BIOS Virus Turns PCs into Paperweights

By MITCH WAGNER

Antivirus experts are warning users against an insidious new virus that can corrupt flash memory used to store a personal computer's BIOS, rendering the system unusable.

When the flash memory is corrupted, the PC can't be booted, which means the flash memory can't be reprogrammed in place. In many cases, users struck by the Win95/CIH virus will have to physically replace the flash memory chips on their motherboards--or for soldered chips, replace the entire motherboard--in order to repair the damage. That makes the virus very different from, and more harmful than, previous viruses which affect only hard disks and memory.

To protect against infection, experts urge users to obtain the latest updates of their antivirus software, such as Network Associates Inc.'s VirusScan, Symantec Corp.'s Norton AntiVirus and Dr Solomon's Inc.'s AntiVirus, which will detect and eliminate the virus before it strikes.

"On certain chip sets, the virus will flash the BIOS," said Shane Coursen, senior technology consultant for antivirus software vendor Dr Solomon's.

"Win95/CIH will make a machine completely, fundamentally, dead," said Nick FitzGerald, editor of U.K.-based Virus Bulletin magazine. "You turn the power on, and you hear the hard drive and fans spin up, but nothing else happens."

The Win95/CIH virus comes in several strains, one of which is set to go off on the 26th of every month. Fortunately, the 26th of July occurred on a Sunday, when few companies are open for business, so antivirus experts last week said damage was expected to be limited.

The virus attacks only Windows 95 and Windows 98 systems, not Windo ws NT. It also is hardware-specific, affecting some PCs and not others. Some boards can have their flash memory write-disabled, making them immune to the virus, FitzGerald said. Because systems vendors get their motherboards from a variety of sources, it's not easy to predict which vendors' PCs are susceptible to harm.

"We are certain that in certain configurations and a very small percentage of the time," the virus can rewrite the flash memory said Vincent Gullotto, manager of McAfee Labs for Network Associates.

In addition to the flash-memory damage, Win95/CIH carries a more conventional payload, which overwrites data on the boot records of a hard disk. FitzGerald said the damage done by Win95/CIH to computers worldwide is likely to be small. But he also admitted he can't say for sure.

"The virus doesn't seem to be horribly widespread," said Dave Chess, a virus researcher at IBM's Watson Research Center. "We've had no reports of damages to our customers from it."

Carey Nachenberg, chief viru s researcher at the Symantec Anti-Virus Research Center, said that Microsoft Office macro viruses are far more likely to be transmitted than a virus that infects executable code, like Win95/CIH.