Viruses worm way onto campus
The EMU computer network has survived the latest wave of viruses that paralyzed other institutions, but Information Systems says more are sure to come.
Many students in recent weeks have been surprised to discover their network connections disabled by IS to help control the spread of several harmful viruses on the EMU network. Some 40 students have had their ports turned off since IS first noticed the viruses while performing some work on Sept. 9.
"We were building a computer for one of our projects and before we could complete the installation of Windows XP and apply the patches, it was being infected with the viruses," said Jack Rutt, Director of Information Systems. "We began scanning the network with a sniffer tool to determine the source of the problem."
The cause was several dozen student computers infected with the Blaster and Nachi-A worms. Unlike ordinary viruses, worms don't require a medium like e-mail or floppy disk to transmit themselves. They spread through open ports, the network doorways into computer systems that are necessary for communication with the outside world. In finding other computers to infect, they create a high volume of network traffic - in some instances enough to bring the entire network to its knees.
"We fared really well, mostly thanks to our network capacity," said Rutt. "The gigabit connections handled the extra load that left some schools flat on their backs."
Because of the high threat the national virus outbreak posed, other universities had to take more drastic action. George Mason University in northern Virginia disconnected all 3,600 students until technicians could check each computer and apply the appropriate fix. Massachusetts Institute of Technology, in an extreme attempt to control the worm, required students with infected computers to format their hard drives and reinstall the operating system. Many used the opportunity to install a non-Microsoft operating system such as Linux.
Blaster and similar worms only affect computers running Microsoft Windows XP or 2000, which by default have the Remote Procedure Call (RPC) service active and listening on port 135. Since all but a few faculty and staff PCs run Windows 98, they were minimally impacted. The majority of students, however, either purchased computers with XP or upgraded to it and are therefore at risk.
Rutt says IS took steps when checking in student computers to prevent this sort of outbreak but could have done more. "We loaded Sophos on every new student computer and scanned it for viruses, but, regrettably, we didn't install the Microsoft patches at that time."
Returning students were not required to bring their computers in to be checked. Rutt speculates that several returning students unknowingly brought the virus from home. Once connected to the network, these infected PCs began scanning for other hosts to infect, including those previously scanned by IS but still vulnerable.
Drew Foderaro, a junior, had his computer infected twice - once by Nachi-A and later the same day by a variant, Welchia. "They shut off my port in the morning so I took my computer in to be fixed. It worked when I brought it back but in a few hours they shut it off again."
Foderaro is grateful IS removed the virus for free - some schools are charging virus fines - but wishes the process would have been easier. "I could fairly easily apply the patch if they gave me the CD but instead I had to walk it all the way down to IS. They could make it easier on students, especially since it's not their own fault. It's a big inconvenience to not have a computer for several days."
Information Systems reports that virus repair is an involved process; it took their User Services Group about half an hour to repair each of the 40-odd infected computers. "They put in a lot of overtime," Rutt said. "It was really intense Wednesday through Friday. By then we had most of it under control."
Rutt expects this round of viruses is just the first of many. "We're just waiting for the next one. Now we have filters on the routers that put a barrier between the residence hall computers and the rest of the computers on campus to keep certain viruses away from the faculty, staff, and computer lab computers."
Sunday, a new virus known as Swen or Gibe.F was detected that spreads by e-mail or Kazaa and claims to be a cumulative patch from Microsoft to repair XP's RPC vulnerabilities. When run, it attempts to disable firewall and antivirus software, gathers password information, and then sends itself to others. Users should be aware that Microsoft never distributes patches via e-mail.
To download and install the latest patches directly from Microsoft, IS recommends all students running Windows visit www.windowsupdate.com, especially if running Windows XP. Additionally, XP users can configure the operating system to update itself automatically. All users should be sure they have virus protection and that it is updated regularly.
Students who need help with these tasks are encouraged to call the helpdesk at extension 4357. The latest EMU virus advisories can be found at www.emu.edu/is/virus.