Three viruses infect, slow down e-mail system on ISU campus

Ruth Neil

Slow Internet service and overflowing e-mail inboxes greeted students connecting to the campus network last week. The problems were created by three viruses.

Blaster (also called LovSan), Nachi (also called Welchia) and SoBig are the latest viruses circulating the Internet.

“The significance and impact of the Blaster and Nachi worms is beyond what we have seen before,” said Mike Bowman, assistant director at Academic Information Technologies (AIT). “The number of machines being affected is beyond what we have ever seen.”

A worm is a kind of virus that spreads without the help of computer users, according to the Microsoft Web site, www.microsoft.com. After infecting one computer, the worm distributes copies of itself throughout the network.

“Essentially as soon as I plugged my computer into the network, I had the worm,” said Heath Munson, sophomore in liberal arts and sciences. AIT blocked his computer from the Internet for three days while he got the virus off his computer.

Munson had a hard time e-mailing AIT about the problem at first, because the worm caused his computer to reboot every five minutes.

“I had no idea what it was that was restarting my computer,” he said.

AIT helped Munson download the programs he needed to rid his computer of the worm.

“It was a bit of a nuisance, but because of the preparations of AIT in dealing with it, I was able to take care of it before it interfered with classes,” he said.

Munson used his experience to help keep other students on his floor in Larch from experiencing the same frustration he had.

“I didn’t want them to plug in their computers,” he said.

All three viruses take advantage of programming flaws in Microsoft Windows, Bowman said. Blaster and Nachi affect users of Windows NT, 2000 and XP. The SoBig virus affects all Windows platforms.

Computers are not vulnerable if users have installed the patch that addresses the flaw or are using Macintosh, OS/2, Unix or Linux systems, Bowman said.

However, the viruses slow down all network computers because they tie up networks searching for vulnerable computers to infect, he said.

“Both the Blaster worm and the Nachi worm create heavy network traffic,” Bowman said.

AIT blocked infected computers from Internet access as they were detected, but the problem was widespread as students were returning to campus.

Microsoft recognized the programming flaw and distributed the patch in Security Bulletin MS03-026 earlier this summer, according to Microsoft’s Web site. The Blaster worm, discovered Aug. 11, was created specifically to exploit the flaw in computers that did not have the patch downloaded and installed.

The Nachi worm is “supposed to be a good worm,” said Doug Jacobson, associate professor in electrical engineering and computer engineering. It finds computers without the patch, removes Blaster if present and installs the patch.

It’s supposed to be a good worm, but it’s not, he said.

“[Nachi] is a little worse for the network because it goes out and scans for computers,” Jacobson said. “It can generate a lot more traffic [than Blaster].”

He compared the situation Nachi created to what would happen with “every telemarketer in the country starting to dial every number in the country.”

While the Blaster and Nachi worms have slowed computers down, they don’t do much other damage.

“Some worms just get in to prove they can get in,” Jacobson said. “The writers of these worms have chosen not to be too destructive.”

Typical symptoms, such as systems rebooting or freezing, result from the worm using up memory trying to find other computers to infect, according to the Microsoft Web site. If the worms did more damage, they would not be spreading as quickly.

“The worm has to live long enough to propagate,” Jacobson said.

Once a computer is patched, it is safe from both worms.

“Until everyone gets the patch, it’s going to be persistent,” Jacobson said.

The third virus, the SoBig virus, requires some help from computer users to spread to other machines. It arrives in e-mail with subject lines such as “Re: Details” or “Thank you!” and doesn’t infect the computer unless the user opens the attachment.

“SoBig is different than Nachi and Blaster. SoBig is actually a totally different animal,” Jacobson said.

The creator of the SoBig virus programmed the virus to turn the machines it infects into mail servers, spamming everyone in the infected computer’s address book with virus e-mails, Bowman said.

On Wednesday, AIT detected and cleaned 76,000 e-mails containing viruses, Bowman said. The problem continued to increase, and 216,000 more e-mails containing viruses were detected and cleaned Thursday.

Most of the infected e-mails were infected with SoBig, Bowman said, but the numbers include all viruses.

Other e-mails may be valid despite being infected with a virus, so AIT delivers them with an addition to the subject line, “Virus detected and cleaned.”

“When [the cleaned e-mail] actually gets to your system, the virus is no longer there,” Bowman said. “We let the user decide if there’s anything of value in the e-mail.”

Iowa State has created an instructional Web site, www.public.iastate.edu/~virus/quick.html, to help students and faculty respond to this virus outbreak.