March 17, 2004

E-mail Virus Infects Campus

A virus spread across Cornell’s computer network this past week, disabling programs on many computers and multiplying itself within the system. The virus, whose name is w32.Beagle.n@mm, has gone through 14 variations since anti-virus vendors first noticed it in late February. The ‘n’ variant was detected at Cornell on Monday.

The virus is spread through attachments coming from what look like official University e-mail addresses, such as staff@cornell.edu and administration@cornell.edu. The virus creators “make it try to look like it’s official so that you want to click on it,” said Steve Schuster, director of IT security at Cornell.

An e-mail was sent from Cornell Information Technologies on Monday morning, informing members of the Cornell community about the virus.

“Please be aware that there are currently viruses circulating via e-mail attachments using forged return addresses claiming to be from Cornell, ResNet, and other university entities,” the e-mail stated. The e-mail reminded students that “ResNet will not send any e-mails which include attachments.”

Infected e-mails have subject lines like “notify about using the e-mail account” and “e-mail warning,” according to Heather Shannon of Symantec, the anti-virus vendor used by Cornell. The attachments, which are stored in .zip, .rar, or .pif files, infect files with an .exe extension.

The text of the e-mail, Symantec warned, usually contains a variation of a message telling recipients that their computers are infected with a virus and that they should download the attachment to prevent future damage.

Symantec.com, which posted warnings about the virus soon after it was detected, stated that Beagle “attempts to spread through file-sharing networks, such as Kazaa and iMesh, by copying itself into folders that contain the string ‘shar’ in their names.”

When a virus is first released, on what is called ‘zero day,’ no anti-virus software exists to stop it.

“At ‘zero day’ everyone in the world is vulnerable to this kind of attack,” Schuster said. As soon as people are attacked, anti-virus vendors scramble to analyze the virus’ behavior, name it, and identify what kind of protection is needed to stop it. Although anti-virus companies like Symantec are able to create protection within a very short period of time, Schuster said, “there is a small window