Love's labors are lost here, thanks to CIT analyst's work

By Bill Steele

"How much LOVE was out there? Lots."

That's how Jim Howell, who administers Cornell's e-mail servers for Cornell Information Technologies (CIT), responds to questions about the impact of the "I Love You" virus on campus. But thanks to quick action by Howell, most people who get their e-mail through Cornell's central e-mail servers never received the virus. (Some departments, however, run independent e-mail systems.)

Howell quickly set up filters to block messages with the known subject lines, and he said at least 7,000 copies had been removed from the central e-mail ("postoffice") servers as of May 5. Highly sensitive filters are automatically deleting new copies.

"We do not know who downloaded it, so we can't say how many client machines were infected," Howell said in an e-mail message to network administrators. "This was much worse than Melissa in volume alone."

As of Monday, copycats had generated at least 13 different versions of the new virus, and Howell was working hard to keep up.

The virus -- technically a "worm," because it copies and retransmits itself -- consists of an e-mail message with an attached application written in VBScript, a scripting language used on Microsoft Windows computers. The attachment is a file with a ".vbs" suffix. The message contains some excuse to encourage the recipient to open the attachment. The original claimed to be a love letter. Later versions masqueraded as jokes, a bill for a Mother's Day gift, a ticket confirmation from Arab Airlines, a complaint about hate mail and even virus warnings. Users should be suspicious of any message with an attachment and use everyday virus protection practice, said Kevin Unrue, the university's electronic security coordinator.
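As an added illustration (not CIT's actual filter configuration), the sketch below contrasts a rule keyed on known subject lines with one keyed on the ".vbs" attachment suffix, to show why copycat versions with new subject lines slip past the first. The subject lines, addresses and file names are constructed samples.

```python
from email import message_from_string
from email.message import Message

# Constructed stand-in for the "known subject lines" an initial filter holds;
# not taken from Cornell's filters.
KNOWN_SUBJECTS = {"iloveyou"}
BLOCKED_SUFFIXES = (".vbs",)  # the attachment suffix the article names


def subject_rule(msg: Message) -> bool:
    """Block on an exact match against the known subject lines."""
    return (msg.get("Subject") or "").strip().lower() in KNOWN_SUBJECTS


def attachment_rule(msg: Message) -> bool:
    """Block when any MIME part has a filename ending in a blocked suffix."""
    for part in msg.walk():
        name = part.get_filename()
        # Only the final suffix is compared, so "letter.txt.vbs" still matches.
        if name and name.strip().lower().endswith(BLOCKED_SUFFIXES):
            return True
    return False


def make_sample(subject: str, filename: str) -> Message:
    """Build a constructed two-part message with a placeholder attachment."""
    raw = (
        "From: colleague@example.edu\nTo: user@example.edu\n"
        f"Subject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nPlease see the attached file.\n"
        "--b1\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        "placeholder\n--b1--\n"
    )
    return message_from_string(raw)


# Constructed samples: the original, two re-titled copies, one benign message.
SAMPLES = [
    make_sample("ILOVEYOU", "letter.txt.vbs"),
    make_sample("Joke", "funny.vbs"),
    make_sample("Mother's Day order confirmation", "invoice.VBS"),
    make_sample("Meeting notes", "notes.txt"),
]


def evaluate() -> list:
    """Return (subject_rule, attachment_rule) verdicts for each sample."""
    return [(subject_rule(m), attachment_rule(m)) for m in SAMPLES]
```

The subject rule catches only the first sample, while the suffix rule catches all three scripted attachments and leaves the benign message alone.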

Once the attachment is opened, the worm infects several types of files on the computer, including image and multimedia files, and uses Microsoft Outlook, software often bundled with Internet Explorer, to e-mail itself to everyone in the recipient's Outlook address book. The result is that the message arrives appearing to have come from a known and trusted source. Because much of the campus uses the Eudora e-mail program, the virus has not spread as widely here as at some other institutions.

The virus affects only computers running the Windows operating system, although Macintosh computers running a Windows emulation program are vulnerable. Mac experts say it would be very easy to write a similar Mac virus.

If your computer has already been infected, see http://www.cit.cornell.edu/helpdesk/virus/ILOVEYOU.html for details on how to remove the virus.

CIT recommends that all computer users install Norton AntiVirus, keep its virus definitions up-to-date and have it scan every attachment or file they receive -- even from friends, employers and other trusted sources.

Current Cornell faculty, staff and students can use Norton AntiVirus for free. To download it, visit www.cit.cornell.edu/software/downloads/antivirus/ .

Finally, if you use e-mail software that automatically opens attachments, like Microsoft Outlook or Lotus Notes, disable that feature.

Unrue said some versions of the virus include a password "sniffer" designed to collect passwords from the user's e-mail program. The sniffer was poorly written and didn't work well. "But that's this time," he said.

"The fact that people are actively trying to get passwords is an indication that we should be paying attention to our password security," Unrue said.

Unrue also urged anyone operating a private mail server on campus to work with CIT on security.

May 11, 2000
