Penn State Intercom, January 30, 2003

Patch would have prevented computer worm infection

By Annemarie Mountz
Public Information

Problems caused by a computer worm that infected computers worldwide and caused a major slow-down of the University's backbone for a short time over the past weekend were preventable, according to University experts.

"The worm attacked a flaw in Microsoft SQL Server environments for which fixes had been identified several months ago. Had everyone around the world installed the patch when it was put out by Microsoft, the worm would not have found host computers," said Gary Augustson, vice provost for information technology.

"The most important thing to realize with this is that it was totally preventable," he said. "Obviously, we can't control the actions of people around the world. However, it is critically important for everyone at this University -- faculty, staff, students and administrators -- to take the same personal interest in the readiness and security of their networks as they do for their other critical resources."

The worm, dubbed "SQL Slammer," generated massive network traffic, overloading Internet servers worldwide.

According to Kathy Kimball, director of computer and network security, only a few dozen or so of the more than 90,000 computers connected to the University backbone were infected.

"A small number of computers were infected, but they generated a debilitating amount of traffic over the network," she said.

Telecommunications and Networking Services (TNS) coordinators were on site by 3 a.m. Saturday, diagnosing the source of the problem. They installed a filter on UDP Port 1434, the port targeted by the worm, and they were able to restore core data backbone stability by about 11:30 a.m. Saturday. Internet connectivity was restored by about 1:30 that afternoon. TNS coordinators and other employees in Information Technology Services (ITS) remained on site through the weekend, working with the Security Office to identify networks that were infected and isolate them from the data backbone.

Those with infected computers must use an uninfected computer to download the patch from Microsoft's Web site. A Microsoft bulletin at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp gives details.

"Once the patch is installed and run, and the computer is rebooted, the network contact can call the security office at (814) 863-9533 or e-mail security@psu.edu to get network connectivity restored," said Kimball.


Annemarie Mountz can be reached at AMountz@psu.edu.
