Virus Alerts/Hoax
W32/SQLExp.Worm - January 27, 2003
A new worm/virus, variously known as "Slammer" or "Sapphire"
or "W32/SQLExp.Worm" began making the rounds of the Internet
late last week and cropped up on the MSU campus this past weekend.
More instances of it have been detected today on campus and have
been the source of minor but widespread network outages and extreme
performance problems on the infected hosts. This worm exploits vulnerabilities
identified by Microsoft last July and October in their SQL engine
and can impact both servers and desktop workstations running the
unpatched services. These vulnerabilities and their associated patches
are addressed in Microsoft Security Bulletins at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
More information: http://www.symantec.com/avcenter/index.html
W32.Sobig.A@mm - January 14, 2003
The W32.Sobig.A@mm worm sends itself to all the addresses it finds
in the .txt, .eml, .html, .htm, .dbx, and .wab files. The email
message has the following characteristics:
Subject: The subject will be one of these:
  Re: Movies
  Re: Sample
  Re: Document
  Re: Here is that sample
Attachment: The attachment will be one of these:
  Movie_0074.mpeg.pif
  Document003.pif
  Untitled1.pif
  Sample.pif
For more detailed information about this new worm, visit the Web
Site:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.a@mm.html
W32.BugBear@mm - October 10, 2002
For more detailed information about this new worm, visit the Web
Site:
http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
Klez Worm - July 3, 2002
The Klez worm is still appearing on campus systems.
Remember, as indicated in earlier alerts, the worm attempts to disable
some common antivirus products and has a payload that fills files
with zeroes. On the 6th of any month except January or July,
the worm will attempt to overwrite with zeroes files that have the
extensions .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c,
.pas, .mpg, .mpeg, .bak, or .mp3. If the month is January or July,
this payload attempts to overwrite ALL files with zeroes, not just
those with the aforementioned extensions. This will occur this
Saturday, July 6, 2002. ITS will be taking measures to mitigate
any potential destruction of information under our control; however,
it is your responsibility to check your local system and make
sure the worm does not exist. There is a removal tool that you can
download from http://www.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html.
If you don't feel comfortable downloading and executing the removal
tool, please contact the help desk at 325-0631. In the meantime,
it would be best for you to turn your system off before leaving
for the July 4th holiday.
jdbgmgr.exe HOAX - May 14, 2002
The jdbgmgr.exe file hoax, although not widespread, has arrived
on campus. This hoax tries to persuade you to delete a legitimate
Windows file from your computer. The file that the hoax refers to,
Jdbgmgr.exe, is a Java Debugger Manager. It is a Microsoft file
that is installed when you install Windows. Please ignore any messages
received regarding this hoax. You can read more about this hoax
at the following URL:
http://www.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html
W32.Klez.E@mm - February 25, 2002
A new mass email worm has cropped up today and is rapidly spreading
around the Internet. Several occurrences have been documented
on the MSU campus today.
This virus has been shown to carry a subject line that would
make a user believe that it was a piece of bounced email.
The following link can be visited for more information:
http://www.symantec.com/avcenter/venc/data/w32.klez.e@mm.html
Gone or Goner - December 4, 2001
A new virus/worm is actively propagating on the Internet; the
worm has been dubbed Gone or Goner.
BACKGROUND:
The worm spreads via Outlook email and via IRC. It disables
antivirus and personal firewall software (including deletion of
application files) and allows for remote control of the infected
system via IRC.
The worm email has the following structure:
Subject: Hi
Message Body:
  How are you ?
  When I saw this screensaver, I immediately thought about you
  I am in a harry, I promise you will love it!
Attachment: GONE.SCR
References :
F-Secure - http://www.fsecure.com/v-descs/goner.shtml
Norman - http://www.norman.com/virus_info/w32_goner_a_mm.shtml
TrendMicro - http://www.antivirus.com/vinfo/virusencyclo/default5.asp?
Symantec - http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.html
Sophos - http://www.sophos.com.au/virusinfo/analyses/w32gonera.html
W32.Nimda.A@mm - September 19, 2001
A new mass email worm has cropped up today and is rapidly spreading around the
Internet. Several occurrences have been documented on the MSU campus today.
The following links can be visited for more information:
http://www.cert.org/advisories/CA-2001-26.html
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
W32.Magistr.39921@mm - September 3, 2001
A new mass email worm has cropped up today and is rapidly spreading around the Internet.
Several occurrences have been documented on the MSU campus today.
The following link can be visited for more information:
http://www.symantec.com/avcenter/venc/data/w32.magistr.39921@mm.html
W32.Sircam.Worm@mm - August 30, 2001
A new mass email worm has cropped up today and is rapidly spreading around the Internet.
Several occurrences have been documented on the MSU campus today.
The following link can be visited for more information:
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html