Latest worm anything but ‘Witty’
Several units across campus continue to recover from the most recent Internet worm attack that interrupted service and destroyed files on 50-75 Windows-based servers in the Division of Business and Finance.
The problem was identified the morning of March 20, when the “Witty Worm” flooded the U-M network with traffic, causing intermittent access problems.
As the affected servers were removed from the network, access gradually was restored. The worm also destroyed data, files, applications and operating systems on servers running the Internet Security Systems BlackICE product. Servers that control e-mail, calendars, databases, files, print and backup functions, and applications were infected.
BlackICE is a firewall program intended to detect and prevent intrusion attempts and control access to servers. “A patch that detects the worm was released by the manufacturer on Friday, but it wasn’t available early enough for us to apply it and prevent the attack,” says Laura Patterson, associate vice president, Michigan Administrative Information Services (MAIS).
Work on the affected servers is in progress, and IT staff in Business and Finance expect complete restoration of all systems. As of the Record deadline most systems affected were functioning, but not all data had been restored.
Patterson says some e-mail sent to Business and Finance units during the period of March 20-23 may not have reached its destination, although it appears that much of the mail was delivered when the servers came back online about 3 a.m. March 24.

Staff most affected were those in Financial Operations; Purchasing and Stores; Treasury and Risk Management; Financial Analysis; Payroll; Human Resources and Affirmative Action; Plant Extension; Plant Operations; Occupational Safety and Environmental Health; Investments; MAIS; plus the associate vice presidents for Finance, Human Resources and Business Operations, as well as the Office of the Executive Vice President for Finance and Chief Financial Officer.
“It does not appear that other units on campus were severely affected by this attack,” Patterson says. “Servers that store the University’s M-Pathways systems and other administrative data also were not affected.”
Unlike other recent Internet worms, Witty does not show up in e-mail boxes as a message with an attachment. The worm seeks out systems running the BlackICE product, then infects them and runs in the computer’s memory. It then attempts to contaminate 20,000 random Internet hosts, causing a network denial of service. It also fills random sections of the local hard drives with junk.
When the computer is rebooted or crashes, it cannot function because of the damaged files. System administrators usually can restore the data, but it is a time-consuming process. Anti-virus software on the servers was unable to detect the worm because the intrusion came before the vendor had released an update intended to stop Witty.
