
March 5, 2004

New breed of viruses infect inboxes

Another virus mailed itself to uchicago.edu inboxes last Tuesday, warning recipients that e-mail capabilities would be shut down unless they downloaded and ran an attachment. Named "Beagle.J" or "Bagel.J," the virus poses only a medium-level threat, according to various computer-security companies.

Following the spread of the virus, Network Services and Information Technology (NSIT) sent an e-mail to all students warning them of e-mails that purport to be from addresses such as "staff@uchicago.edu," "noreply@uchicago.edu" or "support@uchicago.edu."

NSIT e-mailed students about Bagel.J because the virus relies on curiosity to achieve its goal of infecting as many computers as possible, according to NSIT's security advice site, safecomputing.uchicago.edu.

"Instead of relying on security holes in the target's operating system or software, these viruses rely on social engineering to infect systems. Social engineering is a method of bypassing secure systems by appealing to aspects of human nature like curiosity instead of a technical flaw in the system," the website reads.

When the virus "Blaster" was released at the beginning of last fall quarter, NSIT responded by sending a student dressed in a worm suit to the RSO fair. The worm handed out copies of compact discs to "de-worm" computers.

But Jason Edelstein, RCA of Broadview Hall, said that such tactics would not work against a worm like Bagel.J, similar in its method of infection to "MyDoom.F" and "Netsky."

"Blaster was an example of a truly threatening virus, as it was self-replicating and relied on a flaw that did not require user intervention," Edelstein said. "That's why we went all-out with the de-worming discs and really hammered it into people's heads—and required the computers to be formatted."

Within a day of the release of Bagel.J, infection rates dropped across both the University's and the outside world's servers. Edelstein said that common sense slowed the flow of Bagel.J across the University's network.

"The virus e-mails are poorly spelled, they do not look like the official security e-mails, and they contain a flagrantly suspicious attachment," Edelstein said. These factors contributed to a relatively low infection rate across the University network.

Bagel.J is a worm that uses victims' e-mail address books to copy and send itself across the Internet. The first variant of Bagel, Bagel.A, was discovered January 18. It did not use an interesting message line to encourage people to open its "payload," the attachment on the e-mail containing the actual virus. Until Bagel.J, the subjects of Bagel-carrying e-mails contained phrases such as "Hi," "Weeeeee! ;)))," or "Price list."

Bagel.J's innovation is that it appeals to recipients' emotions. "Some viruses employ preying on people's fears or ignorance as a way of doing their damage," said Ambrose Cohen, distributed systems manager of Social Sciences Division Computing. "Usually it's more a tool of a hacker, but this time a virus used it."

Bagel.J compromises an infected computer's security by opening a "backdoor," or a port through which hackers can access the computer and use it to send mass e-mails to other computers. This renders it nearly impossible to discover the whereabouts of the hacker. Bagel.J also copies itself into folders that contain the letters "shar" in their name. Programs such as Kazaa and Limewire use these folders, making it possible for the virus to be spread over these file-sharing programs.