March 2, 2004

NSIT plays doctor, tries to cure virus-laden e-mails

Students need to be extra vigilant this week to keep computer files safe from the hands of doom. MyDoom.F—a dangerous variant of the MyDoom virus that began circulating last month—burst onto the scene last Monday, continuing to pick up steam today.

MyDoom is among several viruses affecting Windows computers that rely on user error to circulate online. Barry Johnson of Residential Computing said problems begin when the user mistakenly opens a payload file sent in an e-mail that appears to come from a familiar source. This file then infects the computer, which begins aggressively sending virus-laden e-mail to all users in the computer's address history.

Johnson said this virus is worse than the one spread at the end of January because it contains a payload that can delete a user's files. "It is of much greater concern," he said.

Unlike earlier variants of MyDoom, the .F version does not have a "suicide date" that defines when it will stop spreading.

MyDoom fulfilled its intended purpose on February 1 by sending millions of e-mail messages to the Web site of the SCO Group—a company based in Utah—jamming its servers with traffic until they collapsed under the strain.

Other viruses have also been on the rise. Bagel.C was discovered on Friday, Bagel.D on Saturday, and Netsky.D on Monday. All of these worms primarily infect through e-mail attachments. They all use random subject and body text, and they all affect only the Windows operating system.

"The recent strains of viruses that have been attacking computers running the Microsoft Windows operating system at the University have been especially pernicious," said Colin McGrath of Network Services and Information Technology (NSIT). "The authors have become better at making the message containing the virus appear to be harmless. This has made them harder to detect and has allowed them to propagate more quickly than previous versions," he said.

McGrath also said the strains mutate so as not to be detected by anti-virus software for a given period of time.

"People continue to open attachments, which they should not do," McGrath said. "A person should always be suspicious of any attachment that they receive via e-mail. They should only open attachments that they are expecting to receive and should also verify that the sender sent the attachment by contacting that person directly."

David Choi, resident computer assistant at Hoover House in Max Palevsky East, agreed with McGrath. He said students simply should not open suspicious e-mail.

"The virus can only infect if you open the attachment file," Choi said. "Just be wary of e-mail with attachments, including attachments that come from people you know, as many of the virus e-mails sent come from addresses."

NSIT has installed anti-virus software on the mail servers, and, as of Monday morning, it caught about 1.4 million virus-laden messages. McGrath said NSIT is investigating software options to see if they can improve the situation further.
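The article makes two practical points about these worms: they spread only when a user opens an attached payload, and they randomize subject and body text, so a filter that keys on message wording will miss them. The following is an added example written for this page, not NSIT's software and not code from the original article. It sketches the kind of mail-server attachment policy a defender would apply: subjects are recorded but never used for the decision, and delivery is gated on the attachment's file type. The extension lists, the addresses and the sample messages are constructed assumptions; the subjects used in the samples are the ones quoted later in the article.

```python
"""
Added example, not part of the original article: a minimal mail-gateway
attachment policy. It ignores the subject line on purpose (the worms described
use random subjects) and keys on the attachment's file extension instead.
Extension lists, addresses and sample messages are constructed assumptions.
"""
import os
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Assumed list: Windows file types that run code when double-clicked.
# The article gives no list; this is a defender's starting point, not a complete one.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Archives are held for scanning because the payload can be nested inside them.
ARCHIVE_EXTENSIONS = {".zip"}


def attachment_names(msg):
    """Yield the file name of every non-container part that carries one."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            yield name


def last_extension(name):
    """Return the final extension, lower-cased. 'photo.jpg.exe' -> '.exe',
    so double-extension tricks still resolve to the executable type."""
    return os.path.splitext(name)[1].lower()


def classify(raw):
    """Decide whether a raw RFC 822 message may be delivered.

    Returns a dict with 'verdict' ('deliver' or 'quarantine'), the list of
    reasons, and the subject (kept only for the log, never for the decision).
    """
    msg = message_from_string(raw, policy=default)
    reasons = []
    for name in attachment_names(msg):
        ext = last_extension(name)
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment: {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            reasons.append(f"archive attachment held for scanning: {name}")
    verdict = "quarantine" if reasons else "deliver"
    return {"verdict": verdict, "reasons": reasons, "subject": str(msg["subject"])}


def build_sample(subject, filename, payload):
    """Construct a test message with one attachment (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.edu"   # assumed address; worms spoof familiar senders
    msg["To"] = "student@example.edu"    # assumed address
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


# Two constructed messages with the same subject: only the attachment differs.
WORM_LIKE = build_sample("Re: Approved", "approved.scr", b"constructed bytes")
BENIGN = build_sample("Re: Approved", "notes.txt", b"plain text")

if __name__ == "__main__":
    for raw in (WORM_LIKE, BENIGN):
        result = classify(raw)
        print(result["subject"], "->", result["verdict"], result["reasons"])
```

Both sample messages share the subject "Re: Approved", so the only thing separating the quarantined one from the delivered one is the attachment type; that is the property a gateway can enforce even when the worm's authors rotate the message text.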

Like the other variants of MyDoom, .F contains a "back door," meaning the computer is vulnerable to outside "crackers."

Johnson said that back doors are used infrequently in these infections, but that they create potential for abuse.

"It is therefore imperative that the user resolve any infection promptly," Johnson said. "Most virus infections are preventable through user vigilance and proper updating of two primary tools: Windows Update and the University's freely licensed anti-virus programs."

"I would say that this new virus is different in that it has the strangest subject headings such as 'Re: Approved' or 'Love is' or 'You use illegal File Sharing,'" Choi said.

Students who think they may have contracted the virus should check the University's webpage: