One of the most serious PC viruses to appear anywhere in the world has been detected and eliminated at the University of Auckland.
The never-before-seen strain of the HDEuthanasia virus first made its presence known early on Tuesday, July 2. Six Intel-based PCs in the university's information technology systems services (ITSS) department ceased to function soon after logging on to the local server.
In all, one server and about 40 PCs were directly affected by the virus, though ITSS department registrar Phil Venville says a larger number of PCs will be out of action while the damage is repaired.
"There are probably 70 or 80 machines regularly hooked up to the affected server and there are others which may hook up to it from time to time. There are also a lot of people who use the server as a stepping stone to other servers," Venville says.
As soon as administration staff suspected the presence of a virus, they immediately shut down the computers and isolated the server from the rest of the university's distributed network.
The next step for the ITSS department was to summon a virus expert under the terms of a contract between the university and Symantec, which had been finalised only a week earlier.
When Symantec's Ross Brewer arrived at the university, he was initially unaware of the severity of the virus. It was only after he isolated the files containing the program on the server and sent the virus to Symantec's virus identification centre in Santa Monica that the alarm bells started to ring.
"When I arrived I installed Norton AntiVirus to a clean Windows 95 workstation and logged on to the server. At that point Autoprotect jumped up and indicated something was trying to write to the master boot record. I stopped that from happening and in fact, what that did was identify the file which was causing the activity.
"I sent the virus to our research centre in Santa Monica via email. There has been quite a lot of activity in New Zealand in the last few months, and I have submitted quite a few viruses, but none of them to date has received the response this one got," Brewer says.
"I received a phone call straightaway saying our organisation knew what its origins were. They said it was a strain of the Euthanasia-type virus and was very serious. In fact, this strain had never been seen anywhere else in the world. This was like a new virus, so they took it from there and started work on it.
"The fact that it is multipartite, stealth, polymorphic and encrypted with destructive payloads--some of them date-triggered--makes it the most serious virus I've ever seen in New Zealand," Brewer says. "Symantec's research centre has found other strains, though they all seem to be date-triggered."
Symantec worked non-stop on the virus, and by Thursday afternoon Brewer had received a detection and repair specifically written for the virus, which has been catalogued as Hare.7610.B.
"We had isolated the one server, and with the detection we set about scanning other servers. Fortunately, as a result of the quick action of the ITSS administrators, we found the virus was only on one server and was contained to one or two files on that server," Brewer says.
Phil Venville praised the quick thinking of the ITSS staff, and says that now the problem has been identified, the university will perform a "post mortem".
"Once we have got this thing bedded down we will do two things--one is a recap of the whole exercise so we can try to estimate the damage. We got to it early enough for the costs to be limited to the time and materials involved in rebuilding the PCs affected," Venville says. "Secondly, though we don't anticipate getting anything from it, we have to have a look and see how the virus arrived on campus."
Venville suspects the Internet is to blame for the introduction of the virus, but realises viruses are one of the many risks associated with being part of the World Wide Web. "We're thinking maybe it came in on the Internet--someone downloaded it or something; you just don't know.
"We have a pretty good set of virus detection procedures and a high level of awareness within the university. The difficulty with our site is the fact that we've got 5000 machines connected to our campus and there are about 150-plus servers of different sizes with a lot of the access points. We have a fairly good record, but the only way to prevent this situation from occurring is to disconnect everybody's PC from the Internet and ban floppy disks," Venville says.
While Brewer praised the level of virus awareness within the university, he indicated that if Hare.7610.B had appeared in another area of corporate New Zealand, the consequences could have been more serious. "The university has been seeing viruses a lot longer than the rest of New Zealand and these guys know what they are doing. The only reason this didn't turn into a catastrophe was because of the level of competence and the policies the university has in place," Brewer says.
"The main difference between the university and the rest of corporate New Zealand is most organisations don't have the policies and detection software in place. If this situation happened within corporate New Zealand, instead of 20 or 30 machines being infected, you would see an organisation with 400 PCs fall over as soon as it started up in the morning."