Worm crashes WebMail server


By Walt Staton
Arizona Daily Wildcat
Thursday, January 29, 2004

E-mails delayed after infected mail clogs server

Seventy computers on the university network have been infected by a vicious computer program that crashed the university's e-mail server by flooding it with more than 100,000 e-mails.

Monday evening, staff members at the Center for Computing and Information Technology were working to block a barrage of infected e-mails sent by the Mydoom worm.

The worm, a virus-like computer program, has spread around the world over the past few days, crashing servers and flooding people's inboxes.

Because of CCIT's catch, most users of university e-mail accounts were not even aware of the new worm or its rapid spread around the Internet.

Joellen Windsor, a systems programmer at CCIT, said the staff started blocking all incoming e-mails with the worm at 5:40 p.m. Monday. From that time until midnight, 20,900 e-mails were blocked.

The e-mail system blocked another 82,000 e-mails Tuesday, which is when the server went down.

According to Windsor, the server's disks filled up with e-mails as CCIT tried to check for the virus, causing the server to finally crash at 4:30 a.m. Tuesday.

About 70,000 e-mails were already backed up when staff discovered the downed server at 8:30 a.m. It took until 1 p.m. to get all the backlogged messages sent, Windsor said.

On a normal day, fewer than 1,000 e-mails are blocked. The Bagle worm, the most recent large-scale virus, caused only about 2,000 e-mails to be blocked on Jan. 19 and 20.

Windsor has only received a couple hundred inquiries regarding Mydoom. Most have been from students who received an automatic response from abuse@email.arizona.edu stating they had sent an e-mail with a virus. Since Mydoom sends e-mails using bogus addresses, CCIT stopped the automated responses.

Ted Frohling, a network analyst for CCIT, said the center found only 70 computers infected with the Mydoom worm on the university network.

"It's a pretty small problem considering the number of computers we have," Frohling said.

The university's e-mail servers use information from a virus-checking company to catch new viruses, Windsor said.

"Automatically, once an hour, the latest virus definitions are downloaded," Windsor said.

According to Windsor, it takes about six hours for the company to catch new viruses and have the information available for e-mail systems like the UA's.

Because of the measures CCIT employs to filter out viruses, students rarely receive infected e-mails on their university accounts.

"I think I received (an infected e-mail), but I deleted it because I didn't know who it was from," said Rachel Whiteley, a pre-nursing sophomore. But she added that the e-mail came to her personal address, not her UA account.

Amanda Karnath, a psychology sophomore, said her instructor got the worm. "It sent her PowerPoint presentations to herself," Karnath said, adding her instructor has warned all her students about it.

If your computer does become infected with Mydoom, or other viruses or worms, CCIT offers the program Sophos AntiVirus for free to UA students, faculty and staff. The program can be accessed at its site-license Web site at sitelicense.arizona.edu/sophos.

More information on the Mydoom worm can be found on Sophos' Web site, sophos.com/virusinfo/analyses/w32mydooma.html.