November 6, 2000

CIT Takes Measures Against E-mail Bug

A rash of infections by the MTX virus/worm hybrid, which affects computers running Windows 95/98 software, prompted Cornell Information Technologies (CIT) to take action.

CIT is providing a downloadable version of the NortonAntivirus program on its website as a remedy. CIT is also blocking access to the Internet site responsible for the most destructive components of the malicious worm, which propagates using e-mail attachments.

Since the problem was discovered on Aug. 17, 25 users have come to the CIT help desk in order to diagnose and remove the virus from their computers. Other universities that were infected by this virus, such as Harvard and Yale, have gone through the same safety measures, providing free diagnostic and immunization software for network users, according to Thomas Braun, systems and network infrastructure security for CIT.

Computers on the Cornell network running the NortonAntivirus program as of Sept. 5 or later are protected, according to CIT.

Infected users are usually unaware that they are sending duplicate messages containing the virus.

“As soon as I sent e-mails to my sister, my roommate and my boyfriend three blank e-mails titled ‘Iwantyou’ were immediately sent [to each of the recipients],” said Stephanie Spector ’03, a student whose computer lost its connection to Kerberos Wednesday after receiving the virus through an unidentified e-mail.

Spector’s roommate was denied access to the e-mail since she was working from a computer protected by the NortonAntivirus program. Both Spector and her boyfriend used the antivirus program to cleanse their computers.

“My sister’s computer was completely ruined. It was an older computer, but it attacked everything on Windows,” Spector said.

“This is a particularly nasty virus. Upon arrival, the virus searches for antivirus programs running. If one is identified then the virus does not execute its function. However, if the host computer doesn’t [recognize an antivirus program] the virus duplicates in three to four files, then corrupts other associated programs and breaks connections with the network,” Braun said.

NortonAntivirus operates as a diagnostic tool that scans mail attachments to identify any viruses. Once identified, NortonAntivirus quarantines the infected files, preventing them from being opened and spread to other mailboxes.

Sidecar, Bear Access and other network identification programs are the most susceptible to infection, though the virus does not discriminate according to the content of a file, Braun explained.

The virus spreads by waiting until after the user has sent a message, then sending a subsequent infected message to the same recipient, often under false yet provocative subject headings such as Metallica.mp3 or Seemenude.mp3, according to CIT. By not opening the second false message, one can prevent infection and the spreading of the virus.

“This wouldn’t be an issue at all if people would use safe programs and ran NortonAntivirus. Don’t open attachments if you don’t know what they are about,” said Braun.

Due to the severity of this particular virus, CIT began accepting appointments for infected desktop computers in addition to laptops. Once a computer is infected, purging it of the virus and rehabilitating the corrupted programs is very difficult, according to Braun.

Users who have been infected by the virus can either use an automated floppy disk program to guide them through the virus fix or can make an appointment with CIT, depending on the severity of the infection.

Braun also recommends that people who transfer information via floppy disk from labs to their home computer scan the floppy to make sure that it does not contain traces of viruses.

Archived article by Dan Webb