Sophos

10 March 1999

Network nuke set to blow 26 April 1999

Virus will trigger on thirteenth anniversary of Chernobyl disaster

Sophos FAQ

What is CIH?
CIH is a family of computer viruses which infect Windows 95/98 programs. If you run an infected program on your computer, the virus will become active and begin to copy itself into other programs (EXE files) on your system. The virus usually replicates very quickly, so you will probably soon have hundreds of infected files on your computer.

How does CIH spread?
Any program you receive from outside your computer could potentially be infected. Once you are infected, the virus will soon spread throughout your computer, and so the chance of your passing an infected file to someone else is high.

How common is it?
Even though the first reports of CIH appeared only around the middle of 1998, the virus reached the Number Two spot on the Sophos Virus Top Ten for the whole of 1998. It was third in January 1999, and fourth in February 1999. This means it is very common indeed.

Why is it so widespread?
Programs infected with CIH have been seen on a number of cover CDs from reputable magazines, and on a number of reputable websites. This has certainly helped the virus achieve wide distribution.

What does CIH do?
Normally, CIH simply spreads itself. But on certain trigger dates, it detonates its warhead. The warhead wipes out your hard disk, and then tries to overwrite the computer's BIOS chip. Once the BIOS is overwritten, you will be unable to use your computer at all. Repair involves physically removing the BIOS chip and replacing it with a fresh one. On some computers, the BIOS chip is not removable, so it can only be replaced by swapping the entire motherboard.

What are the trigger dates?
There are several variants of CIH, with different trigger conditions. The best known, and most widespread, variant will detonate on 26 April. Other variants detonate on 26 June, or even on the 26th of any month.

Which operating systems are vulnerable?
CIH spreads under Windows 95 and Windows 98. DOS and Windows 3.x cannot spread CIH because they cannot run Windows 95/98 programs. Windows NT cannot spread CIH because the virus uses programming tricks that do not work under NT. The virus can infect Windows NT programs, but such programs will no longer run, and will therefore not be infectious themselves.

How can I prevent it?
Use reputable anti-virus software which can accurately identify CIH. Use the preventative component of your anti-virus software, not just the component that can detect viruses. For Sophos Anti-Virus, this means you should make sure you are using InterCheck (which will actively prevent viruses, including CIH) on all your computers. Your goal is not just to avoid having your computer damaged by CIH on 26 April, but to avoid being infected at all - by CIH or any other virus.

Where can I get anti-virus software?
Go to the Download section of this website. You can download Sophos Anti-Virus free of charge. But don't just get it, use it!

About Sophos

Sophos enables enterprises all over the world to secure and control their IT infrastructure. Sophos's network access control, endpoint, web and email solutions simplify security to provide integrated defenses against malware, spyware, intrusions, unwanted applications, spam, policy abuse, data leakage and compliance drift. With over 20 years of experience, Sophos protects over 100 million users in nearly 150 countries with its reliably engineered security solutions and services. Recognized for its high level of customer satisfaction and powerful yet easy-to-use solutions, Sophos has received many industry awards, as well as positive reviews and certifications.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com