USU works on defense but still threatened by MyDoom virus effects

Danielle Hegsted

Utah State University is making steady progress toward coping with the MyDoom virus and its effects, but computer users should still be wary.

Bob Bayn, associate director for Network and Computing Services, said the best defense is keeping virus protection up to date.

Miles Johnson, network systems specialist, said the real danger is that the virus creates a back door, leaving an infected machine wide open. He said an infected machine could give a hacker a way to compromise university resources, credit card numbers, confidential information, attack others, and expose the university to possible responsibility for civil and criminal activity performed on their machines.

John Hanks, network systems specialist, added that an infected machine could also be used to bounce spam and make it look like it originated from USU.

Johnson said concern about the Denial of Service (DOS) attacks (which could overload servers) “is mostly a red herring” made to draw attention away from the fact that the infected computers are now vulnerable. He said that in many test situations, the Denial of Service attacks did not even work.

If the Denial of Service attacks do end up causing a problem, he said Network and Computer Services would block access to the IP address ranges at the border.

“But really, all this DOS will do is give away what machines are infected,” he said.

Bayn said many people within Network and Computing Services as well as network managers in the various departments have successfully dealt with infected computers and helped slow the spread of the virus.

Hanks said about 250,000 infected e-mail messages had gone through the mail scanner on Tuesday. On Wednesday, the number was around 120,000. He explained that the number was significantly less partly because USU had quit accepting mail from the outside world in order to give the scanner and the subsequent queue that delivers the messages time to sort through the vast amounts of mail.

This does not mean that people will not receive mail sent to them from off-campus, he said. It just means that it was delayed.

As of Thursday, USU was again periodically accepting mail from off-campus and was continuing to try and send it off-campus.

Johnson said one of the main problems with this particular outbreak was that “it became apparent that too many people were falling for this thing.”

He said some machines had become infected because people had clicked on the attachment.

“These … machines were in turn pumping more viruses than the server could handle,” Johnson said.

Matt Lorimer, USU Helpdesk consultant, said one of the reasons people might have been fooled was because the attachments sometimes looked like a common .doc or .html file. He said the virus would create a certain file, for example, “document.doc” and then insert enough spaces after the first part of the filename that a user might not see the real extension. So, the end result would look like document.doc (many spaces) .pif.

According to McAfee’s Web site, another reason people could be tricked was because the attachment might use a graphic that made it look like a harmless text file.

In addition, the virus uses forged e-mail addresses on the “from” line of its messages, and this is why some people received bounced messages that said a certain e-mail could not be delivered to a user that did not exist.

Bayn said there is a collection of almost 50 user names that were “preferentially forged.” The list contained common first names that were likely to be used as user names.

“Those whose user names were preferentially forged received an extra dose of bounced messages,” Bayn said.

In order to combat this, Network and Computing Services added some features to a collection of utilities they have designed to combat spam and viruses. These new features delete bounced messages and delete messages that have the same from and to line from a WebMail user’s account.

The features are available to any WebMail users by clicking on “Account Maintenance” and then “Cleanup Your Inbox” from webmail.usu.edu.

For additional information about the status of USU’s network and details about the virus, visit dd.usu.edu/netstatus.

Anyone who needs help on learning how to update his or her virus protection or clean up viruses from their inbox should contact the USU Helpdesk at 797-4358 or http://helpdesk.usu.edu.

-dhegsted@cc.usu.edu