by Geoff Selig and Sheila Ettinger, IITS
Concordia University was recently attacked by a major computer virus.
Unlike last summer, when users were warned ahead of time that the Love
Bug virus was poised to attack computers around the world, the recent
virus arrived unannounced.
What has been named the Playboy virus (because of its initial
manifestation at Concordia University as an attachment to an e-mail message
having the name New_playboy_screen_saver) is really called
W95.MTX. The virus actually makes use of three different techniques to
infect a computer and then to propagate itself onto other computers over
the Internet.
W95.MTX arrives as an e-mail attachment to a message coming from someone
you know, but having no subject line and no other text. The attachment
may have any of some 30 different names, including Win_$100_now.doc,
Sorry_about_yesterday.doc, and Zipped_files.
This playboy is no fun
The unsuspecting recipient double-clicks on the attachment, sees no apparent
effect, deletes the e-mail and attachment and moves on to other things.
Behind the scenes, however, the double-clicked attachment has had an immense
effect. As a virus, it has infected a variety of files in the computer.
As a backdoor, it has installed a program that gives it access
to the Internet through which it can download additional infecting files.
And as a worm, it has replaced the wsock32.dll file,
a file essential for Internet access, with an impostor.
This impostor has two effects. First, it recognizes each time that an
e-mail message is sent from the infected computer and sends a second e-mail,
addressed to the same recipient, containing the infecting attachment.
Second, as a side effect, it interferes with Internet access to most Internet
sites offering information regarding virus detection and repair.
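The second e-mail described above leaves a recognisable pattern in a mail store: an ordinary message followed shortly by one from the same sender to the same recipient with no subject, no text and an attachment. The Python below is an added example, not part of the original article or of any IITS tool; the 60-second window, the addresses, the dates and the file name sample.bin are assumptions constructed for illustration.

```python
from datetime import timedelta
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses, parsedate_to_datetime

def summarize(raw):
    """Reduce one raw RFC 822 message to the fields the heuristic needs."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    return {
        "sender": getaddresses([str(msg.get("From", ""))])[0][1].lower(),
        "rcpts": {a.lower() for _, a in getaddresses([str(h) for h in msg.get_all("To", [])])},
        "when": parsedate_to_datetime(str(msg["Date"])),
        "subject": str(msg.get("Subject", "")).strip(),
        "text": body.get_content().strip() if body is not None else "",
        "files": [p.get_filename() for p in msg.iter_attachments()],
    }

def flag_second_emails(raw_messages, window=timedelta(seconds=60)):  # window is an assumption
    """Flag bare attachment-only mail sent right after ordinary mail to the same recipient."""
    last_normal, flagged = {}, []  # last_normal: (sender, recipient) -> time of latest ordinary mail
    for s in sorted(map(summarize, raw_messages), key=lambda s: s["when"]):
        bare = not s["subject"] and not s["text"] and bool(s["files"])
        for rcpt in sorted(s["rcpts"]):
            prev = last_normal.get((s["sender"], rcpt))
            if bare and prev is not None and s["when"] - prev <= window:
                flagged.append((s["sender"], rcpt, s["files"][0]))
            elif not bare:
                last_normal[(s["sender"], rcpt)] = s["when"]
    return flagged

def sample(sender, rcpt, date, subject=None, text="", attach=False):
    """Build one constructed message; addresses, dates and file name are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Date"] = sender, rcpt, date
    if subject:  # ordinary mail carries a subject and body text
        m["Subject"] = subject
        m.set_content(text)
    if attach:
        m.add_attachment(b"\x00", maintype="application", subtype="octet-stream", filename="sample.bin")
    return m.as_string()

D = "Mon, 02 Oct 2000 10:%s -0400"  # constructed timestamps
MAILBOX = [
    sample("alice@example.test", "bob@example.test", D % "15:00", "Budget meeting", "See you at 3pm."),
    sample("alice@example.test", "bob@example.test", D % "15:20", attach=True),      # bare follow-up
    sample("alice@example.test", "carol@example.test", D % "20:00", "Report", "Attached.", attach=True),
    sample("dave@example.test", "bob@example.test", D % "25:00", attach=True),       # bare, no prior mail
]
```

Calling `flag_second_emails(MAILBOX)` returns only the second message; the bare message from dave is not paired with an earlier one, so this heuristic leaves it to other checks.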
Although the MTX virus does no irreparable damage to the computers it
infects, the loss of productivity caused by the infection and its repair
is significant. We estimate that Concordia staff lost many hundreds of
hours of productivity due to the virus infection.
This virus attack spread quickly and affected many areas of the university.
The question is, why and how?
It spread due to a lack of anti-virus software on either the infected
or recipient computers;
It spread due to anti-virus software that had not been properly
configured or had out-of-date virus definitions;
It spread due to anti-virus software that had been turned off!
How can further attacks of this type be prevented? We strongly recommend
that every computer user:
Buy an anti-virus software package.
Update/renew anti-virus definitions regularly (at least once a
month) and religiously.
Make sure that your software is configured to check all files including
e-mail attachments and file downloads.
Always leave your anti-virus protection in place, even if it takes
a little longer to boot your computer.
In summary, virus attacks are relatively common and can be extremely disruptive.
Even as we write this article, another virus (the Love Bug) has been reported
at Concordia University.
IITS's Geoff Selig (Desktop Support) and Sheila Ettinger (moderator
of the safe-computing mailing list) identified the attachment as a virus
within an hour of its distribution. Within hours, it had been identified
and the tools for dealing with infected computers were developed.
More information about viruses may be found at the IITS Helpline site
at http://iits.concordia.ca/help.
The Helpline may be reached at 848-7613 should you wish additional information
or need assistance.