CYBERWORMS AND VIRUSES, OH MY

By Ben Li

Call them the Boris and Natasha of cyberspace.

Two notorious computer viruses accosted University of Calgary computers last week. While the CodeRed worm tried and largely failed to infect web servers running Microsoft’s Internet Information Services server software, over 600 copies of the SirCam e-mail virus were sent and received per hour at the height of infection.

The SirCam virus, which infects computers running Microsoft Windows and sends users’ documents to random people in users’ address books, first appeared on the university servers around July 19.

"It generated a lot of processes on the server," said Manager of System Services Academic, Joseph Yip. "It slowed everything down so it was unusable." Yip added that the campus e-mail servers handle 400,000 to 1,000,000 e-mails per day.

According to Yip, all incoming e-mails containing the virus were enclosed in a wrapper starting Mon., July 23, warning users of the potential for infection. Despite this, the system was unable to keep up with the increased load.

"The decision to delete all infected e-mail was made just before noon on Tuesday the 24th," said Information Technology anti-virus consultant Jim Powlesland. "That pretty well solved the problem."

By then, however, the virus already had five days to spread and send e-mails containing potentially confidential documents.

"I had one professor who was quite concerned about her confidential documents going out to other people," said Powlesland, who added that IT support staff have been inundated with calls and e-mail regarding the virus. "What these incidents have done is make us realize that better software is needed at the gateway [to our network]."

While IT has deployed updated anti-virus software to detect and remove SirCam, computers without the updates and e-mail not hosted on the university mail servers may still be infected.

Shortly after the initial round of SirCam infections, the university was hit by CodeRed, an Internet worm that spreads among IIS servers and defaces them. CodeRed first appeared on the Internet and on campus on July 19, and was set to activate its payload on July 31. SirCam was created to bombard a US White House Web site with useless data, potentially congesting Internet connections across the globe.

"I don’t know that it had much of an effect on campus," said U of C Information Technologies Manager of Network Services Tom Seto. "[July 31] was a non-event. We didn’t even notice a traffic increase."

Over the last two weeks, IT mitigated virtually all the potential damage inflicted by CodeRed by scanning for infected systems and advising administrators to patch their IIS software to prevent infection.

"As of Tuesday, of the about 120 IIS machines on campus, half were patched, 12 or so were suspect, we had no information on about 30, and four were not patched," said Seto. "As of Wednesday morning, there were nine infected machines. The bottom line is that all the server administrators did their jobs in patching it up."

To protect against future viruses or to remove existing viruses, IT recommends downloading and updating free anti-virus software from http://www.ucalgary.ca/it/virus/
