Experts Warn Computer Users of New Data-Destroying Virus

Computer experts posted a warning Friday about a malicious computer virus dubbed CIH/Chernobyl, expected to hit Monday, that can erase a computer’s hard drive or prevent the equipment from restarting.

The CIH virus is far more dangerous to individual computers than Melissa, the much-publicized bug that spread relatively benign problems far and wide on the Internet last month.

Carnegie Mellon University’s Computer Emergency Response Team said it issued a warning after “getting a number of requests for information” about the CIH virus. The warning can be read on the CERT Web site at https://www .cert.org.

Most up-to-date virus software can spot and destroy the bug, the experts noted, and several companies offer free inoculation tools on their Web sites.

The virus is a malicious piece of software code that has been turning up in PCs for months, but this version is the most feared variation.

The so-called CIH or “space filler” virus originated in Asia last summer and hits on the 26th of each month. The CIH 1.2 version that appears only once a year in April is the “most prevalent and dangerous” form of the virus, according to Sal Viveros, marketing vice president for Network Associates Inc., the largest computer security company.

The CIH virus can irretrievably destroy data on a user’s computer and even make the machine inoperable.

It gets the name “space filler” because it uses a special technique that secretly fills file space on computers and thwarts many of the anti-virus software programs in place before its arrival. The virus is also called the Chernobyl virus because it is timed to go off on the anniversary of the Russian nuclear accident, one of technology’s worst disasters.

The virus is designed to hide from view by inserting itself into empty coding slots on a computer’s software utilities. Viruses are often detected because they use up extra space on hard drives, but the “space filler” helps CIH avoid that traditional method of detection. It can lie dormant for months before causing damage.

The April version of the virus is particularly damaging because it can also keep a computer from starting up by infecting the software on which all the PC’s programs depend: the basic input/output system, or BIOS. If the BIOS is infected, the computer will not start.

The CIH virus doesn’t spread as quickly as Melissa, however, because it requires a person to launch an infected program file to contaminate a computer. Melissa was automatically propagated by e-mail.

Carey Nachenberg, chief researcher at Symantec Corp.’s Antivirus Research Center, said one big risk from the Chernobyl virus stems from a potential infection on a company’s computer network, which could then spread to individual computers.

“If it gets on a corporate network and the volumes are not protected, it could spread very, very rapidly,” Nachenberg said.

Viveros noted that many corporate computers have the latest virus-fighting software because the Melissa scare prompted companies to upgrade.

Network Associates said its popular McAfee software recognized Chernobyl as early as June last year, and Symantec said its Norton Antivirus program identified Chernobyl before August.