Viruses infect Windows Systems
Sarah Vabulas | Monday, April 5, 2004
Throughout the past few weeks, viruses new and old have continuously spread across the Internet all over the world. These viruses are bringing down entire networks at a time, including Notre Dame and Saint Mary’s, causing frustration and anxiety for both the computer savvy and the not-so-computer savvy alike.
On Aug. 11, Microsoft began investigating a worm reported by Microsoft Product Support Services, a service developed to keep Microsoft and its programmers in touch with users and the problems that most commonly occur due to holes left in the programming of software. This worm became known as the Blaster Worm, and made headline news, scaring many Windows users. Later a variant of Blaster began to circulate through the Web in a similar way, becoming known as the Nachi Worm.
These two viruses exploit a security issue that was addressed by Microsoft in Security Bulletin MS03-026. This issue concerns a vulnerability in the Remote Procedure Call (RPC), a function in the code that makes up Windows 2000 and Windows XP Professional and Home editions. Microsoft announced the problem and released a patch for the hole so that users could beat the virus before it even began to spread. However, this required people to update their computers using a Microsoft Web site called Windows Update, and not all users heard about the patch, or simply chose to ignore the download.
The Blaster Worm, or W32.Blaster.Worm, locates the IP address of a computer, or essentially the social security number of any computer that has ever surfed the web, and infects it. Whenever a computer logs onto an Internet Service Provider, or an ISP, it is issued an IP address that can be found from anywhere in the world to identify where the computer is located and where on the web it visits. By simply being logged onto a network, a computer can be located and infected. Blaster is not earned, and the only way to keep it from infecting a computer is to make sure the patch has been downloaded onto the computer, closing the hole in the code and rendering the file worthless.
Symptoms of the virus include a warning message giving about thirty seconds to shut down all programs before the computer restarts, the computer simply restarting, or a program called msblast.exe running in the Processes tab of Windows Task Manager, a program opened by pressing the Control, Alt and Delete keys simultaneously.
The viruses infect the following Microsoft products run on personal computers, or PCs: Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows XP Professional and Home Editions, and Microsoft Windows Server 2003. Users of Windows Millennium (Windows Me), Windows 98, Windows 98 Second Edition (SE), and Windows 95 were not affected by the issue. However, these products are no longer supported. Users of these products are strongly encouraged to upgrade to later versions.
During scans on the evening of Aug. 25, the director of student computing at Saint Mary’s, Kathy Hausmann, discovered about 30 computers belonging to students that had not been patched despite incessant efforts by Information Technology to download the free patch, and was able to positively identify the owners of 21 computers. ResNet downloaded a tool, which was recommended on the national ResNet listserv, to scan the subnets in ResNet for computers running Windows 2000 or Windows XP that had not been patched. Many schools and other organizations with large networks are doing much the same to track who can send the virus to other users.
In an e-mail to employees of IT, Hausmann said she would send the students an e-mail message she drafted explaining that their computer has not been patched, that it needs to be patched because without the patch it is most likely infected, and that if they are infected, they are contributing to the network problems Saint Mary’s is having on campus. She is also including the instructions for cleaning the virus, while directing them to Fixit, a service of ResNet for students who are having computer problems, if they find it difficult to install the patch. The Web address for Fixit is fixit.saintmarys.edu. If deemed appropriate, a Residential Computer Consultant, or an RCC, will be dispatched to aid the student in fixing the problem. But before posting a problem report form, students should attempt to resolve the problem on their own with the directions provided in an email sent out last week and on a webpage made specifically to aid students in removing the worm, which can be reached from the ResNet page on the Saint Mary’s home page.
Microsoft provides the patch on the front page of its main site, along with further information for users who are more interested in what exactly the virus targets. Along with a detailed, technical description, Microsoft published directions on how to scan a computer to find the virus, how to remove it if found, and how to prevent viruses with similar characteristics from making it into the file system of a PC.
These directions include installing virus scanning software; implementing a firewall, a way to block traffic that is for the most part unwanted and potentially harmful to the computer and/or network; ensuring that a computer’s virus protection files remain updated to protect it in the future; and finally, removing the infected files from the computer.
To update the Windows operating system with all necessary files, visit the Microsoft Windows Update website via the main address: http://v4.windowsupdate.microsoft.com/en/default.asp.
Most viruses are sent through rogue emails, ones that users don’t even realize are sent from their computers and email accounts to addresses of people found in address books and the cache of a computer’s temporary Internet file folder.
The latest of these types of emails is called SoBig.F, a virus designed to bring down the Internet as a whole by sending out so many emails at one time that networks and servers crash all over the world. SoBig.F is part of a series of viruses known as SoBig; SoBig.G is expected to come out in the next few weeks, but computer programmers are already working to overcome the virus before its release in order to prevent a disastrous situation.
Much to the chagrin of Apple Corporation, there are no known viruses made for Macintosh’s most recent operating system, Mac OS X. Each time a new virus is announced, Apple uses it as an advertising campaign for PC users to switch to Macs. Macs tend to have a more stable operating system, but despite this, more users choose to stick with PCs when purchasing new computers.
Viruses like Blaster, Nachi and SoBig are merely examples of viruses that make their way onto the Web on a daily basis, infecting millions, while even managing to puncture through new security features in the newest operating systems. With advances in technology, the race to design the best virus continues, as well as efforts to bring down large corporations merely for the amusement of the people who wrote the program.
Viruses are an everyday part of computing, but ways to cope with and prevent viruses do exist. Users should become more responsible and knowledgeable in order to prevent the hassles that come along with owning an infected file on a network.