NIH Conquers 'Love Bug' Computer Worm
By Cheryl Seaman and Kevin Haney
What a preposterous idea! Imagine a movie plot where some amateur computer programmers in the Philippines create a computer virus to steal Internet access passwords and end up disabling a good portion of the world's electronic mail traffic. Think about what could happen if a malicious little program called "ILOVEYOU" made its way into the email inboxes of over 45 million computer users worldwide. It just doesn't seem possible but it happened and NIH learned some valuable lessons as a consequence.
On that infamous morning of Thursday, May 4, many NIH staff arrived at work, opened their email, and were greeted by numerous ILOVEYOU messages. Although opening the message was harmless, those who double-clicked on the accompanying attachment set in motion an insidious chain of events. The attachment was actually a "worm" (i.e., a malicious, self-contained program that replicates across the network) and had two prime directives. As the worm infected Windows platforms running Micro-soft Outlook email software, it sought out the individual's address book (generally the NIH global list) and began sending itself out to the entire list. In addition, the worm began overwriting certain file types, in particular graphic JPEG files, with a copy of itself. Macintosh and UNIX computer systems were generally unaffected, but the machines could act as message carriers. While updates to detect and eradicate the worm were posted on the Center for Information Technology's antivirus website at antivirus.nih.gov by late morning of May 4, the sheer number of messages produced by the initial infections overloaded email servers and made it necessary to take most of the NIH email servers off-line for a day to be purged.
Because of the widespread confusion and uncertainty surrounding the worm, and to facilitate communication throughout the NIH community, CIT established a conference phone line for IC information system security officers, IT support staff, and mail server administrators. The conference call started at 10 a.m. on Thursday and continued throughout much of the weekend. NIDA's Michel Debois found "Radio Free CIT" an invaluable and timely forum for asking questions and sharing the latest information on the worm. "I very much appreciated having CIT's Chris Ohlandt, Don Preuss, Al Graeff, Dave Hunter and a host of others online to ask and answer questions. It was very effective because of the participation of those involved."
"Collaboration was the key to defeating the 'Love Bug,'" according to NIAID's chief information officer Dr. Laurence Wolfe. NIAID saw its first instance of the worm at 7:08 a.m. NIAID's first response was to contain and control the worm to help keep it from spreading. All users were notified of the attack by personal contact, intranet, and email, and each received hard-copy guidance about protective steps to take at work and at home. Coordinating its response to the attack with CIT and other institutes, NIAID kept network services up and turned email off for less than 3 hours while removing the worm. "CIT's quick reaction to set up an ongoing conference call for the institutes to share solutions really helped us," commented Wolfe. He also said that damage was minimized at NIAID due to the excellent cooperation of the entire NIH user community. As an example, CIT made available to all NIH on its antivirus web site a software script "fix" developed by NIAID's Robert Cox.
Before it was over, the ILOVEYOU worm and its many copycat variations would attack 40 of the 47 NIH email servers, infect some 200 computers, and replicate over 2,000,000 copies of itself to NIH staff. The less than 1 percent infection rate was largely due to the dedicated, round-the-clock collaboration between CIT and other NIH IC staff who worked as a team to eradicate the worm. And that, according to NIH Chief Information Officer Al Graeff, is perhaps the most valuable lesson to be learned from this experience. He noted, "An electronic virus such as this propagates very rapidly, especially at the NIH where normal operations promote quick and efficient transport of email. When there is an NIH-wide problem as all-invasive as this, only NIH-wide cooperation and information sharing can solve it."
Up to Top