
02/23/05 : Windows Virus Alert: W32.Assiral@mm, W32.Sober.K@mm, Others

02/17/05 : WINDOWS VIRUS ALERT: W32.Mydoom.AX@mm on Campus

Windows Virus Alert: W32.Assiral@mm, W32.Sober.K@mm, Others

Posted on February 23, 2005 04:19 PM

CIS has received reports of virus activity on campus, proliferating through email. The most commonly reported viruses affect Windows computers (95/98/Me/NT/2000/XP and Windows Server 2003).


Be sure that you have Symantec Antivirus installed with updated virus definitions, and never open unexpected attachments.


If you believe your computer is infected with any of these viruses and you would like assistance with removal, please contact the Brown Help Desk at 863-HELP (4357).

WINDOWS VIRUS ALERT: W32.Mydoom.AX@mm on Campus

Posted on February 17, 2005 08:37 AM

NOTE: Certified definitions for Mydoom.AX are now available through Symantec Live Update. You may want to run Live Update manually if you aren't sure how your client machines are configured. Please keep in mind that Symantec Antivirus is unable to scan password-protected zip archives, so please just delete them.

Affected OS
* Windows 95
* Windows 98
* Windows Me
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Not Affected OS
* DOS
* Linux
* Macintosh
* OS/2
* UNIX
* Windows 3.x

How Do They Propagate
* Typical mass mailer - appears to originate from Brown administration
* Self-contained SMTP engine so it can send out mail
* Gathers email addresses from infected machines

Risk
* High
* Remote access possible via backdoor opened

Impact
* Numerous compromised machines in dorms and departments

Symptoms of Infected Machines
* Creates the following files: "%Windir%\java.exe" and "%Windir%\services.exe" (a Trojan horse detected as Backdoor.Zincite.A)
Note: "%Windir%" is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* High volume of atypical SMTP activity from infected machines
* Instability
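
A mass mailer with its own SMTP engine typically connects straight to many outside mail servers on port 25 instead of going through the campus relay, which is what makes the SMTP activity atypical. The following added example (not part of the original alert) flags such hosts in flow records; the log format, all addresses, the relay address and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not from the original alert).
# Assumed format: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2005-02-17T08:00:01 10.1.1.20 192.0.2.10 25
2005-02-17T08:00:02 10.1.2.33 198.51.100.5 25
2005-02-17T08:00:02 10.1.2.33 198.51.100.77 25
2005-02-17T08:00:03 10.1.2.33 203.0.113.9 25
2005-02-17T08:00:03 10.1.2.33 203.0.113.40 25
2005-02-17T08:00:04 10.1.2.33 198.51.100.5 25
2005-02-17T08:00:05 10.1.3.7 198.51.100.5 25
2005-02-17T08:00:06 10.1.3.7 203.0.113.9 80
2005-02-17T08:00:07 10.1.1.20 192.0.2.10 25
truncated-record 10.1.9.9
"""

# Assumption: address of the sanctioned campus mail relay (placeholder).
MAIL_RELAYS = {"192.0.2.10"}


def find_direct_smtp_senders(flow_text, relays=MAIL_RELAYS, min_dests=3):
    """Return {src_ip: [dst_ip, ...]} for hosts that opened port 25
    connections to at least `min_dests` distinct servers that are not
    a sanctioned relay. Normal clients only talk SMTP to the relay."""
    dests = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated records
        _timestamp, src, dst, port = parts
        if port != "25" or dst in relays:
            continue  # not SMTP, or SMTP to the expected relay
        dests[src].add(dst)
    # Repeat connections to one server count once; breadth is the signal.
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_dests}


if __name__ == "__main__":
    for host, servers in find_direct_smtp_senders(SAMPLE_FLOWS).items():
        print(f"{host}: direct SMTP to {len(servers)} external servers")
```

Hosts flagged this way can then be checked for the files listed above.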

Remediation for Infected Users
* Use the removal tool available for download from Symantec at
http://www.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html

* CIRT tickets will be filed for detected infected machines.
* Vulnerability scans will be performed prior to machine unfilter.

Actions for All Users
* Verify that Symantec Antivirus definitions are up to date (2/16/2005 rev. 24)
* Verify that File System Realtime Protection is enabled (i.e. gold shield in system tray)

Handling
* All users who need assistance should contact the Help Desk at 863-HELP.
