Skip to end of metadata
Go to start of metadata

Anti-virus response center.

Useful links

Current Activity:

Friday, April 11, 2008 - Threat from pdf files via email

Similar to the spearphishing attack of April 1, there is currently a threat from emailed PDF (Adobe Acrobat) files. Please use caution when opening these files from email - if you were not expecting the file check with the sender. This threat is for PC (Windows) users only.
 
You can also help reduce the risk by keeping your Adobe products up to date - programs have security holes just like operating systems do. To check for updates, open Adobe Reader on your computer. Go to the help menu and select Check For Updates.
 
If you have an Adobe Reader that is less than version 8, you may have to upgrade manually. Go to www.adobe.com and click the "Get Adobe Reader" button. We recommend you uncheck the option for the Google toolbar.

Tuesday, April 1, 2008 - "Verify your account" spearphishing email

On April Fool's Day, the campus was barraged with a type of email scam called "spearphishing" - similar to regular phishing scams, but targeted for groups with some form of personal information in it. In this case the email appears to be from the "williams.edu team". The emails reached many people on campus and requested that you reply with your username, password, date of birth and "country or territory".

The email should be ignored and deleted. The Office for Information Technology will never ask for your password by email. Also, all official communication will have the subject line of "OIT Eph Notice DD/MM/YY". This is to prevent this exact type of scam from fooling anyone.

If you did respond to the email with any account information, you should do two things - call the helpdesk at x4090 to let us know, and change your password now by going to http://oit.williams.edu and click the change my password link.

Fri, Mar 14, 2008 - Viruses delivered via e-card

On Tuesday and Wednesday the site www.flashfunpages.com was delivering a virus to people who visited one of their e-cards. Fortunately the virus was a non-destructive one. We anticipate the browsing and downloading of e-cards to be one of the most likely ways you will get a virus in the future.

Everyone has received an e-card from a friend or relative. Normally it is an email that has a link to a web site. Following the link pulls up some cute picture of animation. We always suggest checking with the sender to see if they really sent it because From addresses in email are easily spoofed. Even then, if the site asks you to download or install something - that is the time to pause and say hmmmm.

Some sites do require Flash or Shockwave to run but if you really need them you should go to adobe.com and get the legitimate versions. If a site asks you to download or install an .exe file then just leave. Once you run an .exe file on your computer, anything can happen - your data files can be deleted, your computer could be accessed remotely by someone looking to steal passwords or personal information, or the word, excel and image files on the computer can be emailed out to every person in your address book...seriously.

The people who got infected on Tuesday had up to date anti-virus scanners and anti-spyware running, but this virus was so new it was not detected as a threat. Today the virus detector catches and blocks it. That lag will always be a possibility. When in doubt you can always send your e-card to desktop@williams.edu and we'll check it for legitimacy. Computer security and safety is everyone's responsibility. You need to be cautious about what you run on your personal or college computer, as mistakes in judgment can impact the entire community.

Jan 1, 2006 - Microsoft Security Advisory (912840)

http://www.microsoft.com/technet/security/advisory/912840.mspx

There is currently an exploit in the wild (on the internet) targeting Windows PCs. Specially designed WMF files can compromise a PC (these can also be disguised as .jpg files). No official Microsoft patch has yet been announced.

Note that this exploit can infect PCs with fully patched Windows XP with the latest updates.

A computer can be infected by simply browsing a bad web site or by opening an email with a .jpg file attached. We acknowledge it is very difficult to avoid either of these situations, so caution and common sense are required. Recommended precautions:

1. Do not open .WMF files.
2. Avoid untrusted web sites.
3. Use a browser other than Internet Explorer when possible, especially when browsing untrusted sites, until Microsoft fixes this vulnerability. Most other browsers like Firefox will prompt the user before downloading and displaying the WMF image file.

October 28, 2005 - AIM viruses

AOL Instant Messenger:

You all use it - do you realize its much easier to get a virus via AIM than via email?

Recently we have seen many cases of the W32/Rbot-ATH (Opanki) virus. It infects your computer, then sends itself out to all the buddies in your buddy list. Your buddies then receive the message from YOU which says "check this out, is that you?". They click on the link and then get infected themselves.

Since AIM file transfers are direct from computer to computer we have no way to block the virus from getting to you. At least with email we scan all attachments and block harmful types like .exe. With AIM the level of protection works like this: 1. your common sense 2. the anti-virus program on your computer. That's the list.

August 22nd - Esbot and Zotob viruses
These are worms that infect computers which do not have the Windows plug and play vulnerability patch.

Typically you would get infected if you were not running a firewall (Windows 2000 does not) and you were not up to date on Windows critical updates. There are two removal tools that can be run to delete the virus and repair the damage.

May 16th, 2005 - Sober virus

Troj/Sober-Q is a mass mailing spamming Trojan for the Windows platform.

Infected computers send out spam, either in German or English

We do not believe there are any infected computers on campus, but you may be getting false rejection messages. An infected computer can use your email address as the reply-to field. When the spam is bounced back, you would get the message that your email was undeliverable.

Unfortunately there is not much we can do to stop these false messages. Please make sure your anti-virus software is up to date (for PCs). If you use Sophos, check the blue flower icon in your taskbar. If it has a red line through it, then there may be a problem. Contact the faculty / staff support helpdesk at x4090 or the student support desk at x3088.

Friday, March 11th, 2005 - W32/Doxpar-B

The virus was causing significant problems on our network, creating slowdowns for all users and interrupting some services.

We have received updated virus definition files from Sophos so if you are running an up to date version of Sophos you are protected from a new infection. If your computer is already infected we will locate it, isolate it from the network, and contact you for disinfection and patching.

Doxpar (a.k.a Poxdar) is a network-aware worm that has distributed denial of service and back door capabilities. The worm spreads by exploiting vulnerabilities in Windows. The virus is affecting PCs (not Macs) which have not had all security patches from Microsoft installed. For Windows-XP this means any computer that does not have Service Pack 2. An infected machine does three things:

  • launches Denial Of Service attacks against a number of banking websites
  • Attacks any web servers that it can find on the local network
  • Tries to propogate the infection to other vulnerable computers

All three of these things are done simultaneously and with such rapidity that the infected machine is running at 100% capacity and other computers on our network that are under attack have difficulty responding to anything else.

March 4th, 2005 - Troj/BagleDl-M

The virus was coming through as an email attachment for a brief period around 2pm on Friday. The attachment would be a .rar file with an executable file inside called "dddd.exe".

We started blocking .rar files on our mail server as soon as we saw the first infection. We are now scanning the network for infected computers (they send out obvious network traffic) and will contact individuals as necessary.

Our Sophos anti-virus is now blocking the virus, so future infections will be prevented.

Remember you should never open an attachment if you don't know who it is from, and more importantly, why you receieved it.

Feb 16, 2005 - MyDoom - O

Mydoom - O comes through as an email with this format:

----------------
Dear user (email address)
Your email account was used to send a large amount of unsolicited commercial e-mail during the last week. Probably, your computer was infected and now runs a trojan proxy server.
We recommend that you follow our instruction in the attachment in order to keep your computer safe.
Have a nice day, The williams.edu team.
-----------------

There would be a file attached like "message.zip"

Related to this will be incorrect bounce-back messages indicating your email address sent the virus attachment. These would have the form:
-----------------
"Removed Attachment.txt"
with a message along these lines:
This attachment contained a virus and was stripped.
Filename: message.zip
Content-Type: application/octet-stream
Virus(es): W32/MyDoom-O
------------------

This is not true. Its just that the reply-to address was spoofed and the remote email server has an automated bounce message for viruses (we do not do this for exactly this reason).

It is possible you may find emails of this type in your inbox Wednesday evening or Thursday morning. They would have to have been sent on Wednesday afternoon / early evening. Please delete these emails and you will be fine. If you did open up the .zip file there is a removal tool listed here which should fix the infection.

Please also remember that all official warning messages from OIT will have the subject:

OIT Eph Notice mm/dd/yy subject

November 8th, 2004 - MyDoom.ah

W32.Mydoom.AH@mm comes through as a "PayPal" email or a webcam email. There is a web link in the email, if a user clicks on it and Internet Explorer opens to view the web page, infection is possible. It is a mass-mailing worm which exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (BID 11515). It also spreads by sending itself to email addresses it finds in the Windows address book.
If you do not click on the links you will not become infected. Windows XP Service Pack 2 is not vulnerable. Our authenticated SMTP requirement should prevent any emails from going out from infected machines on campus.

Please delete the emails you receive and treat any email from eBay or PayPal with skepticism as they are frequent targets of spoofing.

Sept 1st, 2004 - Korgo

Korgo is a network type virus, similar to Sasser in that it exploits the Microsoft Windows LSASS vulnerability. We are scanning the network now for traffic on port 445 which would indicate infection.
Symantec has provided a removal tool: FixKorgo

August 26th, 2004 - MyDoom.N

MyDoom.N was getting through our newly configured mail servers Thursday night and Friday morning. It would be an email with a suspicious attachment. The from address was always spoofed, meaning it could appear to come from postmaster@williams.edu. The virus does not do serious damage although it does open a backdoor on an infected computer which could then be used to compromise the system.
August 9th - Bagle.AQ - Bagle AQ was getting through our server for an hour and a half on Monday afternoon. The virus attachment would be a .zip file usually with the name "new price". The sender was always spoofed so it would often appear to come from someone you know. On Monday afternoon we started blocking all .zip files. On Monday night our Anti-virus provider has a definition to block it.
McAfee has provided a removal tool: Stinger

July 19th, 2004 - Bagle.Ai

Bagle Ai is the latest of the many Bagle variants. It was getting through our mail server for a few hours on Monday. The virus attachment would be a password protected .zip file. The sender was always spoofed meaning it would appear to come from someone you know.

June 7th, 2004 - Sasser Worm

W32.Sasser.Worm is a network virus. It does not use email to spread. It attempts to exploit a vulnerability in Microsoft's operating systems, but if your computer has all the required critical updates as of April 10th you would be safe. If not, you can install the appropriate Microsoft patch (MS04-011) for
Windows 2000 or Windows XP

One recommendation from AV companies is to Block TCP ports 5554, 9996 and 445 at the perimeter firewall, which we have done. Symantec has a removal tool as well which fixes variants a through e.

APRIL 26, 2004 - Bagle-W

An email virus that often appears to come from an @williams.edu address. The attachments vary in name and extension. We have seen .exe, .vbs, .cpl, .com and password protected .zip files. The subject lines also vary. The virus hit us hours before Sophos or Symantec has any information about it, but as of 2pm on Monday Sophos had IDE files to block it at the server.
The virus spawns a process called drvsys and mails itself out to addresses found on an infected computer.

Symantec now has a removal tool which will stop the viral service, fix the registry and delete the viruses from the harddrive.

APRIL 20, 2004 - Netsky (X, Y)

An email virus that has a consistent subject of "Delivery failure notice (ID-0000xxxx)". The attachment is a .com file. The virus is non-destructive, but does create a security hole and floods the network with traffic.

APRIL 2004 - GAOBOT / AGOBOT / POLYBOT
A network virus that attempts to spread through network shares that have weak passwords and are missing Microsoft Critical Updates. There are at least 12 variants of this virus. It also allows attackers to access an infected computer through a predetermined IRC channel. Although this virus does not do any real damage it is flooding our network with unwanted traffic. We will be attempting to isolate any computers we detect as infected.

APRIL 9, 2004 - NACHI / WELCHIA B
We are seeing some infections of a virus that Sophos calls Nachi-b. We have put the removal tool in the Novell Netware login script so that it will run if your computer is infected. For home computers or for machines without Netware the removal tool is below.
Symantec Fixtool - Nachi/Welchia

MARCH 18th, 2004 - BEAGLE / BAGLE - R, S, T VIRUS
The virus starts as a blank email. Hidden in the message is HTML code which connects to an infected machine on the internet and downloads the virus to your machine. We are blocking the port which the virus comes in on, so from about 1pm Thursday it should not have been possible to get infected. Folks who viewed these messages before then may be infected. Your computer will behave erratically if so. We will search for infected machines on the network and contact you if necessary.
As of 11:30 on Friday we are also blocking the blank emails which were the "carriers" for the virus.

MARCH 13th, 2004 - NEW VARIANT OF BEAGLE / BAGLE ON CAMPUS - Beagle / Bagle M / Bagle-Zip
The virus comes in as a password protected zip file. As of 11am 3/14 our mail server is blocking it. The message may appear to come from the "williams.edu" team. Rest assured we will never send attachments out via email to the community. You may have the virus in your inbox but to get infected you would have to download the zip file, extract it using the supplied password, then run the .exe file inside it. If you delete the emails you will be fine. There is a Symantec removal tool for all versions of the virus besides N, M, O and a removal tool specifically for N, M, O. There is a McAfee removal tool for versions up to M/N (much larger file).

FEB 25th, 2004 - NEW VIRUS ON CAMPUS - Netsky
The virus is non-destructive and we are now blocking it. There is a removal tool for all versions of Windows. It is worthwhile to run the removal tool because the virus does leave a security hole which this fixes.

JAN 27th, 2004 - VIRUS ON CAMPUS - MyDoom / Navorga
The virus is non-destructive and we are now blocking it. There is a removal tool for all versions of Windows. It is worthwhile to run the removal tool because the virus does leave a security hole which this fixes.

Symantec MyDoom removal tool - MyDoom Fix

SEPT 10th, 2003 - SECURITY HOLE IN WINDOWS
On September 10th a new hole in the Windows operating systems was discovered. Microsoft is recommending that all users of Windows NT, 2000, and XP install a patch to protect their systems. The patches are linked locally below, please download and install them now. We have a small windows of opportunity here to patch computers at Williams before someone writes a virus to exploit the hole.
Sept. 10 security patches for - Windows XP and Windows 2000

SEPT 2nd, 2003 - VIRUS ON CAMPUS - Nimda A/E
As of September 2nd we are seeing some Nimda variant A and E infections on Student computers. We are providing the Symantec fix tools as a service, although it is not necessary to run the tools if you do not know you are infected.
Symantec FixNimda tool - FixNimda A and FixNimda E

WELCHIA AND BLASTER VIRUS/WORM
Student computers in particular which did not have the Microsoft patch installed may now be infected. Please download the Blaster patch and run the installer. Then reboot and run the FixWelch.exe and FixBlast.exe tools to check for, and if necessary, remove the virus. Apple and Windows 98 computers are not vulnerable.

Labels: