Duke Battles Computer Virus; Campus Web Site Bit by Worm
Duke avoided widespread trouble Aug. 1 from the threat of the Code Red computer "worm," but only after the worm shut down the online Duke map briefly two weeks earlier. Duke officials warn, however, of continuing threats that can damage computers and computer networks.
Basically, worms are malicious computer programs that can transmit themselves across networks to infect computers and propagate themselves. In contrast, viruses depend on the transfer of files among computers to spread.
According to Duke computer security experts, the infiltration of the worm, as well as attacks by new computer viruses, emphasizes the importance of vigilance in guarding against such infections.
Fortunately, said Chris Cramer, the Office of Information Technology's information technology security officer, the Code Red worm did not infect a great many Duke computers, infiltrating as many as 40 before being cleaned up.
"The Code Red worm infects computers running Microsoft's IIS Web server," said Cramer. "A vulnerability in the Web server allows the worm to deface the Web site and to infect other computers running vulnerable IIS Web servers.
"Microsoft was aware of the vulnerability and produced a fix for it a month before the worm hit," he said. Cramer recommends that anyone running a Microsoft IIS Web server subscribe to Microsoft's Security list and apply patches to their Web server as they become available. Details regarding the mailing list can be found at <http://www.microsoft.com/technet/security/bulletin/notify.asp>, said Cramer.
[Cramer said Thursday that Code Red infected at least 44 machines at Duke, but currently all have been cleaned up. "On Aug. 1 and 2, we had the most number of machines infected, since then we've been seeing 2-4 new infections each day.... People didn't note any internal slowdowns because we have relatively fast networking here and while worldwide more than 350,000 machines were infected, no more than about 60,000 were infected at any one time."]
One of the newest and most dangerous computer viruses is the "SirCam" virus, which has been rated as a serious threat by computer security experts. The SirCam virus arrives as an innocuous-looking e-mail message with an attachment. Typically, the messages ask for help with the attachment or indicate that the attachment was requested by the recipient.
Once the attachment is opened, the virus can fill up the users' hard drives, delete files, distribute private documents and hide from virus scanners. The SirCam virus is also a worm, in that it can send itself to the addresses in a Microsoft Outlook address book and copy itself to any shared drives it finds.
According to Cramer, SirCam attachments also disguise themselves as .zip files, taking advantage of the fact that Microsoft Outlook displays only the first extension of a file name that might have additional ones. For example, the .zip file might actually be an executable program with an undisplayed further .com or .exe extension.
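The double-extension disguise described above can be checked for at a mail gateway. The following Python sketch is an added example, not code from Duke or from any antivirus product: it parses a message and flags attachments whose displayed extension hides an executable one. The extension lists beyond .zip, .com and .exe, the function names and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for this example; the article itself names only .zip, .com and .exe.
EXECUTABLE_EXTS = {".com", ".exe", ".pif", ".bat", ".scr"}
DECOY_EXTS = {".zip", ".doc", ".xls", ".txt", ".jpg"}

def hidden_executable(filename):
    """Return (name_as_displayed, real_ext) when a decoy extension is followed
    by an executable one, otherwise None."""
    name = filename.strip()
    parts = name.split(".")
    if len(parts) < 3:                      # fewer than two extensions: nothing hidden
        return None
    shown_ext = "." + parts[-2].lower()     # what a truncating mail client shows
    real_ext = "." + parts[-1].lower()      # what the operating system will run
    if real_ext in EXECUTABLE_EXTS and shown_ext in DECOY_EXTS:
        return name[: -len(real_ext)], real_ext
    return None

def scan_message(raw_bytes):
    """Return (full_name, displayed_name, real_ext) for each disguised attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        hit = hidden_executable(fname) if fname else None
        if hit:
            findings.append((fname, hit[0], hit[1]))
    return findings

def build_sample():
    """Constructed test message; addresses, names and contents are made up."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.edu", "recipient@example.edu"
    m["Subject"] = "Quarterly notes"
    m.set_content("Constructed body text.")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="Quarterly notes.zip.exe")
    m.add_attachment(b"PK", maintype="application", subtype="zip",
                     filename="slides.v2.zip")
    return m.as_bytes()

if __name__ == "__main__":
    for full, shown, ext in scan_message(build_sample()):
        print(f"quarantine: shown as {shown!r}, real extension {ext} ({full!r})")
```

A gateway that quarantines on this check catches the disguise before the recipient ever sees the truncated name; an ordinary multi-dot name such as `slides.v2.zip` passes because its final extension is not executable.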
"These viruses have a tendency to explode in numbers, much like a human virus, until everyone is immunized by updated anti-virus programs," said Cramer. Thus, he advises Duke computer users to take full advantage of the free site-licensed McAfee antivirus program available at <http://www.oit.duke.edu/virus/>. Cramer also cautions Duke computer users to:
- keep up to date the .dat files, which contain the definitions of the latest viruses that the program uses in its scanning. The latest versions of McAfee perform such updates automatically.
- be very careful opening any attachments, including those sent unexpectedly by people known to the recipient.