Latest Virus Threat

Latest Virus Threat

Major Professors: Please communicate the importance of adequate virus protection to all of your Graduate Students who have PCs (Personally and state owned) connected to the ESF Campus Network. Thank you.

There are currently no reportable outbreaks in progress on Campus.

Past threat issues:

4/14/05: Hacktool.Keylogger

2/17/05: W32.Mydoom.AX@mm

1/27/05: W32.Beagle.AZ@mm

8/9/04: W32.Beagle.AO

7/26/04: W32.Mydoom.M@mm

7/19/04: W32.Beagle.AG

5/3/04: W32.Sasser.Worm

3/26/04: W32.Beagle.U

3/18/04: W32.Beagle.O thru T and W32.HLLW.Gaobot

3/3/04: W32.Beagle.J and K (Updated 3/24/04)

2/25/04: W32.Netsky.C

1/26/04: W32.Novarg.A@mm (aka W32/Mydoom@MM) (Updated 1/30/04)

10/31/2003: W32.Mimail.C@mm

10/7/2003: Trojan.Qhosts (aka QHosts-1)

9/22/2003: W32.Swen.A@mm Worm

9/2/2003: W32.Dumaru@mm Worm

8/19/2003: SoBig Worm

8/12/2003: MS Blaster Worm (Updated 1/15/04)

4/14/05:

What is being reported on Windows XP systems as Hacktool.Keylogger is a FALSE POSITIVE. THERE IS NO THREAT FROM THESE SPECIFIC WARNINGS ONLY:

Reported symptoms: PC appears to run slowly, Symantec Antivirus 9.0 or Norton Antivirus 7.6 pop-up Antivirus Notifications.

Affected Systems: At this time, only Windows XP Service Pack 2 appears to report the problem.

Solution: (Read both steps completely)

Step 1:

You must install the latest Virus Definitions as follows:

	Click here to start the Virus Definition installation process.
	When prompted, choose 'Run' and then 'Run' again.
	You will be asked: 'Do you want to update your virus definition files?' You should answer 'Yes.'
	The update will proceeded. When it complete, click 'Ok' to complete the process.

You should confirm that the virus definition date and revision are at least 4/14/05 rev. 8 BEFORE YOU REBOOT YOUR PC. Please check both the date and the revision number. It may take several minutes for the definition date to correctly register. If your virus definitions are 4/14/05 rev. 1, you have not waited long enough and should continue to wait until they are at least 4/14/05 rev. 8 or higher. As an example, a virus definition date and revision of 4/15/05 rev. 5 is better (higher) than 4/14/05 rev. 8.

To check your virus definition status, double-click on the gold shield in the system tray near the clock in the lower-right hand corner of your desktop. Your virus definition status should be displayed as follows :

Reboot your PC.

Step 2:

You may see the following message when your PC restarts:

If you do, it means that the Antivirus program has deleted files that Windows needs to operate properly and they must be replaced. Even if you do not see this message after rebooting your system, you should complete Step 2.

If you see the above message, click 'Cancel' then 'Yes' to clear the message, then click on the following link and choose 'Run' and then 'Run' again when prompted: Replace deleted Windows System Files. You will see a brief flash as the deleted files are restored. There will be no prompt when the process is complete.

Reboot your PC.

When your PC is finished starting, you should not see the above Windows File Protection error.

Major Professors: Please share this information with students that have PCs on the ESF Campus Network.

2/17/05:

W32.Mydoom.AX@mm: This new MyDoom Worm arrives via email from a Spoofed sender with an attachment and a wide variety of subjects.

If you think that you have been infected by this Worm, please click here to download a tool that will remove this infection.

The spoofed ‘senders’ that have been reported to CNS are as follows:

"Mail Administrator" postmaster@syr.edu

"Mail Administrator" postmaster@esf.edu.

Please note that neither SU nor ESF will send messages from ‘postmaster’ to users with attachments.

The Body of affected email messages will contain a message similar to the following:

“We have found that your e-mail account has been used to send a huge amount of junk email during the last week.”

The messages are signed with one of the following:

“The syr.edu support team” or “The esf.edu support team.”

The ESF Email System was not able to recognize this threat when it first appeared on Campus. As a result, email received through the ESF and SU email systems during this period were not being checked for this threat and could be affected.

If you receive any email messages meeting the above description, please delete them immediately without opening the attached file.

For more information about this threat, click here.

1/27/05:

As of 1 pm on 1/27/05, the ESF Email System and the ESF desktop version of Norton Antivirus have been able to recognize this threat.

There is a new Worm infecting PCs on the ESF Campus today. This new Beagle Worm (W32.Beagle.AZ@mm) arrives via email from a Spoofed sender with the following characteristics:

Attachment:

	Jol03
	guupd02
	siupd02
	upd02
	viupd02
	wsd01
	zupd02

Followed by one of the following extensions:

	.com
	.cpl
	.exe
	.scr

Subject:

	Delivery by mail
	Delivery service mail
	Is delivered mail
	Registration is accepted
	You are made active

Body:

	Before use read the help
	Thanks for use of our software

Do not open any email messages with the above characteristics.

8/9/04:

There is a new Worm infecting PCs on the ESF Campus today. This new Beagle Worm (W32.Beagle.AO) arrives via email from a Spoofed sender with an attachment as follows:

	price.zip
	price2.zip
	price_new.zip
	price_08.zip
	08_price.zip
	newprice.zip
	new_price.zip
	new__price.zip.

Please do not open these attachments.

The ESF Email System is now able to recognize this threat (as of 8:00 pm on 8/9). As a result, email received through the ESF email system prior to this time was not checked for this threat.

For further information, please click here.

7/26/04:

SU has reported this threat as a new version of Beagle Worm, but the ESF Norton Antivirus software detects it as W32.Mydoom.M@mm. Regardless of its current name, it is an email Worm with the following general characteristics:

From: <spoofed>

Subject: (One of the following)

	say helo to my litl friend
	click me baby, one more time
	hello
	error
	status
	test
	report
	delivery failed
	Message could not be delivered
	Mail System Error - Returned Mail
	Delivery reports about your e-mail
	Returned mail: see transcript for details
	Returned mail: Data format error

Body: The message body will be as follows, where one of each phrase/word in brackets will appear:

Dear user {[To address of mail]|of [domain of To address]},{ {{M|m}ail {system|server} administrator|administration} of [domain of To address] would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||} {We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week. {We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server. {Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe. {{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day}, {[domain of To address] {user |technical |}support team.|The [domain of To address] {support |}team.}

{The|This|Your} message was{ undeliverable| not delivered} due to the following reason{(s)|}: Your message {was not|could not be} delivered because the destination {computer|server} was {not |un}reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura- tion parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message {was not|could not be} delivered within [random number] days: {{{Mail s|S}erver}|Host} [host used to send mail] is not responding. The following recipients {did|could} not receive this message: <[To address of mail]> Please reply to postmaster@{[domain of From address]|[domain of To address]} if you feel this message to be in error. The original message was received at [current time]{ | }from {[domain of From address] [[host used to send mail]]|{[host used to send mail]|[[host used to send mail]]}} ----- The following addresses had permanent fatal errors ----- {<[To address of mail]>|[To address of mail]} {----- Transcript of {the ||}session follows ----- ... while talking to {host |{mail |}server ||||}{[domain of To address].|[host used to send mail]}: {>>> MAIL F{rom|ROM}:[From address of mail] <<< 50$d {[From address of mail]... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <[To address of mail]>... {Mail quota exceeded|Message is too large} 554 <[To address of mail]>... Service unavailable|550 5.1.2 <[To address of mail]>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service unavailable; [[host used to send mail]] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|} Session aborted{, reason: lost connection|}|>>> RCPT To:<[To address of mail]> <<< 550 {MAILBOX NOT FOUND|5.1.1 <[To address of mail]>... {User unknown|Invalid recipient|Not known here}}|>>> DATA {<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output |}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed |}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded |}<<< 400}|} The original message was included as attachment

{{The|Your} m|M}essage could not be delivered

Attachment: (One of the following)

	readme
	instruction
	transcript
	mail
	letter
	file
	text
	attachment
	document
	message

with one of the following extensions: cmd, bat, com, exe, pif, or scr

If your virus definition date is not at least 7/26/2004 rev. 23, please click here to download and install the latest virus definitions. When prompted, choose 'Open' or 'Run' to install this update directly.

Determining your virus definition version: Double-click on the Norton Antivirus Corporate Edition Shield in your system tray (area on the Task Bar next to the clock). In the lower right-hand corner of the resulting window, next to the LiveUpdate button, you will see the virus definition version.

7/19/04:

For interested parties: Beagle article with details on how this Worm spreads.

W32.Beagle.AG has been identified as an issue on the ESF and SU Campuses.

The Beagle line of worms are spread via email. A message with an attachment infected with version AG of Beagle has the following specific characteristics:

From: <spoofed>

Subject: Re_

Body:

	foto3 and MP3
	fotogalary and Music
	fotoinfo
	Lovely animals
	Animals
	Predators
	The snake
	Screen and Music

Attachment: (One of the following)

	Cat
	Cool_MP3
	Dog
	Doll
	Fish
	Garry
	MP3
	Music_MP3
	New_MP3_Player

Attachment extension: (One of the following)

	.exe
	.scr
	.com
	.cpl
	.zip (this will be password protected)

NOTE: Beagle AG attempts to stop/disable common antivirus, firewall, and anti-spyware software. If you have been infected with this worm, software of these types will need to be repaired or reinstalled.

If your virus definition date is not at least 7/19/2004 rev. 36, please click here to download and install the latest virus definitions. When prompted, choose 'Open' or 'Run' to install this update directly.

5/3/04:

Multiple versions of the W32.Sasser worm have been identified on the ESF and SU Campuses.

Sasser is not spread via email, but through network connections and affects system running Windows 2000, Windows XP, and Windows 2003 server.

Protecting your system from the Sasser worm:

Run Windows Update. Even if you do not have one of the affected Windows Operating System versions, you should run Windows Update and receive any critical updates. For information on receiving Critical Updates from Windows Update, please click here.
Make sure that your Norton Antivirus Definition date is 5/3/04 rev. 24 or later. If your PC has not yet received the latest update, please click here to download and install the Norton Antivirus updates manually. NOTE: Please do not rely on Antivirus software alone. You must update your system to ensure more complete protection (see number 1 above).

Determining your virus definition version: Double-click on the yellow Norton Antivirus Corporate Edition Shield in your system tray (area on the Task Bar next to the clock). In the lower right-hand corner of the resulting window, next to the LiveUpdate button, you will see the virus definition version.

Symptoms of infection may include:

Slower than normal system performance or network access.
You have difficulty performing a shut-down or restart of your PC (i.e. the PC seems to ignore your instruction to shut-down or restart).

Further information and Removal:

	For information on this threat (W32.Sasser.Worm versions A - C) from Symantec, please click here.
	To obtain the Symantec Sasser Removal tool, click here. (This tool removes Sasser versions A - C)
	To see detailed information about the removal tool, click here.
	NEW: Stinger virus removal tool from Network Associates. Go to this site to download the latest copy of the Stinger tool. Stinger removes multiple virus threats (see site for a complete list).

3/26/04:

W32.Beagle.U has been identified as an issue on the ESF and SU Campuses.

If your virus definition date is not at least 3/26/2004 rev. 7, please click here to download and install the latest virus definitions. When prompted, choose 'Open' or 'Run' to install this update directly.

3/18/04

W32.Beagle version O thru version T and W32.HLLW.Gaobot.RF affecting systems on the ESF Campus today. Please check your Virus definition date. The definition version should be 3/18/04 rev. 17 or later. If not, run LiveUpdate immediately.

3/3/04

Beagle (also known as Bagle) exists now in versions A through K. The two most recent versions are J and K. See below for a tool to remove this infection. If you are uncertain whether you are infected or not, please run the removal tool or call us and we will assist you.

PLEASE DO NOT OPEN ANY EMAIL MESSAGE WITH ATTACHMENTS CLAIMING TO COME FROM:

management @ esf.edu
administration @ esf.edu
staff @ esf.edu
noreply @ esf.edu
support @ esf.edu

A typical email from this worm will appear as follows:

Hello user of Esf.edu e-mail server,

Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information.

For details see the attach.

For security purposes the attached file is password protected. Password -- [Removed]

Best wishes,
The Esf.edu team

Other versions of Beagle use 'spoofing' to determine the apparent sender and the recipient.

	For information on this threat (W32.Beagle.J) from Symantec, please click here.
	To obtain the Beagle Removal tool, click here. (This tool removes all current versions of the Beagle worm)
	To see detailed information about the removal tool, click here.

2/25/04

Netsky.C was discovered on 2/24/04 and first appeared on the ESF and SU Campuses on the morning of 2/25/04. Between the time it first appeared and approximately 1:30 pm, this threat was not filtered from email arriving at the ESF and SU mail servers.

Please check your Virus Definition date by double-clicking the Norton Antivirus shield in the lower right-hand corner of your desktop. If the date to the left of the LiveUpdate button is before 2/25/04, please click the LiveUpdate button to receive your update immediately.

The ESF and SU email servers have been protecting against this threat since approximately 1:30 pm on 2/25/04.

NOTE: This worm 'spoofs' the address that recipients see on the 'From' line of email messages.

Spoofing:

Some users may be receiving warnings from Postmaster @ esf.edu, a postmaster at another domain, or other users regarding potential problems with their system or email as a result of this or other Worm. Please note that this Worm will 'spoof' the sender's address and, therefore, these warnings may be falsely identifying you, as the recipient of such a warning, as infected. Spoofing occurs when a random entry in an address book (on the infected machine) is selected by the worm to act as the 'sender.'

	For information on this threat from Symantec, please click here.
	To obtain the NetSky Removal tool, click here. (This tool also removes NetSky.B)
	To see detailed information about the removal tool, click here.

1/26/04

Mass emailing Worm (W32.Novarg.A@mm aka MyDoom)

A Novarg (aka MyDoom) removal tool is now available. Please see below for details. If you think you may be infected, please download and run this tool on your PC.

General Information:

Novarg (MyDoom) was discovered on 1/26/04. Please check your Virus Definition date by double-clicking the Norton Antivirus shield in the lower right-hand corner of your desktop. If the date to the left of the LiveUpdate button is before 1/26/04, please click the LiveUpdate button to receive your update immediately.

If you have difficulty running a virus scan or have not automatically received anti-virus software updates, please contact us immediately.

The ESF email server was protecting against this threat on 1/26/04.

Some users may be receiving warnings from Postmaster @ esf.edu, or another domain, regarding potential problems with your system or your email. This Worm will spoof the sender's address and, therefore, these warnings may be falsely identifying you, as the recipient of such a warning, as infected. Spoofing occurs when a random entry in an address book (on the infected machine) is selected by the worm to act as the 'sender.' If you are receiving Postmaster or Administrator warnings (or complaints from other users), it is likely that your address is being used as the spoofed 'sender.' To be certain that your PC is free of infection, please run a complete system scan as soon as possible or obtain the removal tool available below.

If infections are not located and cleaned before 2/1/04, infected machines will begin flooding the ESF Campus Network with the purpose of disrupting systems both here and at the destination domain: sco.com

Typical message subject: Varies

	test
	hi
	hello
	Mail Delivery
	System Mail Transaction Failed
	Server Report
	Status
	Error

Typical message body: Varies

	Mail transaction failed. Partial message is available.
	The message contains Unicode characters and has been sent as a binary attachment.
	The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Typical attachment: Varies

	document
	readme
	doc
	text
	file
	data
	test
	message
	body

The attachment may have two suffixes. If so, the first suffix will be one of the following: .htm, .txt, or .doc. The worm will always end with one of the following suffixes: .pif, .scr, .exe, .cmd, .bat, and .zip.

	For information on this threat from Symantec, please click here.
	Woody's WINDOWS Watch article on Novarg
	To obtain the Novarg Removal tool, click here.
	To see detailed information about the removal tool, click here.

10/31/2003

Mass emailing Worm (W32.Mimail.C@mm)

Mimail.C is a new variant of an existing mass mailing worm that is capable of ‘stealing’ various types of information from infected computers. It arrived on Campus on 10/31 and IS filtered by our email server and the Campus version of Norton Antivirus Corporate Edition.

This worm will appear in your mailbox as a message from james@esf.edu or james@syr.edu (which does not exist) Delete these email messages immediately.

Typical message subject:

Re[2]: our private photos [random sequence of letters]

Typical message body:

Hello Dear!, Finally i've found possibility to right u, my lovely girl :) All our photos which i've made at the beach (even when u're without ur bh:)) photos are great! This evening i'll come and we'll make the best SEX :) Right now enjoy the photos. Kiss, James. [random sequence of letters]

Typical attachment: photos.zip

For information on this threat from Symantec, please click here.

10/7/2003:

Trojan Horse (Trojan.Qhosts)

This Trojan is also known as QHosts-1

"Trojan.Qhosts cannot spread by itself. For a computer to become infected, you would have to open an HTML page that contains code, which allows it to open a viral HTML file on the target computer, so that the script can create and run the malicious executable." -- Symantec

People using the Campus version of Norton Antivirus Corporate Edition are currently protected.

	For information on this threat from Symantec, please click here.
	To obtain the removal tool, click here.

9/22/2003:

Mass emailing Worm (W32.Swen.A@mm)

This worm is also known as Worm.Automat.AHB

Typical message subject: Varies

Typical message body: Varies -- below is an example:

“Microsoft Customer

this is the latest version of security update, the "September 2003, Cumulative Patch" update which eliminates all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three newly discovered vulnerabilities. Install now to help protect your computer. This update includes the functionality of all previously released patches.”

Typical attachment: Attachment name is built as follows:

Worm selects one of the following predetermined names:

Patch

Upgrade

Update

Installer

Install

Pack

Q

Followed by a series of random numbers.

And a file extension that is either .exe or .zip.

This worm will also spread via Kaza, IRC, Network File sharing, and newsgroups. One form of this worm will ask for personal email account information.

This message is not from Microsoft. If you receive one of these messages, please delete it immediately. Microsoft will never send a user patches or updates in the form of attached files.

	For information on this threat from Symantec, please click here.
	To obtain the removal tool, click here.

9/2/2003:

Mass emailing Worm (W32.Dumaru@mm)

Typical message subject:

"Use this patch immediately !"

Typical message body:

"Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!"

Typical attachment: patch.exe

If you receive one of these messages, please delete it immediately. Microsoft will never send a user patches in the form of attached files.

	For information on this threat from Symantec, please click here.
	To obtain the removal tool, click here.
	For information about the removal tool, click here.

8/19/2003:

Mass emailing Worm (W32.SoBig.F@mm)

Typical message subjects:

	Re: Details
	Re: Approved
	Re: Re: My details
	Re: Thank you!
	Re: That movie
	Re: Wicked screensaver
	Re: Your application
	Thank you!
	Your details

Typical message body:

	"See the attached file for details "
	"Please see the attached file for details."

Typical attachment:

	your_document.pif
	document_all.pif
	thank_you.pif
	your_details.pif
	details.pif
	document_9446.pif
	application.pif
	wicked_scr.scr
	movie0045.pif

For information on this threat from Symantec, please click here.

To obtain the removal tool, click here.

For information about the removal tool, click here.

8/12/2003:

Windows Blaster Worm:

1/15/04: New Microsoft tool to remove the remnants of the Blaster or Nachia Worms. This tool also solves the problem caused when a user patches an already infected machine. Please click on the link below and choose 'Open' or 'Run,' and acknowledge any security warning, when prompted to run this tool. All ESF Users with Windows 2000 or Windows XP should use this tool.

Run the Microsoft Blaster clean-up tool now (1/15/04).

A Flaw in Windows NT, 2000, and XP is being exploited actively at SU and ESF. Windows 95, 98, Me, and Macintosh systems are not affected at this time. Please determine your version of Windows and install the appropriate patch below to assure you are protected:

Windows NT 4: Click here to install (requires service pack 6a)

Windows 2000: Click here to install (requires service pack 4)

Windows XP: Click here to install (requires service pack 1)

After clicking the above link, choose 'Open' (or select 'Run...') and the program will automatically run. Click 'Next', agree to the license agreement, and click 'Next' to proceed.

	The ESF Campus version of Norton Antivirus is currently protecting against this threat, but all users should perform this update (or run Windows Update) as a precaution.
	This update can also be obtained by running Windows Update. Click here for details.

If you think you may be infected:

If you have experienced any unexpected shutdowns while using your computer since 8/11/03, please install the above patch and also click here to run the Symantec removal tool for this threat. Find out more about the removal tool here.

Please call CNS for assistance: X6946, X4853, X6638

See an expanded list of virus threats here.


	Run Windows Update: Click here to find out how to run Windows Update to keep your machine secure with the latest Microsoft Security fixes. Automatic Updates Automatic update is a version of Windows update. If you ever see the 'earth and flag' icon (see below) in your PC's system tray (next to the clock), just double-click on it and follow the instructions to install any waiting updates.


	Install the ESF Campus Antivirus protection: *Now for ALL* PCs that reside on the ESF Campus Network! Click here to find out how to install the Campus version of Norton Antivirus Corporate Edition. NOTE:** This is the original version of Norton Antivirus Corporate Edition on the ESF Campus. If you see the shield icon (see below) in your system tray, then you do not need to do this again.


	What Operating System and Service Pack are you using? Right click on the 'My Computer' icon on the desktop or under the Start menu and choose properties. The 'General' tab will tell you both your operating system and what Service Pack you have installed.