Computer boffins head off another virus

17 February 2004

Ganging up: (From left) Kgabo Sepuru, Andy Lewis, Michael Wood and Arlene Hanmer were among those who had to grapple with the recent MyDoom computer virus infection on campus.

After weeks of wreaking havoc with PCs and network servers around the world, MyDoom (known to the more punctilious as W32.Novarg or MyDoom@MM and dubbed the most virulent e-mail virus to date) appears to be grinding to a halt.

Often camouflaged as an advisory message from a technician with innocuous subjects (aren't they always?) such as "hello" and "hi", sometimes graciously informing users that their machines may be harbouring a virus, MyDoom is estimated to have infected anything from 400 000 to one million machines globally. In doing so, it surpassed the once-thought-lofty marks set by slippery worms such as Love Bug, SirCam and Sobig-F.

Once MyDoom had infected a machine - usually after the user had opened the message's attachment - it would send out scores of e-mails, quickly clogging up networks. Many companies had to shut down their e-mail systems to prevent further infections.

Things, fortunately, didn't get nearly that bad at UCT, thanks mostly to the sharp response from the crisis team at the Information & Communication Technology Services (ICTS), a cyber posse that is pulled together from various sections whenever major viruses make their way to UCT.

While UCT's anti-virus administrators were still hustling to replace F-Secure with the university's new anti-virus McAfee Active Virus Scan software, UCT postmaster Sue Joerning noticed that mail queues were starting to fill up rapidly on the morning of Tuesday, January 27. At one stage, about 9 000 messages, mostly triggered by MyDoom, were waiting to be sent from infected machines, reported Joerning.

Arlene Hanmer, HEAT administrator at ICTS, also received a message from McAfee alerting organisations about the virus and providing updated virus signatures, which identify new viruses. Both this software and that from F-Secure were then distributed via the various servers to head off any further infections.

Anti-virus software, such as McAfee's Stinger (a "stand-alone utility" tailored to detect and remove specific viruses), was also disseminated soon thereafter.

In addition, 200 or so infected machines were taken off the system (no mailing and no surfing) and "disinfected".

The end of January, although only two weeks ahead of the surge of new students, was probably a better time than most for a virus to hit the campus (as it occasionally will), ICTS personnel agree. "It could have been worse," said Joerning.

Although, adds Steffne Hughes, it wasn't all smooth sailing. The ICTS helpdesk, for one, was overrun with calls, and the crisis team was stretched as it tried to keep up with the spread of the virus.

"There wasn't even time for a smoke break," Hughes pointed out.

Creative Commons License This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.