Mydoom virus has little effect on University



The Mydoom e-mail worm that infected computers around the world Tuesday had a fairly minimal effect on Yale, University Information Security Officer H. Morrow Long said Wednesday.

Long said the University’s Information Technology Services deleted 117,000 messages carrying the virus and renamed 57,000 e-mail attachments that were the same file types as attachments carrying the worm, which is also known as “Novarg.” While Long said he did not have exact numbers, he said he did not believe that many computers at the University were infected by the worm.

“The primary effect was that some of the mail servers were overloaded,” Long said.

Brian Czarny, who serves as marketing director for the business e-mail security company MessageLabs Inc., said the worm arrives at e-mail addresses disguised to look like it has an attached text file. When recipients click on the file to open it, Czarny said, they activate a program which then harvests infected computers’ address books and mails itself to the addresses it finds, with those e-mails assuming the identity of one of the discovered addresses. The worm also acts as a Trojan horse, potentially letting outside users take control of infected computers, Czarny said.

In addition, the virus inserts itself into users’ Kazaa shared files, if they exist, disguising itself as other pieces of software, Czarny said.

Long said when someone sends an e-mail, it normally arrives at its destination within seconds, but yesterday it took some e-mails minutes to arrive. He said some users who have large e-mail inboxes also faced slowdowns when their mail clients attempted to retrieve their messages.

Mail servers around the world were flooded by the worm this week. Czarny said the first e-mail his company intercepted originated in Russia on Monday. Since then, Czarny said, his company has received infected e-mails from more than 260 countries.

Czarny said out of the 40 million e-mails a day that the company monitors, 3.4 million worm-infected messages were intercepted. At the infection’s peak, the company was stopping one out of every 12 e-mails, Czarny said.

“That definitely qualifies as the quickest so far that we’ve seen,” Czarny said.

Because of the large number of incoming e-mails, ITS activated a program that looks for the “signature of the virus,” Long said.

“It looks for the file names that are known to contain Mydoom,” Long said. “And then it just deletes them.”

Long said he believed this was the first time that program was activated. Another program, which runs constantly, looks for e-mails carrying .exe files and other types of attachments the University considers dangerous. The program renames the files and adds a message for the recipient, Long said.

Long said users can protect themselves against worms like Mydoom by keeping their virus protection software up to date and not clicking on attachments. According to its makers’ Web site, the latest virus definitions for Norton Anti-Virus — which is available for free from ITS — protect against the worm.
