"Computer Worm Hits UB, Servers Across the Country"



UB was among the thousands of networks crippled by a new computer worm Tuesday, one that left the entire university with little or no access to the Internet.

The "W32.Nimda.A@mm" worm, described by virus protection software manufacturer McAfee as "high risk," is a self-propagating virus that spreads from infected Microsoft IIS Internet servers by exploiting 16 known vulnerabilities, similar to the "Code Red" worm that slowed Internet traffic twice during the summer.

The new worm, however, has proven to be much more damaging than Code Red, causing denial of service (DOS) attacks nationwide through an unmanageable excess of server traffic.

Beginning early Tuesday morning, network administrators at UB were faced with a mounting problem, according to Rick Lesniak, director of academic services for CIT.

"Earlier in the day, we had a problem with slowdowns up until about noon," said Lesniak, who as of Tuesday night was meeting with campus and CIT officials to work toward reinstating UB's Internet service. By about 2:30 p.m., CIT had posted information on its alert site stating that the worm was the cause of the slowness and outages, as a result of DOS attacks on its IIS servers, which Lesniak said were in "very widespread use" at UB.

"We use [IIS] just about everywhere, there's just hundreds of them," said Lesniak. "[The worm] basically choked the routers here on campus, and has promulgated itself and created more problems."

As more and more illegitimate traffic flooded into UB's Internet routers, users in the dormitories, apartments and academic spine were unable to access sites outside UB's own network.

"This is a multi-faceted, very nasty problem," said Lesniak. "Luckily, this happened on a day without classes."

Around 20 infected servers were shut down Tuesday; departmental and university servers not infected were accessible but slowed. The servers dedicated to UB's Wings system, the computer science servers and other Unix-based servers were not affected by the attacks.

Lesniak noted that the university's routers are already extremely busy on weekdays, partly as a result of increased multimedia traffic through both Web sites and newer file-trading services such as Kazaa. "When you add in a virus or worm like this, nothing was actually down, but everything was quickly becoming overfull."

Besides traveling directly via servers, the worm sends out e-mails from infected sites with an attachment named "README.EXE." Infected servers display only a page prompting visitors to download a file containing the worm.

At press time, McAfee.com had posted a fix for infected servers. Lesniak said CIT was awaiting remedies from its technology providers, and was unable to say whether services would be restored today.

CIT officials will meet today at 11 a.m. to assess the virus' spread throughout campus and the difficulty they will face in cleaning it up. They are asking that all servers on the university's network shut down until further notice.

The Associated Press reported Tuesday that the FBI's National Infrastructure Protection Center warned administrators Monday that a hacker group calling itself the "Dispatchers" had announced it would attack "communications and finance infrastructures" around Tuesday of this week. As of press time, the FBI had said the worm does not seem to be connected in any way to last Tuesday's terrorist attacks.