A fiercely destructive virus that may already be sitting dormant in the memory of computer users' systems is expected to become active Monday, April 26.
The virus, which is called CIH 1.2 and infects Windows 95 and 98 .EXE files, is not nearly as prevalent or easy to spread as the recent Melissa virus, but is significantly more destructive to the computers it does infect because it goes directly to the hardware.
According to Steve Trilling, director of research at Symantec's Anti-Virus Research Center, the payload of CIH 1.2 "will not only delete programs from your hard drive, but it can overwrite flash BIOS and totally destroy the motherboard."
Although CIH 1.2 is much more slow-moving than the more common macro viruses, its threat is higher because it typically goes undetected, according to Sal Viveros, group marketing manager for Network Associates' Total Virus Defense product line.
CIH was first discovered in summer 1998 in the Far East, according to Symantec's Trilling, who explained that viruses tend to be most threatening within the first six months of release.
"Because CIH is now in its eighth month, the threat has been significantly reduced," Trilling said.
CIH, however, does have the strength to destroy the hard drives of infected computers when they are booted up on April 26. Some observers have speculated that the payload release date is designed to coincide with the 13th anniversary of the nuclear meltdown in Chernobyl.
According to Viveros of Network Associates, March's relatively benign Melissa may have been a blessing in disguise for computer users for most updated their antivirus solutions because of the virus.
All of the leading antivirus products have been aware of CIH 1.2 since last year, so people who have updated their systems since then will have the current fix for CIH 1.2 and should be safe, according to Viveros, who also remarked that the virus has been extremely prevalent in Asia.
Computer users who are unsure whether their systems may be carrying the CIH 1.2 virus, especially those who have not been updating their antivirus systems regularly, should contact their antivirus solution provider.
Symantec is offering a fix called Kill CIH that can be downloaded from http://www.symantec.com/avcenter/. Fixes are also available from Sophos, Network Associates and others.
One Microsoft representative said the software company's products had no particular vulnerabilities to the CIH virus, and updated versions of Windows-based antivirus software should keep Windows clean of it.
"It can run Windows 95 and Windows 98," the Microsoft representative said. "The virus payload cannot run on NT systems. It could infect, but not run on, NT."
To Windows users, Microsoft recommended standard virus protection measures -- using up-to-date scanning software, employing code-signing safeguards, and not accepting floppy disks or executables from unknown sources.