Last significant update: 24 April 1999
This information can be freely reproduced in any medium, as long as the information is unmodified.
The following text was written and posted to the "PC Antivirus Update"
(PCAVU) X.500 email group at U-M on 6 April 1999; we first sent out an alert
about CIH to that email group on 10 July 1998.
=======================================================================
There is a particularly nasty virus named W32.CIH; it comes in several versions. The payload date varies, but when it triggers, it will zap the hard drive so that data is overwritten (making data recovery impossible, except perhaps by an expert), and it will attempt to overwrite the FLASH BIOSes used by most computers nowadays.
While someone with specialized hardware might be able to fix the latter, for the common computer user, this means that the motherboard must be replaced. So while this second payload of the virus does not always work, you really want to make sure it doesn't bite you -- the hard drive trashing is bad enough.
Why do I bring this up now, you ask? Well, two things: We've seen this virus at U-M, and the most common variant of CIH strikes on April 26th of any year.
DSAV has known this virus for almost a year now, but why take chances? For this and other reasons, PLEASE UPGRADE YOUR ANTIVIRUS SOFTWARE SOON -- at your earliest convenience, and certainly before April 26th. Thanks.
News flash: Just learned that a bunch of IBM Aptivas shipped from
the factory with this virus -- if you happen to have one of these,
you might want to look at their press release at Yahoo (leaving our site).
=======================================================================
Subsequent to the post above, I've added the following:
This virus has recently become known as "Chernobyl", due to a very unfortunate and inappropriate faux pas by some overzealous antivirus marketroids. While April 26th is indeed the anniversary of the Chernobyl nuclear disaster, the payload has nothing to do with this -- any more than it does with the facts that Carol Burnett and John James Audubon were born on that day, that in 1874 the Georgia General Assembly added April 26th as "Confederate Memorial Day", or that on that day in 1998, the Cornell Freshman Second Eight Lightweight Crew defeated Yale.
Somehow, calling the virus Cornell Freshman Second Eight or Carol Burnett just doesn't have the same scare value, does it? Hmmm. Would that lead to fewer sales, perhaps?
Note that the technical folks at these antivirus companies are not to blame for this. In fact, I bet they're plenty annoyed. But once out of the bag, the press has been quick to latch onto this alternative, inappropriate name.
On 29 April, credible news reports claimed that the author was one Chen Ing-Hau (CIH, get it?), then a student at Taiwan's Tatung Institute of Technology (TTIT, also included as a text string within the virus body).
No mention of Chernobyl at all, of course. See Infobeat's article (leaving our site) and The New York Times' article (leaving our site; requires free login).
For those of you who do not have access to U-M's software site license, F-PROT can handle CIH very nicely. Browse over here for more info on F-PROT.
For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like DataFellows (leaving our site).
For those of you unlucky enough to have gotten bitten by CIH, perhaps our U-M Data Recovery page would be of interest. In particular, see the Data Recovery Primer. We offer our sincere sympathies to any victims of this, and every other, virus.
-BPB