Preventing E-mail viruses

By Вen Li

Thousands of students returning to school would stress any campus infrastructure, including computer networks. This year however, students return at a time when operators of the campus network, and the Internet in general, are busy coping with several e-mail viruses and other electronic contagions.

In August, when the campus was mostly unpopulated, the University of Calgary e-mail system handled 1,069,254 pieces of infected e-mail, most stemming from the Sobig virus. The U  of  C campus and many others across North America have dealt with the viral spread in various ways.

In late August, the U  of  C blocked Internet access to port 445, a common point of entry for recent viruses targeting improperly-maintained Windows PCs (since that port is normally open for use with file sharing and other applications). On Mon., Sept. 8, several networks on the U of C campus were disconnected for half a day to investigate and halt activity caused by a new variant of the Gaobot worm (W32/Gaobot.worm.ab) which appears to have originated at the U of C over the weekend.

"The university networks were down this morning for some time because of tremendous amounts of traffic using spoofed source IP addresses from likely-compromised machines on many different local networks," wrote the U  of  C’s Network Services’ David Jager.

Viral network traffic was eventually blocked, but not before the damage was done. Students and faculty needlessly lost Internet access and many hours of effort were needed to contain the virus, which resurfaced briefly on the morning of Tue., Sept. 9. U of C network operators have also blocked a number of commonly-vulnerable ports to minimize further infections.

Unfortunately, the U of C is not alone in dealing with viral e-mail. The University of Connecticut at one point shut down Internet access to their residence buildings due to infections in four per cent of the 9,100 computers brought in by students. Despite mandatory checks of student-owned computers before being allowed on its network, the virus spread across unpatched computers and e-mail. University officials had distributed anti-virus software to every dorm room to prevent such an occurrence but had to manually disconnect infected computers and restrict certain kinds of Internet access used by the virus to fix the problem.

North Carolina State University temporarily disabled their e-mail servers due to e-mail borne virus infections in late August on computers in their network. The massive amounts of traffic generated by the virus in its attempts to infect others had also degraded the network.

According to the Washington Post, more than a dozen major universities have had similar problems with infected student computers around the first week of school.

Besides slowing down network and broadband Internet connections, the recent round of e-mail viruses also harmed non-infected users. In addition to potentially becoming infected (perhaps by one of the over 60,000 copies of infected e-mail attempting to breach the U  of  C this Monday), uninfected users’ e-mail address could be harvested from address books and other documents on an infected computer. Viruses such as Sobig use these familiar FROM: addresses when spreading themselves to others to deceive recipients into opening infected attachments.

Fortunately, most e-mail servers are set up to detect and clean or delete infected e-mail, but some generate replies to the supposed senders, complaining about the infected e-mail, further congesting busy networks and confusing innocent users.

To spread, e-mail viruses depend on the large number of unpatched computers and users who launch unexpected (infected) attachments out of curiosity or ignorance.

In the case of Sobig, infected mail can be identified by subject lines such as "Re: Details," "Re: approved," "Re: Re: My details," etc. with body text encouraging the recipient to launch the attachment, which will commence infection on the local machine. Sobig will attempt to download specific malicious programs from the Internet for further nefarious purposes, while other e-mail viruses take advantage of software bugs on other computers on the infected user’s network to infect those computers too.

Fortunately, the most recent variant of Sobig is set to deactivate itself on Wed., Sept. 10, and patches to prevent its spread have existed since August. However, computer users should not rely on the good graces of virus writers to keep them safe.

Most users know to install anti-virus software, and will know to use it to disinfect files after infection. But having antivirus software installed is just the first step in preventing and fixing infections.

To keep up with the arms race between virus authors and anti-virus software publishers, antivirus software must be maintained with updated virus definitions used to detect new viruses. In addition, other software, like the Windows operating system, must also be kept up-to-date to prevent viruses from propagating via software bugs. Applying the patch issued by Microsoft in January 2003 for a port 445 bug in Windows would have mitigated the spread of several e-mail viruses this year by keeping patched computers from being infected or spreading the virus.

A more extreme solution is to use software less prone to be the target of infection, such as Mozilla, for e-mail and web browsing, instead of the default Microsoft software which has often been vulnerable.

In any case, maintaining an up-to-date virus-free computing environment helps not only yourself, but everyone else on the network too.

To download free antivirus software and updates, visit