Campus Computing News

By Dr. Maurice Leatherbury, Senior Director of Academic Computing

How do ILOVETHEE(you) -- The virus hits UNT

On Thursday, May 4th, the ILOVEYOU virus hit UNT with a vengeance; at least it seemed vengeful for those of us directly affected. If you use GroupWise on campus, and even if you didn't receive the virus, you were still inconvenienced or worse because GroupWise was shut down for the better part of a day or longer, depending upon which department you are in here at UNT. The lessons that were learned from this fast-moving virus were painful, but the following short chronology of what happened to me and others on that day is useful to everyone:*

Thursday, May 4th
8:30 AM I receive a mail message from a trusted source (the Texas GigaPOP mailing list in Houston), open the message, then click on its attachment. Something starts up that asks me to install Microsoft Outlook, which I don't have on my machine. I declined the invitation.
8:35 AM My colleague, Coy Hoggard, comes into my office and tells me not to open the message "ILOVEYOU" or its attachment because it apparently does something strange. He had shut his computer down when it seemed to start sending messages without his control.
8:45 AM Coy and I call our computer support office, which responds immediately and starts investigating what happened. They find that my machine had been infected with the "ILOVEYOU" virus, and start searching on the McAfee virus protection site to find out what that virus does. They learn that it replaces all .jpg, .vbc, and many other file types with some file, and more perniciously, sends the infected message to everyone in your Outlook mail book (note that at least I didn't propagate the virus since I didn't have Outlook installed.) But no virus definition ("fix") file is available yet to protect against ILOVEYOU.
9:15 AM The Computing Center's virus protection manager, Curry Searle, finds a virus definition file on the McAfee site and downloads it. He starts testing it on his systems but can't verify that it works properly.
10:20 AM I return from a budget hearing and check to see the status of our efforts to eradicate the virus. I'm told that we still can't get the McAfee fix to work on our systems and that the virus affects even network attached drives. Knowing that some departments still run Web servers whose image files are exposed to the virus, we decide to shut the GroupWise servers down to prevent other users from making the same mistake some of us had already made.
12:15 PM We still haven't made much progress on getting the McAfee fix to work but aren't sure if some of the network managers around campus have. We find at least several hundred messages in the GroupWise system with the subject line of the virus message, so grow more concerned about its spread. We call all network managers to an emergency meeting at 1:30 to discuss the problem and its solutions.
1:30 PM About 40 network managers and Computing Center support personnel meet, representing all LAN servers on campus. Support personnel from distributed areas report that the instances of actual infections have been low (on the order of ten to fifteen users so far), but that many users had received the ILOVEYOU message. Some network managers reported that they had been able to detect and prevent the virus with the latest McAfee data file, but the fix seemed to be dependent upon the version of the McAfee software as well as having the latest virus definition file installed. There was a lot of disagreement about the seriousness of the threat posed by the virus, but the consensus of the group assembled was that we should wait until the campus could find a definitive fix for the virus before turning GroupWise back on.
4:45 PM The Computing Center's support group for virus protection and LAN services finds a definitive fix to the various versions of the McAfee software on campus that will catch the ILOVEYOU virus before a user opens the attachment. We make the decision to require each network manager to install the fix(es) on their systems before restarting their GroupWise post offices and to let the Computing Center know that they've made the requisite fixes. We call the managers notifying them of this and put it on the Web page with UNT virus information.
Friday, May 5th
8:15 AM The first post office is turned back on after we are notified that all the machines on the post office have been protected with the latest fixes to McAfee VirusScan.
6:00 PM By the end of the day on Friday, all but two GroupWise post offices have been restarted.
Monday, May 8th
9:30 AM The last post office is restarted.

What are the lessons that we learned?

There are two aspects of this answer. First, from my own personal experience I learned not to make the following assumptions about e-mail messages:

  • Even trusted sources can be the victims of viruses so if you have any reason to question the contents of messages from those sources, beware!
  • Virus protection software isn't foolproof, particularly with a fast-spreading infection, so you can't assume that you're protected just because you're using one of the protection packages (the virus "definition" file for ILOVEYOU wasn't available when I was hit.)
  • It's absolutely critical that you back up any files that are important to you. I was fortunate in that none of the files that the virus destroyed on my machine or on the network directories was a big loss, but some of our other users did permanently lose files that they needed.

From the campus perspective, we learned:

  • We're going to have to be more comprehensive in scanning for file types that may be affected by viruses. Almost no systems on campus were set up to check for Visual Basic scripts, which carried the ILOVEYOU virus. Because of the performance drain imposed by virus scanning packages such as McAfee, most of us only check for the (heretofore) common sources of viruses, the ".com" and Word macro viruses.
  • We should attempt to catch viruses before they reach campus, at a single point, so that 6,000 machines don't have to be updated in order to detect and/or prevent viruses. The Computing Center is aggressively investigating solutions that will allow us to do that.
  • "Social engineering" (the term coined to explain why many people naively accept messages carrying viruses) can lure even knowledgeable users into launching a virus.
  • The campus computing support infrastructure can work quickly and effectively when called upon to do so: we were able to gather over 40 computing support personnel from throughout the campus in less than an hour and to make a decision about the proper course of action.
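The first two campus lessons (check script file types, and do it at one point before mail reaches 6,000 desktops) can be sketched as a gateway attachment check. This is an added example, not UNT's or McAfee's code; the extension lists, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumption: extensions treated as executable content; tune to site policy.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                      ".com", ".exe", ".scr", ".bat", ".pif"}
# Harmless-looking extensions commonly placed before the real, final one.
DECOY_EXTENSIONS = {".txt", ".jpg", ".gif", ".doc", ".pdf"}


def inspect_message(raw: str) -> list[dict]:
    """Return one finding per attachment whose real extension is blocked."""
    findings = []
    msg = message_from_string(raw)
    for part in msg.walk():
        filename = part.get_filename()  # decodes quoted / RFC 2231 names
        if not filename:
            continue
        # Drop any path, then trailing dots and spaces, which Windows ignores.
        name = filename.replace("\\", "/").rsplit("/", 1)[-1]
        suffixes = PurePosixPath(name.rstrip(". ").lower()).suffixes
        if not suffixes or suffixes[-1] not in BLOCKED_EXTENSIONS:
            continue
        findings.append({
            "subject": msg.get("Subject", ""),
            "filename": filename,
            "extension": suffixes[-1],
            "disguised": len(suffixes) > 1 and suffixes[-2] in DECOY_EXTENSIONS,
        })
    return findings


def quarantine(raw: str) -> bool:
    """Gateway decision: hold the message if any attachment is blocked."""
    return bool(inspect_message(raw))


def build_sample(subject: str, filename: str) -> str:
    """Construct a test message with a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "list@example.org"   # constructed addresses
    msg["To"] = "user@example.edu"
    msg.set_content("see attachment")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()
```

Because the decision depends only on the attachment's final extension, it holds a script attachment even when no virus definition file for it exists yet, which was the gap during the first hours of May 4th.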

The ILOVEYOU virus was a costly drain on UNT's time (we measured at least 450 hours of computing support personnel time alone, costing more than $6,000 in direct costs), but fortunately it did no permanent or large-scale damage. The lasting message that the virus conveys to us at the University is one from the old Hill Street TV series: "Let's be careful out there!"

Other articles in this issue also address the topic of viruses and computer security: