"This is the deadliest virus that we've ever seen," said a product manager for the U.S.-based company, which would only speak on condition of anonymity. "Between 10,000 and 20,000 of our customers could have been affected." It's one of the first reported sightings of the much discussed -- and feared -- CIH virus. The next trigger date for one variant of the software bomb is this coming Sunday.
When triggered, the virus reformats connected hard drives and, on susceptible computers, even causes the system BIOS chip to erase itself -- essentially making the computer "forget" its internal language.
The cure is to call in a specialized data recovery team to copy as many files as possible from the hard drive and send the motherboard -- with the damaged BIOS chip -- back to the manufacturer. Then pray.
Close call
"This bug kills machines dead," said the firm's product manager. The company's machines had been infected by the variant that activates on the 26th of every month, alternatively referred to as W95.CIH.1909 and W95.CIH1.4.
According to the manager, the company barely detected the virus before two infected updates were due to be posted on its Web site. The updates work automatically so anyone connecting to the site for an upgrade of their original files would have had their programs updated -- and infected.
"It took 90 people a year and a half to build this company," he said. "We almost lost it in a day."
Anti-virus firms were not surprised at the company's story.
"It's not a virus that's very prevalent," said Steve Trilling, director of research for the Symantec Anti-virus Research Center, "but when you get it, it spreads extremely quickly."
Caught barely in time
If the company hadn't detected the CIH bug, all of the customers who were updated by the company's Web site would have faced a blank screen on Sunday.
"We were damn lucky," said the product manager.
The virus was detected in the U.S. firm by a self-diagnostics program used to search for hacker activity.
"This virus infects just by copying [executable files]," said SARC's Trilling. "It's very unusual."
And that's a problem. An anti-virus program that is not up to date on the latest fixes can itself pick up the infection when run, then contaminate files as it opens and scans them looking for an intruder.
"It is very important for the user to either use a clean machine or boot using a clean floppy before scanning their machine with an anti-virus utility," said Trilling.
But another company has a different solution.
Trend Micro Inc. has an online utility that uses a Java or ActiveX app to scan a computer's hard drive for viruses, including CIH variants. This removes the worry about whether the user's PC is already infected.
Rare, but deadly
The worry is certainly real. Organizations hit by the CIH bug are hit hard, authorities said.
According to Trend Micro, one company in Italy lost 100 hard drives when the virus reformatted them. In Taiwan, a semiconductor firm found that 400 of its 1,000 PCs had been infected. Luckily, they caught the problem, and only 10 hard drives were reformatted by the virus.
Yet, while deadly, the CIH virus has not been all that common, said researchers.
"It's widespread -- meaning, it has hit many countries," said Nick Fitzgerald, editor of the Virus Bulletin, "but in the end, relatively few computers will be affected."
Fitzgerald figured out the code portion of the CIH bug that triggers the BIOS chip to erase itself.
To catch the bug
While the anonymous Internet entertainment company has eradicated the virus and is now "very uptight about scanning our machines," the firm still doesn't know from where "Machine Zero" contracted the CIH virus.
More than likely, that means the infected source file is still out there.
Windows 95 computers contract the virus, known as W95.CIH, by opening an infected executable, or .EXE, file. Three of the four variants trigger on specific dates (one on June 26 and two on April 26), while the fourth activates on the 26th of every month.
Trend Micro says CIH will affect Windows 98 executable files as well.








