIH. However, it is apparant that many people are not taking sensible precautions against computer viruses.
To help, here are some questions and answers:
1. Where can I find out more about CIH?
http://www.f-secure.com/v-descs/cih.shtml
2. I don't have anti-virus software installed because I can't afford it, what should I do?
At least protect yourself over this vulnerable time. Most anti-virus vendors have a (time-limited) trial version available at their website, download one of these and install it. In the longer term, consider the value of your data and time against the cost of anti-virus software.
3. I have anti-virus software installed, but is it working?
You can safely test that your anti-virus software is working by using the EICAR Standard Anti-Virus Test File. This is a small program that is not a virus, but the anti-virus developers have agreed to detect it as if it was. Try running this program on your machine, if your anti-virus software warns you that it has found the EICAR Standard Anti-Virus Test File, and prevents the program from running, it is working correctly. If the program runs, your anti-virus software is not working properly. Get the test file, and a full description at:
http://www.eicar.org/anti_virus_test_file.htm
4. How can I be sure my anti-virus software will detect CIH?
There is no safe way for an end user to test this, ask your anti-virus vendor.
5. It is the 26 April, and my machine has stopped working, what should I do?
Don't Panic.The damage to your hard disk data caused by CIH can usually be largely repaired using specialist data recovery tools, contact a data recovery expert for help. If CIH has succeeded in overwriting the flash BIOS (this depends on the motherboard's chipset) you will need to return the motherboard to your dealer or manufacturer for BIOS replacement. Also remember that computers fail for many reasons, this could be caused by a different problem.
6. Is CIH the only computer virus I should be concerned about?
No. There are many computer viruses, and more are discovered every day. Some of these can cause serious damage to your programs and data, and some are known to be successfully spreading throughout the world. This warning has highlighted CIH because it causes serious damage, it is known to be "in the wild" and it's activation date is approaching, so it represents the currently most serious problem.