Computer Security Alerts

Virus Alert and Protection

THE BEST PROTECTION IS TO KEEP YOUR WINDOWS AND YOUR VIRUS PROTECTION UPDATED.

 


 

DATE ISSUED: May 24, 2004

NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION CYBER INFORMATION BULLETIN

SUBJECT: Increase in State Web Defacement Activity.

Over the past two days we have seen a significant increase in the number of website defacements impacting state sites (.state.xx.us, .gov, etc.). Eight states had one or more of their web sites defaced.

It should also be noted that the attacker(s) have successfully defaced sites running varied operating systems and web servers, although the primary operating system was identified as Windows 2000 running the IIS/5.0 web server.

Please review external facing web servers to ensure they are appropriately patched.


Sobig.F VIRUS

SUBJECT: Mass-mailing worm, W32.Sobig.F@mm

OVERVIEW:

W32.Sobig.F@mm is a mass-mailing, network-aware worm which is spreading rapidly. Detecting it requires the anti-virus signatures released today, so make sure your AV software is current with all updates as of today.

SYSTEMS AFFECTED:

Windows 95/98/ME/NT/2000/XP

DESCRIPTION:

According to the Symantec description of this worm, Sobig.F sends copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine, as an attachment, to e-mail addresses it finds on the victim's computer in files with the following extensions: .dbx, .eml, .hlp, .htm, .html, .mht, .wab, .txt.

The worm usually arrives in e-mails with the following characteristics:

From: filled with an address found on the infected system. If no address is found, it uses "admin@internet.com".

To: filled with an address found on the infected system.

Subject, any one of:
Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie

Body, one of the following two lines:
See the attached file for details
Please see the attached file for details.

Attachment name, any one of:
application.zip (contains application.pif)
details.zip (contains details.pif)
document_9446.zip (contains document_9446.pif)
document_all.zip (contains document_all.pif)
movie0045.zip (contains movie0045.pif)
thank_you.zip (contains thank_you.pif)
your_details.zip (contains your_details.pif)
your_document.zip (contains your_document.pif)
wicked_scr.zip (contains wicked_scr.scr)

MITIGATING FACTORS:

Make sure your virus definitions are current as of today.
Filter out .pif and .scr attachments at your email gateway.
Since this may also arrive in a zip file, you may want to consider temporarily isolating zip files.

REFERENCES:

McAfee: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100561

Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

Sophos: http://www.sophos.com/virusinfo/analyses/w32sobigf.html

Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F

------------------------------------------------------------------

Microsoft Baseline Security Analyzer:

As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA).

MBSA Version 1.1.1 includes a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows 2000, Windows XP, and Windows Server 2003 systems and will scan for common system misconfigurations in the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002. MBSA will also scan for missing security updates for the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS 4.0 and 5.0, SQL Server 7.0 and 2000, IE 5.01 and later, Exchange 5.5 and 2000, and Windows Media Player 6.4 and later.

You may download the Microsoft Baseline Security Analyzer at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/mbsahome.asp


From: Information Technology Resources
Re: Virus Alert
Blaster Worm: Worm is Exploiting Microsoft RPC DCOM Vulnerability

A worm began spreading on the Internet early Monday morning that exploits a recent vulnerability in Microsoft Operating Systems. The worm, dubbed Blaster, takes advantage of a known vulnerability in Microsoft RPC DCOM that affects all current versions of Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

The worm begins by targeting Microsoft systems that have not been properly patched for the known RPC DCOM vulnerability. Once the worm detects an unpatched system, it will attempt to download and run a file called msblast.exe. If successful in infecting a system, the worm will propagate itself, modify Windows registry settings, and initiate a SYN flood denial-of-service attack on windowsupdate.com.

The worm payload does not contain any additional malicious content; however, because of the nature of the worm and the speed at which it attempts to impact systems, it can potentially create a denial-of-service attack against windowsupdate.com.

Removal:

Delete the following value from the registry Run key:

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "windows auto update"
String: "msblast.exe"

Look for "msblast.exe" running in the Task Manager. If it is running, kill the process. Then delete the file %systemroot%\system32\msblast.exe.

Prevention:

Install the Microsoft patch available from: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

ALWAYS KEEP YOUR VIRUS PROTECTION SOFTWARE UPDATED!!!!!

W32.Sobig.E@mm virus alert

To: The Lehman College Community
From: Information Technology Resources
Subject: W32.Sobig.E@mm virus alert

Recently a virus, W32.Sobig.E@mm, has been circulating. Its distribution and damage are high. Do not open any e-mail with the following subjects:

Re: Application
Re: Movie
Re: Movies
Re: Submitted
Re: ScRe:ensaver
Re: Documents
Re: Re: Application ref 003644
Re: Re: Document
Your application
Application.pif
Applications.pif
movie.pif
Screensaver.scr
submited.pif
new document.pif
Re: document.pif
004448554.pif
Referer.pif

Also ignore/delete any email with the following attachments:

your_details.zip (contains details.pif)
application.zip (contains application.pif)
document.zip (contains document.pif)
screensaver.zip (contains sky.world.scr)
movie.zip (contains Movie.pif)
If you would like more information on the virus, please click on the link below. Thank you.

http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html

Updated ( 06-029-2003 )
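The two Sobig alerts above (Sobig.F and Sobig.E) both come down to the same gateway rule: match the listed subjects and attachment names, filter .pif/.scr, and look inside zip files because the payload may be wrapped. The following triage function is an added example, not code from Lehman ITR or from any vendor advisory; the indicator lists are copied from the alerts, and the sample message it builds is constructed inline (the "admin@internet.com" sender is the fallback address the Sobig.F alert describes).

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

KNOWN_SUBJECTS = {  # subject lines listed in the Sobig.F and Sobig.E alerts
    "Re: Thank you!", "Thank you!", "Your details", "Re: Details", "Re: Re: My details",
    "Re: Approved", "Re: Your application", "Re: Wicked screensaver", "Re: That movie",
    "Re: Application", "Re: Movie", "Re: Movies", "Re: Submitted", "Re: Documents",
    "Re: Re: Document", "Your application",
}
KNOWN_ATTACHMENTS = {  # .zip names listed in the same alerts
    "application.zip", "details.zip", "document_9446.zip", "document_all.zip", "movie0045.zip",
    "thank_you.zip", "your_details.zip", "your_document.zip", "wicked_scr.zip",
    "document.zip", "screensaver.zip", "movie.zip",
}
BLOCKED_EXTENSIONS = (".pif", ".scr")  # filtered at the gateway per the alert

def zip_members(data: bytes) -> list[str]:  # [] when the bytes are not a valid zip
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def triage(raw: bytes) -> list[str]:
    """Reasons a raw RFC 822 message should be quarantined ([] means clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    reasons = ["subject:" + subject] if subject in KNOWN_SUBJECTS else []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in KNOWN_ATTACHMENTS:
            reasons.append("attachment:" + name)
        if name.endswith(BLOCKED_EXTENSIONS):
            reasons.append("extension:" + name)
        for member in zip_members(part.get_payload(decode=True) or b""):  # wrapped payload
            if member.lower().endswith(BLOCKED_EXTENSIONS):
                reasons.append(f"zip-member:{name}:{member}")
    return reasons

def build_sample(subject: str, zip_name: str, member: str) -> bytes:  # constructed test message
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a real binary")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "admin@internet.com", "user@example.edu", subject
    m.set_content("See the attached file for details")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return m.as_bytes()
```

Running `triage(build_sample("Re: Your application", "application.zip", "application.pif"))` reports the subject, the attachment name and the .pif found inside the zip, while a message with an unlisted subject and a zip holding only a .txt yields an empty list.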


Virus

Another virus is making the rounds. This one is called W32/Sobig-C. It will arrive in an e-mail as an attachment with an extension of .pif

Do not open the attachment. Delete the e-mail and the attachment from your pc.

For those of you that use Norton (Symantec) anti-virus software, the latest updates will prevent this virus from infecting your system. We advise updating the virus definition files frequently.

More information is available at the helpdesk x.1111.

Updated ( 06-05-2003 )


Dameware installing itself on your computer

How to fix: Search for "dwrc" and delete all the files you can. You won't be able to delete dwrcs.exe because it is in use. Then go to Start / Run, type in "regedit", go to HKEY Local Machine / Software and delete the "Dameware" folder. Then restart your computer and delete dwrc.exe.


Virus Alert 


Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technique, most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once, and then Klez will never come into your PC.

NOTE: Because this tool acts as a fake Klez to fool the real worm, some AV monitors may cry when you run it. If so, ignore the warning and select 'continue'.

 

If you have any questions, please e-mail: BuddhaFrancis@msn.com
 

© 2004 Lehman College