The worst computer virus epidemic in the brief history of the technological age has swept across campus and the nation since Monday, flooding inboxes with infected e-mails and bringing e-mail systems to a virtual standstill.
Known as MyDoom, the virus spreads through e-mail and Kazaa and will cause infected computers to attack the main web pages of Microsoft and the SCO Web Group on February 1.
MyDoom is a worm, or a program that replicates itself from one computer to another, compromising each computer’s security. When the worm infects a PC running Windows, it installs a “back door” that allows hackers to control the computer remotely. The back door also allows hackers to route their internet connections through the infected computers, hiding the source of an attack.
Network Services and Information Technology (NSIT) responded to the threat on Tuesday by taking infected computers off the campus network and posting software on their support page that “de-worms” an infected computer. NSIT is also blocking e-mail attachments that are likely to carry the virus.
Barry Johnson, the manager of information systems for residence halls and commons, said the infection does little damage and is relatively easy for the user to clean. Still, Johnson said students should be concerned about infection from the virus because “they may be held accountable for their computer’s use.”
Because the virus does not make itself immediately apparent to infected users, many students first discover the virus when Johnson’s staff e-mails them or NSIT closes their internet connection.
Johnson is encouraged that the rate of infection on campus seems to have already peaked at a 5 to 10 percent infection rate in the residence halls. “I read this as a sign that users are learning not to open e-mail attachments without the certainty of the contents,” Johnson said.
Ian Sefferman, a second-year in the College and the web designer of www.iseff.com, said that the University community might lack enough awareness of the virus to protect itself from infection. “NSIT is displaying the information correctly on the website, but they’re not getting the information to the students correctly. I feel like NSIT could send out more e-mails more regularly to alert students,” Sefferman said.
Gerald Doyle, a resident head for Broadview and associate director in the Office of College Admissions, said that e-mails are not enough to effectively warn the student body. He suggested posting signs around elevators and mailrooms to increase student awareness in housing. “The costs of putting up eight signs are not very great. The cost for someone to de-bug their computer is great,” Doyle said.
Though the rate of campus infections is decreasing, MyDoom will not be forgotten soon. The sheer size and swiftness of the attack, coupled with the fallout of infected computers continuing to attack company websites, could mean that the effects of MyDoom will last for months or years, according to news.com.
News.com.com reported that internet-monitoring firm Keynote said overall internet performance speed dipped by 8 or 10 percent of its normal capacity on Tuesday, when the first wave of MyDoom was at its peak. E-mail service provider MessageLabs estimates that one in every 12 e-mails sent through the Internet late Monday and Tuesday contained the MyDoom virus. The second most prevalent e-mail virus, known as SoBig.F, was carried in one out of 17 e-mails during its peak last fall quarter.
As the virus began to circulate last Monday, another variant, dubbed MyDoom.B, began to spread through the internet. Antivirus experts said that the second version is spreading through the back doors created by the first. While MyDoom.A will attack only SCO, the second variant is aimed at Microsoft’s web site. It blocks infected computers from accessing a list of 65 computer security web sites where they can download anti-virus software.
SCO has offered $250,000 to anyone with information leading to the arrest of those responsible for MyDoom. Darl McBride, president and CEO of SCO, said in a statement that this activity was a crime harming not just SCO, but organizations and companies around the world.
According to news.com.com, many believe that supporters of Linux, an open-source operating system and a popular alternative to the Windows operating system, orchestrated this and previous non-virus attacks against SCO’s website. SCO recently claimed that key parts of the Linux operating system are covered by its Unix copyrights.
Microsoft was slow to place its own bounty on the MyDoom author. In early November, Microsoft offered $5 million to reward information leading to the conviction of virus writers. Microsoft also offered two $250,000 rewards for information leading to the apprehension of the individuals or groups who created Sobig.F and the MSBlast attack from last summer.
Though the FBI says that current rewards have given them leads, companies usually have little success with catching virus authors. At first Microsoft did not offer a bounty for the MyDoom virus, explaining that it was too early to make a decision. However, after examining the second variant of the virus launched Wednesday, Microsoft determined it sufficiently malicious to warrant a bounty, according to news.com.com.
News.com.com reported that Microsoft is experienced at dodging the kind of denial-of-service attack that MyDoom will begin propagating on February 1. When MSBlast attempted to bring down windowsupdate.com, Microsoft sidestepped the attacks by removing the target addresses from the Internet’s domain name service.
But according to the online version of the technology magazine Wired, Keynote analysts say Microsoft and SCO can do little to stave off this attack besides hoping that individual users purge their computers of MyDoom. Starting on February 1, each of the thousands of infected computers will send requests to the companies’ front pages at the rate of one per second, presumably overwhelming the servers and making the sites inaccessible.
On February 12, the denial of service attacks will abruptly stop, though the back doors in infected computers will remain open indefinitely.
The messages carrying MyDoom commonly have the subject lines “hello,” “hi,” “test,” or “Mail Delivery System.” When opened the message often reads: “The message contains Unicode characters and has been sent as a binary attachment,” encouraging curious users to open the attachment.
When opened, the virus opens Windows’ Notepad and fills it with random data. After combing the computer for e-mail addresses, it e-mails itself out to other users.
If the user has Kazaa, the virus then copies itself into the folder where users store shared files. On the Kazaa download directory, the virus is disguised as “Winamp5,” “icq2004-final,” “Activation_Crack,” “Strip-gril-2.0bdcom_patches,” “RootkitXP,” “Officecrack,” and “Nuke2004.”
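As an added example (not code from the article, NSIT, or any vendor named here), the lure traits described above turned into a small mail-triage heuristic: it flags a message only when one of the quoted subject lines or the quoted body text is paired with an attachment, and it checks a Kazaa shared folder listing for the disguised filenames. The sample message, its attachment name and the folder listing are constructed.

```python
# Added example, not from the article: a triage heuristic for the MyDoom lure.
import email
import os
LURE_SUBJECTS = {"hello", "hi", "test", "mail delivery system"}
LURE_BODY = ("the message contains unicode characters and has been sent "
             "as a binary attachment")
KAZAA_LURE_NAMES = {  # stems of the disguised copies in a Kazaa shared folder
    "winamp5", "icq2004-final", "activation_crack",
    "strip-gril-2.0bdcom_patches", "rootkitxp", "officecrack", "nuke2004",
}
# Constructed sample lure (the attachment name is made up).
LURE_SAMPLE = """Subject: Mail Delivery System
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

The message contains Unicode characters and has been sent as a binary attachment.
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="attachment.bin"

AAAA
--XX--
"""

def lure_indicators(raw):
    """Return the lure traits present in one raw message, in detection order."""
    msg = email.message_from_string(raw)
    found = []
    if (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS:
        found.append("lure subject")
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            if LURE_BODY in text.lower():
                found.append("lure body text")
    if any(part.get_filename() for part in msg.walk()):  # any attached file
        found.append("attachment")
    return found

def is_suspected_mydoom(raw):
    """A bare 'hi' is not enough: require an attachment plus a lure trait."""
    found = lure_indicators(raw)
    return "attachment" in found and len(found) >= 2

def kazaa_share_lures(filenames):
    """Shared-folder entries whose name (minus extension) is a known disguise."""
    return sorted(n for n in filenames if os.path.splitext(n)[0].lower() in KAZAA_LURE_NAMES)
```

A benign one-word "hi" with no attachment is reported but not flagged, which is the point of requiring two traits.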
Students can learn about safeguarding their computers and download anti-virus software at support.uchicago.edu or safecomputing.uchicago.edu.