October 26, 2000 Virus hit computers around campus



by Geoff Selig and Sheila Ettinger, IITS

Concordia University was recently attacked by a major computer virus. Unlike last summer, when users were warned ahead of time that the Love Bug virus was poised to attack computers around the world, the recent virus arrived unannounced.

What has been named the “Playboy” virus (because of its initial manifestation at Concordia University as an attachment to an e-mail message having the name “New_playboy_screen_saver”) is really called W95.MTX. The virus actually makes use of three different techniques to infect a computer and then to propagate itself onto other computers over the Internet.

W95.MTX arrives as an e-mail attachment to a message coming from someone you know, but having no subject line and no other text. The attachment may have any of some 30 different names, including “Win_$100_now.doc,” “Sorry_about_yesterday.doc,” and “Zipped_files.”

This playboy is no fun

The unsuspecting recipient double-clicks on the attachment, sees no apparent effect, deletes the e-mail and attachment and moves on to other things.

Behind the scenes, however, the double-clicked attachment has had an immense effect. As a virus, it has infected a variety of files in the computer. As a “backdoor,” it has installed a program that gives it access to the Internet through which it can download additional infecting files. And as a “worm,” it has replaced the “wsock.dl” file, a file essential for Internet access, with an impostor.

This impostor has two effects. First, it recognizes each time that an e-mail message is sent from the infected computer and sends a second e-mail, addressed to the same recipient, containing the infecting attachment. Second, as a side effect, it interferes with Internet access to most Internet sites offering information regarding virus detection and repair.
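The delivery pattern described above, a normal message followed by a second one to the same recipient that carries an attachment but no subject line and no text, can be looked for in a mail archive. The Python below is an added example, not part of the original article or any IITS tool; the 120-second window, the addresses, the file names and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

def is_bare_attachment(msg):
    """Attachment present, but no subject line and no body text."""
    has_file = has_text = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            has_file = True
        elif part.get_content_maintype() == "text":
            has_text = has_text or bool((part.get_payload(decode=True) or b"").strip())
    return has_file and not (msg.get("Subject") or "").strip() and not has_text

def find_shadow_mails(raw_messages, window_seconds=120):
    """Message-IDs of bare-attachment mails sent shortly after a normal
    mail from the same sender to the same recipient."""
    msgs = sorted((message_from_string(r) for r in raw_messages),
                  key=lambda m: parsedate_to_datetime(m["Date"]))
    last_normal, flagged = {}, []
    for m in msgs:
        key, when = (m["From"], m["To"]), parsedate_to_datetime(m["Date"])
        if not is_bare_attachment(m):
            last_normal[key] = when
        elif key in last_normal and (when - last_normal[key]).total_seconds() <= window_seconds:
            flagged.append(m["Message-ID"])
    return flagged

def sample(msg_id, time, to, subject=None, body=None, attachment=None):
    """Build one constructed test message (all values are made up)."""
    m = EmailMessage()
    m["Message-ID"], m["From"], m["To"] = msg_id, "staff@example.edu", to
    m["Date"] = f"Thu, 26 Oct 2000 {time} -0400"
    if subject:
        m["Subject"] = subject
    if body:
        m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

SAMPLE_MAIL = [  # constructed messages, not captured traffic
    sample("<1@example.edu>", "10:00:00", "a@example.edu", "Minutes", "See notes below."),
    sample("<2@example.edu>", "10:00:20", "a@example.edu", attachment="sample.doc"),
    sample("<3@example.edu>", "10:05:00", "b@example.edu", "Report", "Attached.", "report.doc"),
    sample("<4@example.edu>", "11:30:00", "a@example.edu", attachment="sample.doc"),
]
```

A bare-attachment message with no preceding normal message in the window (the fourth sample) is not flagged by `find_shadow_mails`, but `is_bare_attachment` still marks it for separate review.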

Although the MTX virus does no irreparable damage to the computers it infects, the loss of productivity caused by the infection and its repair is significant. We estimate that Concordia staff lost many hundreds of hours of productivity due to the virus infection.

This virus attack spread quickly and affected many areas of the university. The question is, why and how?

• It spread due to a lack of anti-virus software on either the infected or recipient computers;

• It spread due to anti-virus software that had not been properly configured or had out-of-date virus definitions;

• It spread due to anti-virus software that had been turned off!

How can further attacks of this type be prevented? We strongly recommend that every computer user:

• Buy an anti-virus software package.

• Update/renew anti-virus definitions regularly (at least once a month) and religiously.

• Make sure that your software is configured to check all files including e-mail attachments and file downloads.

• Always leave your anti-virus protection in place, even if it takes a little longer to boot your computer.

In summary, virus attacks are relatively common and can be extremely disruptive. Even as we write this article, another virus (the Love Bug) has been reported at Concordia University.

IITS’s Geoff Selig (Desktop Support) and Sheila Ettinger (moderator of the safe-computing mailing list) identified the attachment as a virus within an hour of its distribution. Within hours, it had been identified and the tools for dealing with infected computers were developed.

More information about viruses may be found at the IITS Helpline site at http://iits.concordia.ca/help. The Helpline may be reached at 848-7613 should you wish additional information or need assistance.