Daily News Clips
Office of the Chancellor / Public Affairs
Tuesday, August 26, 2003

Chronicle of Higher Education 8-26-03

Campus-Network Administrators Say Timing of Sobig.F Virus Couldn't Have Been Worse
By FLORENCE OLSEN

A week after the debut of the virulent e-mail virus known as Sobig.F, college-network administrators are still working overtime to shore up their defenses against it and two fast-spreading Internet worms. The administrators say the attacks on their systems couldn't have come at a worse time.

With students arriving for the fall semester, most colleges have not yet tallied up the cost of Sobig.F and the two worms, called Blaster and Nachi. But the cleanup expenses are certain to be a blow to already strained college budgets.

"I haven't done the arithmetic -- I would love to do it, but I don't have time to do it right now," said Ann E. Stunden, chief information officer at the University of Wisconsin at Madison, which was one of the campuses hardest hit last week.

For two weeks, technicians on most campuses have been kept busy scanning their networks to find computers infected with the malicious codes. They have also been downloading new virus signatures and security patches, treating infected machines, warning users to take precautions, and even temporarily blocking access to campus networks.

While most colleges appear so far to have avoided disastrous consequences from the attacks, security experts are warning that Sobig is still a danger and could play a role in a future attack designed to take down large portions of the Internet. Many experts say they have never seen a virus spread faster than Sobig.F.

Last week, colleges all over the nation reported unprecedented spikes in e-mail traffic and in the number of messages containing Sobig.F. Its telltale subject line contains the words "Re: Details," "Re: Approved," "Re: That Movie," or one of six other similar headings. Users unwittingly download the virus onto their computers if they follow the message's instructions -- "See the attached file for details" -- by opening the attachment.
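The subject lines and body text quoted above are exactly the kind of indicators the mail administrators mentioned in this article were filtering on. The following is an added example, not code from the Chronicle or from any of the universities named here: a small mail-side check that parses a message, looks for the three lure subjects the article lists together with the "See the attached file for details" body phrase, and quarantines only when such a lure also carries an attachment. The sample messages are constructed for the example (the attachment filename is a placeholder, since the article does not name the real one), and the page lists only three of the nine subject lines, so the set here is deliberately incomplete.

```python
from email import message_from_string
from email.message import Message

# Lure subject lines named in the article (three of the nine it mentions).
SOBIG_SUBJECTS = {"re: details", "re: approved", "re: that movie"}
# Body instruction the article quotes from the lure message.
SOBIG_BODY_PHRASE = "see the attached file for details"


def has_attachment(msg: Message) -> bool:
    """True if any MIME part is flagged as an attachment."""
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts, lower-cased, for phrase matching."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", errors="replace"))
    return " ".join(chunks).lower()


def sobig_indicators(raw: str) -> list:
    """Return the list of lure indicators present in a raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SOBIG_SUBJECTS:
        hits.append("subject")
    if SOBIG_BODY_PHRASE in body_text(msg):
        hits.append("body-phrase")
    if has_attachment(msg):
        hits.append("attachment")
    return hits


def should_quarantine(raw: str) -> bool:
    """Quarantine only when lure text AND an attachment are both present,
    so an ordinary 'Re: Details' reply without an attachment passes through."""
    hits = sobig_indicators(raw)
    return "attachment" in hits and ("subject" in hits or "body-phrase" in hits)


# Constructed sample: a lure with the quoted subject, body phrase and an attachment.
LURE = """From: colleague@example.edu
To: staff@example.edu
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

See the attached file for details
--sep
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="placeholder-attachment.bin"

AAAA
--sep--
"""

# Constructed sample: a legitimate reply that happens to reuse a lure subject.
BENIGN_REPLY = """From: colleague@example.edu
To: staff@example.edu
Subject: Re: Details
Content-Type: text/plain

Registration opens at 8 tomorrow, I will send the room list then.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign reply", BENIGN_REPLY)):
        print(name, sobig_indicators(raw), "quarantine" if should_quarantine(raw) else "deliver")
```

Requiring both the lure text and an attachment keeps plain replies flowing, but a genuine reply titled "Re: Approved" that carries a document would still be held, which is the trade-off the article's administrators accepted when they began filtering incoming mail on these headings.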

At Madison, about 2,200 out of 60,000 university-owned computers were infected with the Sobig.F virus before technicians were able to begin filtering incoming e-mail to block it.

The virus hit the campus's main e-mail server two hours before the software vendor released a security patch to protect it. "We had the patch up in 20 minutes after we got it," Ms. Stunden said, but not before the computers had been infected. And once it infected the machines, the virus sought out their address books and began sending out multiple e-mail messages containing copies of itself.

Ms. Stunden called an emergency meeting of the campus's 300 technical-staff members, who spent an hour and a half figuring out how they would clean up the infected machines. Doing so required someone to sit down at each machine and go through a series of steps to disinfect it. Including the technician's travel time, the process could take up to an hour per machine.

As late as Friday afternoon, Ithaca College had to disconnect its residence-hall network to prevent worm-infected computers from crippling the entire campus network. Over the weekend, the college gave out CD's containing everything that students, who were still arriving on the campus, would need to clean up and patch their own computers.

The college is still scurrying to buy additional fire-wall equipment to deal with the Blaster and Nachi worms, said Ed Fuller, director of information technology services. The cost will be $15,000 to $20,000 "in hard dollars," he said.

At the peak of the Sobig.F virus outbreak last week, the University of North Carolina at Chapel Hill was filtering more than 100,000 infected messages out of its incoming mail every hour. In 12 hours, the university filtered 1.5 million copies of the Sobig virus, said John L. Oberlin, associate vice chancellor for information technology.

The trouble produced by the recent attacks was enough to push the Chapel Hill campus into buying several intrusion-prevention systems, at a cost of $50,000 each. University technicians had been evaluating the latest generation of the equipment when the viruses and worms hit. "We bought a couple of additional ones when they turned out to be so effective," Mr. Oberlin said. Unlike fire walls, which must be configured in advance to block specific kinds of network activity, intrusion-prevention systems are designed to analyze incoming network traffic in real time and instantaneously block malicious code attacks -- even those that have not been seen before.

The Pima County Community College District, in Tucson, took its entire network down on Wednesday afternoon so that technicians could clean up from the Nachi worm. It and the related Blaster worm infect Windows computer systems that have not applied a new security patch that Microsoft issued on July 16. Unlike a virus, which typically depends on a user's opening an attached file, a worm can spread unaided from machine to machine by taking advantage of weaknesses in operating systems.

"Nachi generated so much internal traffic it overwhelmed our network," said Ann Strine, assistant vice chancellor for information technology at the community-college district. The network was back up at 8 the next morning, she said, providing critical registration and financial-aid services. She hasn't had time to tally up the overtime hours involved. "It will be $2,000 or something" -- which is not much, she said, compared with the inconvenience the outbreak has caused.

By 10 a.m. Wednesday, the University of Notre Dame had detected and removed 120,000 copies of Sobig.F. In a 36-hour period, messages containing the virus caused an 80-percent increase in incoming e-mail.

Like most institutions hit by the latest attacks, Notre Dame has not yet analyzed their cost. And some measures the university has taken to defend itself are only temporary fixes, said Gordon D. Wishon, the chief information officer.

Notre Dame currently is blocking one kind of traffic between its residence-hall network and the campus network, as well as between the campus network and the Internet, Mr. Wishon said. But blocking that traffic disables legitimate network services, including a service that technicians use to manage campus networks.

The University of Vermont reported removing Sobig.F from 45,000 e-mail messages by midday Wednesday, but no machines were infected, said Roger A. Lawson, director of computing and information technology at the university. Administrators are focused now on dealing with the 4,000 computers that students will bring to campus when they arrive on Friday. "We're anticipating the great majority of those will be vulnerable to Blaster," Mr. Lawson said.

"The biggest cost is it's just consuming the staff at a time when they ought to be doing something better," including setting up software and computers for the start of classes. "Those things are suffering because of this."

The weekend passed without further incidents caused by Sobig.F, possibly because law-enforcement officials and security experts had deciphered its code enough to take preventive action.

According to senior officials at the Symantec Corporation, which makes antivirus software, federal law-enforcement officials located and apparently shut down all but one of 20 computers that infected machines had been instructed to contact, presumably to download additional code. The downloads were programmed to occur between 3 and 6 p.m. EDT on Friday and on Sunday. The only one of the 20 servers that was not shut down by Friday afternoon was directing infected computers to a site that contained pornography but no malicious code.

Because of the time-specific threat, Symantec officials had upgraded their assessment of the Sobig.F threat from Category 3 to Category 4, with Category 5 being the highest threat level.

Security experts who have examined the Sobig.F code say that on September 10 the virus is programmed to stop spreading itself. But they also warn that infected computers will still attempt, beyond that date, to connect to the 20 machines.

The Sobig virus first appeared in January. Sobig.F represents the sixth variant that the virus writer, who has not been caught, has released on the Internet. Sobig, Blaster, and Nachi target Microsoft Windows computers but not computers running the Macintosh, Linux, Unix, or other operating systems.