2nd May 1999
Who or what was behind the computer bomb?
By Frederica Jansz
Thirteen years ago, on April 26, Chernobyl exploded. The consequences were devastating as the nuclear power plant spread radioactive rays affecting tens of thousands in Ukraine.
Similarly, the fiercely destructive Chernobyl virus, which hit Sri Lanka last Monday, April 26, paralyzed systems and damaged personal computers beyond repair, while many machines sat brain-dead.
As the dreaded time bomb had remained dormant in some computers for months, it spread zillions of firepower when it activated on Monday causing disaster worldwide.
The bad news is that versions 1.2 and 1.3 of the CIH virus, which activated last Monday, are not the end of the nightmare.
According to Network Associates, version 1.4 of this feared saga will activate on the 26th of every month.
Speculation was rife globally as the computer hacker and instigator of this vile scheme was sought.
Computer hacking in the United States and most other countries is a felony. It is believed that some 300 viruses are generated monthly by computer hackers and enter network systems.
Images of mostly young but brilliant IT addicts sitting in front of their PCs, their faces twisted in anticipation, as they keep asking questions and inputting commands over and over and over, trying to break into computer systems and recover confidential information, were conjured up last week as world authorities looked for the destroyer believed to be responsible for this dastardly act.
As the disease spread like wildfire globally, some 150 computers were hit by the Chernobyl virus in Singapore which infected entire networks including the Television Corporation of Singapore. Turkey and South Korea each reported 300,000 computers damaged on Monday while some 10,000 computers in the United States were affected.
The virus spread its microbes infecting hundreds of computers in Sri Lanka and hitting some key organizations.
DHL lost 15 computers, Forbes Tea Department three, and NIIT, an Information Technology firm lost five machines. The total damage to personal computers cannot yet be estimated.
Prof. V.K. Samaranayake, Chairman of the Computer and Information Technology Council of Sri Lanka (CITEC), told The Sunday Times that at least 250 computers completely lost their memory as a result of the virus.
He said the 1.2 version of this virus which hit the world last week was particularly damaging because it kept a computer from starting up by infecting the software on which all PC programmes depended.
The basic input and output system (BIOS) was damaged including the hard drives of computers. He said the downside of this global village in Information Technology was that viruses had been threatening computer systems ever since the advent of the PCs two decades ago.
The transmission of a virus to a computer occurs through the internet and e-mail, illegal copies of software and floppies.
The Sunday Times probe will detail today piracy of software, a common practice by many PC users in Sri Lanka.
Known as W32.CIH 'Spacefiller', the virus originated in Taiwan and has been tracked down to a computer engineering student from The Tatung Institute of Technology. Chen Ing-Hau, according to the Dean of this college, wrote the fatal virus programme last April.
He did not come up with an anti-virus program.
Chen was punished by his college and given a demerit but not expelled.
The Bureau of Criminal Investigations in Taiwan will seek to question Chen who now serves in Taiwan's military service.
Hundreds of Sri Lankans were stunned and panic ridden last Monday when they opened their computers and found blank screens; the memory of their entire hard disk gone.
According to the Anti-Virus Emergency Team (A.V.E.R.T.) at Network Associates, the Chernobyl virus infects Windows 95 and 98 executable files and will quickly infect all the files of this type it can find.
When an infected file is run, the virus becomes memory resident.
It will then infect other files when they are copied or opened.
Infected files will be the same size as the original file because of the unique infection techniques used, so this makes the virus difficult to detect.
The virus will first look for empty spaces in the file, then it will break itself up into small fragments and hide in the file. The virus has two payloads. First, it will overwrite or delete information on the hard drive by using direct disk-write calls, bypassing BIOS virus protection, while overwriting the motherboard and boot sector.
The second payload has the ability to overwrite certain flash BIOS chipsets on some machines from a 486 through a Pentium II, which have flash BIOS. Some computers have a jumper on the motherboard which acts as hardware write protection.
Some machines also have a DIP switch, which allows the flashing BIOS to be disabled.
There are some newer computers that cannot be protected by the switch and therefore are vulnerable to the virus.
If this payload executes it will leave the PC inoperable unless the BIOS is restored or replaced.
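The same-size infection described above defeats any check that looks only at file length. The following is an added example, not part of the original article or of any vendor's scanner: it compares a size check with a hash check and also counts non-zero bytes in the padding at the end of each section of a Windows executable, which is where such "empty spaces" are normally found. The function names and the sample image are constructed for illustration.

```python
import hashlib
import struct

def section_slack(pe: bytes):
    """Return [(section, slack_len, nonzero_bytes)] for padding at the end of each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)           # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsect,) = struct.unpack_from("<H", pe, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                           # first section header
    report = []
    for i in range(nsect):
        ent = table + 40 * i
        name = pe[ent:ent + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _rva, raw_size, raw_ptr = struct.unpack_from("<4I", pe, ent + 8)
        # Bytes stored on disk beyond what the section actually uses.
        slack = pe[raw_ptr + vsize:raw_ptr + raw_size] if raw_size > vsize else b""
        report.append((name, len(slack), sum(1 for b in slack if b)))
    return report

def compare(baseline: bytes, current: bytes):
    """Contrast a size-only check with a hash check and a slack scan."""
    return {
        "size_changed": len(baseline) != len(current),
        "hash_changed": hashlib.sha256(baseline).digest() != hashlib.sha256(current).digest(),
        "suspect_sections": [n for n, _len, nz in section_slack(current) if nz],
    }

def build_sample(slack_fill: bytes = b"") -> bytes:
    """Constructed test image: headers plus one .text section, 0x80 bytes used of 0x200."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x46, 1)    # one section
    struct.pack_into("<H", img, 0x54, 0)    # no optional header in this toy image
    img[0x58:0x5D] = b".text"
    struct.pack_into("<4I", img, 0x60, 0x80, 0x1000, 0x200, 0x200)
    img[0x200:0x280] = b"\xCC" * 0x80       # stand-in for real code
    img[0x280:0x280 + len(slack_fill)] = slack_fill  # harmless marker bytes
    return bytes(img)

if __name__ == "__main__":
    clean, altered = build_sample(), build_sample(b"\xAA" * 64)
    print(compare(clean, altered))
```

Non-zero padding is only a lead for triage, since some linkers and packers leave data there; the hash mismatch against a known-good baseline is the reliable signal.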
Wild rumours prevailed last week as customers raged at their dealers who were equally confused as to what really had happened.
As PC owners were advised to purchase the latest version of Dr. Solomon's Anti-Virus Toolkit, which would act as a protection and also help detect the virus, sales soared for McAfee, the sole distributors for Dr. Solomon anti-virus packages. As a result, suspicion arose on whether this virus could have been spread by a company that manufactures anti-virus scanners in a bid to promote lucrative sales.
At least four computer vendors who did not wish to be identified said they suspected the virus originated from a particular company.
Mahesh De Silva, Product Manager of Computerland, the local agents for Dr. Solomon told The Sunday Times that within a space of four days the market demand for anti-virus scanners soared by as much as fifty percent. John Keells Software Technology by Thursday April 29, placed an order for virus scanners from Computerland to the tune of over Rs. 200,000.
Suresh Perera, General Manager, Wetherby Training Services (Lanka) Ltd, said this virus had been lying around for the past six months. He said the damage to computers was critical with no repair.
While in some cases the entire configuration of the computer had to be rewritten, in others he said the whole motherboard needed to be replaced which costs Rs. 8,000 to 10,000.
Many IT specialists were concerned that in Sri Lanka there exists no competent authority who would monitor and maintain a record of such impending disasters, thus enabling the public to be better prepared the next time around.
Mr. Perera said that while anti-virus scanners were a must in any computer, the problem with these guards was they need to be updated every six months. He said if original software was used and programmes were not pirated this too would act as a deterrent against devastating viruses. He claimed that Sri Lanka was flooded with pirated software.
The most common method of selling pirated programmes locally is to secure a copy of any software, make duplicates and sell it to others.
The practice is so common that most Sri Lankans are hardly aware or do not care that it is illegal.
Hard pressed for cash in many instances, it is a common practice in Asia particularly to buy software over the counter without bothering to install the original product.
Many Sri Lankans who own PCs are on friendly terms with their seller, so much so that in most instances the customer is given the software copy free of charge! After all, only the original manufacturer stands to lose in this game of wheeler dealing. (see box).
The absence of legal controls to curb piracy has resulted in some manufacturers devising foolproof mechanisms.
These range from using password protection to introducing hidden viruses, which would cause an entire system to crash when introduced into the computer; some even utilized the internet to locate unauthorized running of their software.
Meanwhile Nishantha Abeywardena, Customer Support Manager at Lanka Internet, said the phone lines to their 24 hour help desk were clogged from about 1. on Monday till 8 p.m. that night, with desperate, confused and panicking customers seeking help for PCs that had just gone on the blink.
He said more than 30 customers had machines that got messed up. He said any form of "physical contact" a computer might have with the outside world would invite the virus into its hard disk.
The most common method of catching the plague is through e-mail and the internet when dialling out through a phone line and while downloading file attachments. "It is like a chain letter," Mr. Abeywardena said. "The CIH virus when activated will trigger off chain reactions that cannot be controlled."
The sole method of protection is to have the very latest updated virus guard version running on your machine and buy original software instead of pirated copies, he said.
Computer users who are unsure whether their systems may be carrying the CIH virus should contact their provider for solutions on anti-virus systems, and should not accept floppy disks or executables from unknown sources, he said.
One Microsoft representative has told reporters that the software company's products had no particular vulnerabilities to the CIH virus, and updated versions of Windows-based anti-virus software should keep Windows clean of it.