By John Byczkowski
The Cincinnati Enquirer
Computer security experts are imploring users to be more careful with their e-mail, as a new round of e-mail viruses spread quickly and clogged computer networks this week.
TO GET HELP
Read CERT's advisory on guarding against e-mail-borne viruses at CERT.org.
If you think your computer is infected with the Novarg/MyDoom virus, download a free removal tool at Symantec.com.
The sneaky mass-mailing MyDoom virus can disguise itself as a harmless-looking text file and tries to fly under the radar by not sending itself to addresses that are in the military, government and anti-virus software companies.
It hit Monday afternoon and by Tuesday was responsible for about 15 percent of all e-mail traffic worldwide. So far, MyDoom isn't thought to cause any damage to computers, but the traffic it generated clogged networks and slowed the Internet.
UC infected
That was evident at the University of Cincinnati, where e-mail volume shot up and many were infected. So far in January, UC students have received 570,000 e-mails daily, of which 4,720 are infected, less than 1 percent. But by 2:30 p.m. Tuesday, students had already received 650,875 e-mails, of which 56,882 - or close to 9 percent - were infected with MyDoom.
More than 5,000 e-mails with infections were stopped Monday and Tuesday by the computer system used by the 6,000 employees of Hamilton County government, administrator David Krings said.
This week's outbreak follows a similar attack last week of a virus called W32/Beagle or W32/Bagle. The CERT Coordination Center in Pittsburgh - a clearinghouse for Internet security - issued an unusual general advisory Tuesday, warning computer users to be more vigilant against e-mail viruses.
"The vulnerability (MyDoom) is exploiting is really a social engineering vulnerability. It's people opening up attachments," said Brian Dunphy, director of global analysis operations at Symantec Corp., an anti-virus software company in Santa Monica, Calif.
Neither Beagle nor MyDoom would have caused problems if users hadn't opened the infected e-mails, then opened the attachments.
"Our concern with these two is that they require user intervention, and they continue to spread," Brian King, an Internet security analyst at CERT, said.
Slowed by weather
In Cincinnati, the impact of the virus was muted by - of all things - the weather. Ice and snow closed UC Monday, so there were fewer people on campus to open e-mail and spread the virus. Fred Siff, UC's chief information officer, said the virus-blocking software was installed by early evening Monday and by Tuesday was blocking 2,800 infected e-mail attachments every hour in students' e-mail.
The MyDoom virus - known as W32/Novarg.A, W32/Shimg, or W32/Mydoom - arrives via e-mail, with an attachment. The subject line might say "Hi" or "Hello," and the attachment will have file extensions such as .bat, .cmd, .exe, .pif, .scr, or .zip. The file's icon can look like that of a text file, and the file name contains 60 spaces.
The virus affects computers running Windows 95, 98, Me, 2000, NT and XP. Macintosh computers are not at risk.
If executed, the attachment will do several things:
It harvests e-mail addresses found on the computer and remails itself. Unless removed, the virus will execute itself each time the computer is restarted.
It opens a "backdoor" hole to the Internet, making future invasions of the computer possible.
Scott Snodgrass of Geeks Inc. in Mason, a PC servicing company, said users need to buy and install software to guard against virus attacks and keep the software up to date. This includes not only a firewall and anti-virus software, but also anti-spam software to keep out infected e-mails, and "pop-up stopper" software, to block Internet pop-up advertisements that often attempt to install rogue software.
E-mail johnb@enquirer.com