April 1, 2004

BAGLE Worm Hits Campus


Since Tuesday, the BAGLE.Z worm has been spreading across campus computers, infecting about 10 percent of Resnet-connected machines. The worm, a variant of a family that has produced hundreds of permutations over the past several months, exploits a flaw in Microsoft Windows operating systems for which Microsoft has already released patches, according to Steve Schuster, director of I.T. security at Cornell.

“Right now, [CIT] has blocks put into place … that will help minimize the effect of the worm,” he said. “But the problem is that the security vendors — Symantec, TrendMicro — they’re just now starting to even identify this. It’s a variant of the Gaobot, and right now there are 900 variants of that particular one.”

Schuster said that about 800 systems have been identified as infected, and that more infected systems may be lying dormant.

“If they’re given variants that are in stealth mode, then they won’t be sitting on the network making a lot of noise,” he said. “So we’ll probably be finding additional systems.”

Schuster said he believed, however, that most of the infections had already been found and were being remedied. Once an infection is found, CIT blocks the ports the worm uses to propagate and cuts off the computer's internet connection.

After that, the user is notified that their computer has the worm and told to call CIT for instructions on cleaning it. "Once their [computer is] clean, the help desk will remove that block," said Schuster.

The worm caused three library computer labs — Stimson, Upson and Uris — to be taken off the University network Wednesday. “[It] was really just overnight … to protect the students,” Schuster said.

Tekla Israelson ’07, who got the virus Tuesday morning, says that she still doesn’t have internet access. She first noticed something was wrong when she couldn’t load web pages outside of Cornell’s.

“But I could still check Eudora, so I got an e-mail from CIT saying that I have this virus,” she said.

Her access was later restored, apparently by accident, and then removed again.

“And then they sent out [another] e-mail saying you need to do this stuff, and if you have questions call us,” she said. “So I did everything they told me to, and I find the little virus they were talking about and I deleted it.”

“The guy on the phone was very nice and he walked me through everything,” she said, adding that he told her access would be restored within 24 hours, probably less.

Israelson had not been able to access websites or services outside of Cornell’s as of this writing.

“The most inconvenient thing is not being able to check the weather,” she said. “And not being able to use AOL Instant Messenger, because I’m working on a group project right now and even if I have little questions about it, I have to e-mail [group members] or call them, and so that’s annoying.”

Vincent Zou '07 said that his computer suffered other side effects from the worm, including running extremely slowly and restarting itself every time he tried to play a song. He, too, has removed the worm but has not gotten internet access back.

Schuster explained that the BAGLE worm posed a special threat to internet users.

“There are currently developing kits out there, with nice user interfaces, where you can create your own variants of it,” he said. “The [anti-virus] vendors can’t keep up with it.”

Schuster said that he didn’t believe this variant was created or spread by someone on campus.

"I don't think these are being made at Cornell at all," he said. He also explained that, unlike a virus, a worm such as BAGLE.Z does not need human input (such as clicking an icon or opening an e-mail) to spread. Instead, worms spread themselves and, as a result, spread very quickly.

Schuster offered advice for users who want to avoid infection. He advised that "everyone better make darn sure that all their accounts have passwords on them."

He also recommended that users password-protect any folders they share on the network, since a malicious user or even an automated program can drop a copy of the worm into an open share, from which it can then run automatically.

Additionally, keeping the operating system patched and anti-virus definitions up to date is, Schuster said, an easy and important step toward a safe system.

Schuster said that, if anything, Cornell computers were better protected than those at other universities.

“Essentially we have three layers of defense to help us to combat viruses,” he said, pointing out the anti-virus software Cornell provides to its students, the PureMessage system that automatically filters most viruses, and the ability of CIT to block certain types of files and e-mails before security vendors have a chance to create new definitions.

"Last week, with the new Netsky virus coming out, I made the decision to block all mail attachments that end with dot com command file," he said. "That helped because there was about a five-hour gap between the time that we first noticed it on campus and when Symantec and PureMessage were updated with new definitions."
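The stopgap Schuster describes, refusing mail attachments by file extension before a vendor signature exists, is simple enough to show in working code. The following Python is an added example written for this page; it is not CIT's or PureMessage's code. The .com extension is the one from the article; the other executable extensions in the blocklist, the sample messages and all function names are assumptions. It handles two tricks the plain "ends with .com" rule must survive: mixed case, and a double extension such as Photo.JPG.COM that a recipient reads as an image.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions to quarantine outright while anti-virus definitions catch up.
# ".com" is the one from the article; the rest are the other directly
# executable Windows extensions worms of that era used (an assumption).
BLOCKED_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}


def normalise(name: str) -> str:
    # Windows silently discards trailing dots and spaces from a filename,
    # so "notes.txt.com." is still a .com file once saved to disk.
    return name.rstrip(" .").lower()


def blocked_extension(name: str) -> bool:
    """True if the attachment filename resolves to a blocked executable type."""
    n = normalise(name)
    return any(n.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def attachment_names(msg: EmailMessage):
    """Yield the filename of every non-multipart part that carries one."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and decide whether to hold it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = [n for n in attachment_names(msg) if blocked_extension(n)]
    return {"subject": msg["subject"], "blocked": bool(flagged), "flagged": flagged}


def build_sample(subject: str, attachments) -> bytes:
    """Construct a test message (constructed sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "student@example.edu"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    for filename, payload in attachments:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # A worm-style mail: an innocent image plus a disguised .com executable.
    suspicious = build_sample("Re: photos", [("photo.jpg", b"\xff\xd8\xff"),
                                              ("Photo.JPG.COM", b"MZ\x90\x00")])
    # An ordinary mail with a document attached.
    ordinary = build_sample("Lab report", [("report.pdf", b"%PDF-1.4")])
    for raw in (suspicious, ordinary):
        print(scan_message(raw))
```

Blocking by extension is a gap filler, not a defence: a worm that ships inside a .zip (as later Bagle variants did) or renames itself to an allowed extension walks straight past it, which is why the article presents it as one of three layers rather than the only one.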

Users whose computers are infected are advised to either call the CIT HelpLine at 255-8990 or visit www.cit.cornell.edu/helpdesk/virus/.

Archived article by Michael Morisy
Sun Senior Writer