Virus will trigger on thirteenth anniversary of Chernobyl disaster
Sophos FAQ
What is CIH?
CIH is a family of computer viruses which infect Windows 95/98
programs. If you run an infected program on your computer, the
virus will become active and begin to copy itself into other
programs (EXE files) on your system. The virus usually replicates
very quickly, so you will probably soon have hundreds of infected
files on your computer.
How does CIH spread?
Any program you receive from outside your computer could
potentially be infected. Once you are infected, the virus will soon
spread throughout your computer, and so the chance of your passing
an infected file to someone else is high.
How common is it?
Even though the first reports of CIH appeared only around the
middle of 1998, the virus reached the Number Two spot on the
Sophos Virus Top Ten for the whole of 1998. It was third in January 1999, and
fourth in February 1999. This means it is very common indeed.
Why is it so widespread?
Programs infected with CIH have been seen on a number of cover CDs
from reputable magazines, and on a number of reputable websites.
This has certainly helped the virus achieve wide
distribution.
What does CIH do?
Normally, CIH simply spreads itself. But on certain trigger dates,
it detonates its warhead. The warhead wipes out your hard disk, and
then tries to overwrite the computer's BIOS chip. Once the BIOS is
overwritten, you will be unable to use your computer at all. Repair
involves physically removing the BIOS chip and replacing it with a
fresh one. On some computers, the BIOS chip is not removable, so it
can only be replaced by swapping the entire motherboard.
What are the trigger dates?
There are several variants of CIH, with different trigger
conditions. The best known, and most widespread, variant will
detonate on 26 April. Other variants detonate on 26 June, or even
on the 26th of any month.
Which operating systems are vulnerable?
CIH spreads under Windows 95 and Windows 98. DOS and Windows 3.x
cannot spread CIH because they cannot run Windows 95/98 programs.
Windows NT cannot spread CIH because the virus uses programming
tricks that do not work under NT. The virus can infect Windows NT
programs, but such programs will no longer run, and will therefore
not be infectious themselves.
How can I prevent it?
Use reputable anti-virus software which can accurately identify
CIH. Use the preventative component of your anti-virus software,
not just the component that can detect viruses. For Sophos
Anti-Virus, this means you should make sure you are using
InterCheck (which will actively prevent viruses, including CIH) on
all your computers. Your goal is not just to avoid having your
computer damaged by CIH on 26 April, but to avoid being infected at
all - by CIH or any other virus.
Where can I get anti-virus software?
Go to the Download section of this
website. You can download Sophos Anti-Virus free of charge. But
don't just get it, use it!
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.