NACHI worm cripples campus

Posted Thursday, October 9, 2003 - 12:00am

The campus computer network connection to the Internet screeched to a halt before Monday morning classes Sept. 29 when the NACHI worm infected the network, overloading its firewall. In addition to forcing the cancellation of all computer classes, the worm caused the majority of the lab computers to reboot continually, so the campus was asked to turn off all computers.

"I knew something was wrong before I left for work because I usually log onto CEU's network every morning before I leave home," said Eric Mantz, chief information officer. "By 8 a.m. I asked that the campus shut down all microcomputers. By shutting down all the microcomputers, we could start powering up systems in a controlled manner and see when the problem would start again. This is a standard troubleshooting technique to find the source of the problem. Once we figured out it was the NACHI worm and how to block the excessive network traffic, we set up a firewall with a policy," Mantz explained. It took him and his staff about one and a half hours to find the problem and add the policy to the firewall.

Mantz identified the NACHI worm from a report generated by one of the virus scanner programs on an administrator's computer. He and a member of his staff researched the worm on the web and found that by pushing the campus server clocks past the NACHI worm's demise on Jan. 1, 2004, they could stop the continual rebooting of the lab computers. He and his staff then had to clean the computer labs, which had the highest concentration of the worm. It took until 3 p.m. that day to get the lab computers functioning. Some faculty and staff computers are still experiencing problems from the worm, and his staff is working to fix them.

Various anti-virus companies report that the worm only affects Windows-based machines. According to one web site, this particular worm spreads by exploiting a hole in Microsoft Windows. It instructs a remote target system to download and execute the worm from the infected host.

"The worm generated large volumes of network traffic. Some systems also ended up in a crash loop where the systems were restarted over and over, which happened in CEU's computer labs," Mantz said.

The only defense against the worm, the website suggests, is patching Windows 2000 or XP systems with a program that Microsoft provides. "Our firewall stopped the worm for several weeks; however, firewalls are generally only effective against direct attacks," he added.

No Macintosh labs were infected, and they continued to operate throughout the day.

"The NACHI worm infected the Carbon or Emery County School District computers last week and has been reported on other college and university campuses recently," he said.

After this most recent case of a worm getting through CEU's network firewalls, he hopes to draft a procedure for faculty, staff and students to follow when something like the NACHI worm infects the campus network system. He also has a list of office software that IT supports and a blacklist of software his department will not support. In addition, he has antivirus software plus updates available on discs for both PCs and Macintosh computers for faculty, staff and students to check out.

"Security is becoming an increasingly big issue with maintaining networks," he said. "The Internet is not a friendly place and people are always developing creative worms and viruses to infect computers.  

"Since September 29, when CEU was infected by the NACHI worm, eight new worms or viruses have been created to infect computers," Mantz said.

Anyone who suspects that his or her campus computer has been infected with a worm or virus should contact CEU's help desk.
