OIT warns students of CIH computer virus

The Office of Information Technology issued a computer virus warning to Windows 95/98 users on the Williams College campus on November 20. The virus, called Win95.CIH, affects users of Microsoft’s Windows 95 or 98 programs, but not Windows NT.

According to Seth Rogers, the desktop support specialist at the Office of Information Technology, the virus lies dormant within a computer’s components until the 26th of any month, when it becomes active and destroys the computer’s hard drive and other systems.

“We suspect many student machines are infected. We know of six cases for sure,” said Rogers.

According to Chief Technology Officer Perry Hanson, Win95.CIH is a very dangerous virus. “This virus is more serious than other viruses because it can lead to very expensive hardware repairs,” Hanson said. “It is on campus now and for the most part being caught in a timely manner.”

The CIH virus, which originated in southeast Asia, has already affected many computers on campus, including computers in administration offices. At the time the warning was issued, the virus had been detected and reported to OIT more than 110 times, once for each time it tried to upload itself to the Jesup servers. Reports of more cases of the virus are expected in coming days. In order to prevent the virus from destroying more computers, the Office of Information Technology posted directions on how to install an anti-virus program from the Williams network.

“This can render your entire motherboard useless,” Geraldine Shen ’01 complained. “My computer is infected badly with the stupid virus.” Shen found her computer was infected when a Student Technology Consultant (STC), Nathan Foster ’01, told her to visit http://housecall.antivirus.com/. Housecall allows users to check their computers for viruses over the web.

“The recommended method for determining whether the virus is present on a computer is to download f-prot version 4.52 from the NetWare Application Launcher,” Rogers said. “Running this virus checker on an uninfected machine will turn up no viruses. Running this on an infected machine will actually infect the f-prot.exe but will indicate whether the machine is infected.”

According to information available on the Symantec webpage, the CIH virus works by attaching itself to unused space in files on the computer. When those files are opened, the virus infects the computer’s memory, in turn infecting any other files opened on the computer. The virus works by modifying software such as FlashBIOS, which regulates data flow within the computer’s systems, and can even prevent the computer from being turned on.

“The CIH virus is for real,” Rogers said. “If left untreated it can make the motherboard of a computer unusable by rewriting the data on the BIOS chip. It affects Windows machines, although it can infect Macs running Virtual PC.”

Computer viruses consist of program code that may alter pieces of a computer’s operating system. They can breach security, erase files, and destroy data. These computer “infections” were dubbed viruses because they are capable of self-propagation. Once a virus has been released into a computer’s operating system, it is capable of recreating itself, infecting more parts of the computer and causing further damage.

Hanson said, “We find and deal with dozens of viruses every day, but can’t handle ones that folks download directly from the Internet to their personal computers. Most of the problems come from such downloads.”

Two of the best ways to prevent and deal with infection by a computer virus are backing up files regularly and installing a good anti-virus program.

“When I hear ‘virus’, I think ‘do I have a good backup?’ and ‘is my virus scanner up to date?’,” said Hanson.

Hanson said in order to protect a computer from infection by a virus, it is important to have a reliable anti-virus program installed. Anti-virus programs are available from a large number of companies, most of which have websites offering free sample software downloads. A good anti-virus program can be regularly updated via the web, and will prevent viruses from infecting a computer’s components by inoculating the computer system against them.

“Virus scanners are programs that scan for ‘virus signatures.’ These programs identify a virus by matching its ‘signature’ or uniqueness with a virus definition file. Whenever a new virus is discovered, the virus definition database is updated,” said Hanson.

The Office of Information Technology has a license for Windows 95 that allows faculty, staff, and students to install Command’s F-Prot anti-virus program. The name of the virus program is “Command AntiVirus 4.52.” F-prot.exe is the file that does the checking when Command 4.52 is run.

“The version number is the important part. We want everybody to have the latest,” said Rogers.

He added that the Command anti-virus program can be installed from the network and that workers at Jesup are available for help with program installation or questions on virus infection.

Even Foster, an STC at Jesup, discovered the CIH virus on his system. He categorized the virus as being malicious enough to wreck an entire computer beyond recovery. “The only fixes that I’ve heard [if the virus executes] are to replace the actual BIOS chip or replace the motherboard.”

Hanson said infection with a computer virus can be a very frustrating experience. Often, the computer’s hard drive becomes completely unusable, rendering files inaccessible. This can mean years of work obliterated in an instant, unless the files were backed up. Backing up a file can be as simple as saving documents to a disk as well as to the computer’s hard drive. Files can also be saved to Novell NetWare file space.

“Linked to serious virus problem is backup. The problem is that many folks don’t have good backups, so when hardware problems arise or when a virus sticks its ugly head in, recovery can be a nightmare,” said Hanson.

“I routinely put my files on a NetWare server and put copies on a floppy,” he added. “One of Murphy’s Laws is that ‘whatever can go wrong will go wrong.’ ”

According to Hanson, the danger comes not from the network directly, but from files and attachments passed along over the network.

“A computer can be infected over a network like ours, but our network is not the problem—it’s just carrying the bits from the outside world to someone’s computer,” he said.

Although files on the network servers are scanned three different ways and at different times, an infected file can still get passed along via the network.

“If you copy a file from the Internet (somewhere else in the world) to your personal computer directly, a virus may be hidden in or be part of the file,” Hanson said. “It can also come in as an attachment to an email—someone sends you a file as an attachment and the attachment is already infected. It gets passed on to you. We recommend saving the file to disk and making sure that you have a virus scanner running before you open or execute it.”

“The most likely method of infection is through downloading applications off of the Internet. No files on the Williams network are infected. If an infected file is uploaded to Achilles, it is quarantined immediately,” said Rogers.

The following is a list of URLs compiled by Mark Berman, Network and Systems Director, of sites with general information on viruses: