OIT acts to stop computer viruses

OIT has nearly contained several computer viruses that attacked University computers this summer, causing some confusion in the process.

Three thousand CDs containing software to check for, remove and protect against the three most common worms have been distributed to students. In addition, computers that registered unusual activity were automatically disconnected from the network to prevent them from infecting other computers.

As many as 500 student machines had been blocked from the network at any given point, and about 200 were blocked yesterday afternoon, said Dan Oberst, director of enterprise infrastructure services at OIT.

The Stealther, Blaster and Welchia worms, which first surfaced in early August, exploit a vulnerability in the way Microsoft Windows 2000 and XP connect to other computers to send data. Worms are particularly dangerous because unlike other types of viruses, they spread to other computers on their own, often through the Internet.

"It was so widespread," Oberst said, "that if your computer didn't have the patch and you plugged it into the network, it would be infected in a minute."

By overwriting a program that the operating system normally runs, the worms trick the computer into executing a different program. Once this "Trojan horse" has infiltrated the system, it can wreak havoc in any number of ways, including deleting files or sending email.

The worms spread by locating other computers on the network to connect to and infect.

"That sends data to every computer on the network, as well as many computers that don't exist," Oberst explained. "It slows down the network."

Microsoft wrote a patch to correct an existing problem in their software that allowed worms to infect Windows systems, but those who have not installed the update are still at risk.

Over the summer, the trio of worms spread to thousands of administrative, departmental and personal computers on the University network, requiring OIT staff to manually disinfect or patch each machine. At one point, the University's dialup service was nearly unusable because of the traffic.

Concerned about the massive influx of computers – not all of them patched – that would occur when students arrived on campus, OIT convened a "war council" several weeks ago to discuss how to stop the worm from spreading.

The group decided that writing a standard CD for all students to run before hooking their computers to the network would minimize confusion. The CD, which OIT has shared with other universities, removes the worms and applies the security patch.

OIT also monitored network activity and blocked infected computers, informing students via email that their access would be restored after the worm's removal.

Since the blocked students could not log on to check their email, however, some did not realize what had happened and simply assumed that the network connections in their room were not working properly.

The problem was compounded by the fact that the worms sometimes appear harmless, leaving infected computers fully functional while spreading to other computers.

Anna Thoman '05 said she had run the CD twice but was still blocked from the network. "My computer's working fine," she said. "I don't think I have a virus."

But some of the worms were more disruptive. Tony Vita '06 brought his laptop into the OIT Solutions Center in Frist for assistance because he could not run basic applications such as Microsoft Word.

"I'm thoroughly disappointed by the long wait," said Vita, who had been sitting near the door for nearly two hours. "It's a beautiful day, and I don't want to be waiting here."

He added, however, that the Solutions Center, which just opened this year, was much more convenient than having to visit the OIT building on Prospect Avenue.

OIT expected the number of students blocked from the network to tail off shortly. RCCs and OIT staff visited rooms last night to offer help to students who were still experiencing problems.

"We were prepared to have to throw a lot of staff at solving the problem, and even that the network might be unusable for some period," Oberst said. He credited the relatively minimal damage to "a lot of planning ahead of time and having a lot of contingencies to deal with it."

Over the summer, the University was also hit by the Sobig.F virus, which spread as an email attachment. The emails appeared to be from a number of sources, including within the Princeton community, and enticed recipients to open the attachment with subjects like "Re: Details" and "Re: Wicked Screensaver."

Once downloaded, the virus installed software capable of spreading information on infected computers, causing some to malfunction. Sobig.F replicated itself by hijacking address books, generating huge quantities of emails that tied up the University's network.

A campus-wide email was immediately sent to warn against opening such attachments. OIT then removed the virus from affected computers and updated its email system to automatically delete messages with the attachment.

The Sobig.F virus was completely shut down within two days, according to an OIT report.