Computer worm spreads, prevention tips offered
Published: Wednesday, April 8, 2009
Updated: Saturday, September 19, 2009 13:09
Marshall Computing Services is providing tips to prevent Windows computers from being affected by the Conficker worm.
The Marshall Computing Services department is taking no chances with the April 1 worm that has already affected many computer users around the world. The Conficker worm was first introduced in October and has affected an estimated 12 million computers since then, the New York Times reported. The worm allows the creator to install software on any computer that is affected by the worm.
Marshall Computing Services said users can take two steps to make sure campus computers are protected from this worm. First, visit the Microsoft Update Web site at http://update.microsoft.com and confirm that all security updates are current. Users who receive updates automatically from Microsoft are protected already.
Users should then open the antivirus program on their computers (most campus computer images should have Symantec Antivirus or Symantec Endpoint Protection pre-installed). UCS said to check the date of the virus definitions and make sure it's no more than a few days old. The AV definitions should automatically update.
If they are not, UCS said that could be a sign of a potential problem for the computer and should be reported immediately to the department IT staff or the UCS Help Desk. These steps can also be used to make sure any home computer is protected from the worm.
Computers that are afflicted with the worm have various symptoms based on the type of infection that occurred. Conficker tries to prevent antivirus software from being updated on the computer and will not allow the user to access the antivirus vendor's Web site to download tools that can fix the problem.
"Generally the strategy for combating these types of worms is to identify where the worm code is checking back for its command and control server and then block access to this server," said Jon Cutler, chief information security officer at Marshall Computing Services. "Network engineers can monitor their network traffic heading for the Internet and identify internal computers trying to reach the control server and it's a safe bet that these computers will be infected."
Cutler said that a worm, unlike a virus, can spread without human interaction, whereas a virus needs users to click something or open an e-mail. This difference makes it harder to find who started the worm and what it is programmed to do.
"Depending on how the programmer wrote the worm, remember these are software programs written by people. They may have simple instructions that say 'continue to attempt to spread indefinitely,' or 'attempt to infect 256 computers and then quit' or 'stay running on this computer and check back with a certain Web site every day for further instructions,'" Cutler said. "It's this last aspect, checking back with a central control server, that is where the April 1 day comes into play. Security researchers dissecting the code of the Conficker worm found where it was supposed to check back in with a new list of control servers on this date.
"The researchers had no way of knowing what instructions were waiting for the worm, only that it was going to start doing something different on this date," Cutler said.
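The monitoring approach Cutler describes, shown as an added example that is not part of the original article or any Marshall tooling: a Python script that scans DNS query log lines and lists internal computers trying to resolve blocked control-server names. The log format, the 10.0.0.0/8 internal range and the `.example` domain names are constructed assumptions.

```python
import ipaddress

# Constructed sample data: placeholder control-server names and DNS query
# log lines in an assumed "timestamp client_ip query_name" format.
BLOCKED_DOMAINS = {"c2-alpha.example", "c2-beta.example"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SAMPLE_LOG = """\
2009-04-01T08:00:01 10.1.2.15 www.campus.example
2009-04-01T08:00:04 10.1.2.77 c2-alpha.example
2009-04-01T08:00:09 10.1.2.77 update.C2-Beta.example.
2009-04-01T08:00:12 192.0.2.9 c2-alpha.example
malformed line without the expected fields
2009-04-01T08:00:20 not-an-ip c2-alpha.example
2009-04-01T08:01:30 10.3.0.4 notc2-alpha.example
2009-04-01T08:02:00 10.3.0.8 c2-beta.example
"""

def matches_blocklist(name, blocked):
    """Return the blocked domain that name equals or is a subdomain of."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # match on whole labels only
        if candidate in blocked:
            return candidate
    return None

def find_suspect_hosts(log_text, blocked=BLOCKED_DOMAINS, net=INTERNAL_NET):
    """Map each internal client IP to the blocked domains it tried to resolve."""
    suspects = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _, client, qname = fields
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # client field is not an IP address
        if addr not in net:
            continue  # only internal computers are of interest here
        hit = matches_blocklist(qname, blocked)
        if hit:
            suspects.setdefault(client, set()).add(hit)
    return suspects

if __name__ == "__main__":
    for host, domains in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(host, "queried", ", ".join(sorted(domains)))
```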
For any further questions or concerns, please contact the Help Desk at 304-696-3200.
Solomon Fizer can be contacted at email@example.com.