Virus Prevention Links
UCLA is offering free anti-virus software, Sophos, to all students, faculty and staff for use on UCLA computers and personal home computers until October 2007. The software can be downloaded from Bruin OnLine. It is important to follow the installation instructions. In particular, remove your existing anti-virus software, or at least disable it, before installing Sophos: two on-access anti-virus products cannot run at the same time, because they conflict and cause problems on your computer.
Trend Micro HouseCall: a web-based anti-virus scanner that lets you check your PC for viruses immediately, without installing any software.
More Virus Updates: if you can't find the virus you are looking for on this site, check Symantec Security Response.
yhoo32.explr
May 2006
Description
This worm affects users of Yahoo! Instant Messenger. It installs its own web browser, called Safety Browser, on the PC; this is the first recorded case of malware installing its own web browser without the user's permission. It uses the Internet Explorer icon so that it can be mistaken for IE. It has two components:
- The first is the web browser itself, "Safety Browser". This stand-alone application has no uninstaller and in some instances disguises itself with an Internet Explorer logo. It also hijacks the Internet Explorer home page and points it at Safety Browser's home page (demoplanet.tv), and it plays looped music that cannot be stopped when the PC or Safety Browser starts.
- The second is the self-propagating worm. It spreads by inserting a link into existing Messenger conversations on an infected PC: when an infected user starts or joins a conversation, a link is inserted at random points in the conversation, and anyone who follows it is infected in turn.
Yahoo has not yet released a response.
Troj/Oscor-B
August 2005
Description
Troj/Oscor-B is a Trojan horse that exploits an unpatched vulnerability in Microsoft Word 2000, Word XP and Word 2003; opening the malicious document gives a third party access to the affected computer. From the Sophos site: "The Trojan horse has not been distributed widely, and appears to have been used by the hackers to target a specific organization. However, if information about how to exploit the Word vulnerability falls into the public domain Sophos warns that more attacks could emerge."
Visit the Sophos website for further information and to download current IDE files.
ZOTOB
August 2005
Description
Also known as ZOTOB.WORM.
This worm affects Microsoft Windows. It spreads by exploiting the Windows Plug and Play vulnerability (Microsoft bulletin MS05-039) over the network with no user action required, installs itself in the Registry so that it runs at every start-up, and opens a backdoor that lets others access the computer and reduce its security. Unpatched Windows 2000 systems are exploitable by anonymous remote attackers and have been the worm's main victims, so apply MS05-039 to those first.
Visit the Sophos website for further information and to download current IDE files.
Sober-N
May 2005
Description
W32/Sober-N is a mass-mailing worm which sends itself to addresses harvested from the infected computer. The latest version of the Sober worm, Sober-N, is being spread around the world using a universal ploy: it offers free tickets to the 2006 World Cup finals in Berlin to lure people into opening the email attachment. The message's sender address is forged to look as if it came from the @fifa.de domain. The worm is the attachment: open it and the worm runs on your computer. Sober-N does not damage files the way some other worms do; what it does do is clog your computer and the mail system and slow them down dramatically.
Visit the Sophos website for further information.
Bofra & Bofra-B
November 2004
Description
Bofra worms spread via an unpatched Internet Explorer security hole:
The newly discovered Bofra worms (which some anti-virus vendors have incorrectly described as variants of the MyDoom worm) exploit a critical flaw in Internet Explorer (the IFRAME buffer overflow, later fixed by Microsoft bulletin MS04-040). The email carries no attachment: it contains a link to a web server running on an already-infected computer, and infection occurs when the recipient clicks the link in Outlook and a vulnerable Internet Explorer opens the page.
Bofra-B worm poses as a PayPal credit card purchase:
Anti-virus experts at Sophos have warned users to be wary of unsolicited emails appearing to come from PayPal, as they may be luring the unwary into infection by the W32/Bofra-B worm. The worm sends emails pretending to be a PayPal notification of a $175 credit card purchase.
How does the Bofra worm spread?
Since Monday 8 November 2004, Sophos has seen an increase in activity by the Bofra family of worms, which use both email and the recently discovered Microsoft vulnerability to spread. Until the IE flaw is patched, do not click links in unexpected emails, and keep your anti-virus IDE files current.
Download.ject
July 2004
Description
Microsoft has confirmed a report of a security issue known as Download.Ject affecting customers using Microsoft Internet Explorer, a component of Microsoft Windows. Compromised web servers silently serve script that exploits IE and installs a Trojan on the visitor's PC.
Important: users of Windows XP Service Pack 2 Release Candidate 2 (Windows XP SP2 RC2) are not at risk.
Microsoft has released a configuration change for Windows XP, Windows 2000, Windows Server 2003, Windows Millennium Edition, Windows 98 and Windows 98 Second Edition to address this issue; it disables the ADODB.Stream object that the attack uses and is available from Windows Update.
This is a workaround that blocks the known attack, not a fix for the underlying vulnerability. Some experts recommend not using IE until it is actually fixed and using Netscape/Mozilla or Opera instead.
Sasser
May 2004
Description
Sasser Worm Overview
The worm, labeled Sasser.A, propagates by exploiting a flaw in the Microsoft Windows LSA (Local Security Authority) Service (LSASRV.DLL); the patch is Microsoft bulletin MS04-011. It targets computers running Windows 2000 and Windows XP, workstations as well as servers, that have not been patched for the vulnerability. Sasser executes without requiring any action on the part of the user.
The Sasser worm can infect any vulnerable computer that is switched on and connected to the Internet. Unlike email worms, it is not spread by email and does not require any user action to propagate. In reported instances the worm has been observed shutting down a computer and then automatically rebooting it, repeating several times: the exploit crashes LSASS.EXE, and Windows forces a restart when that process dies.
Sasser scans random IP addresses for vulnerable systems. When one is found, the worm exploits the LSASS flaw over TCP port 445 and opens a command shell on TCP port 9996 of the victim, through which it runs a short script that instructs the victim to download the worm from the infecting host and execute it. The infecting host serves this FTP traffic on TCP port 5554. A Windows machine listening on 5554 or 9996, or scanning outbound on 445, is almost certainly infected.
Sophos has released a free removal tool which disinfects computers infected by the fast-spreading Sasser internet worm (W32/Sasser-A and W32/Sasser-B).
Home users who do not know if their computers are running the latest Microsoft security patches should visit the Microsoft Windows Update website.
MyDoom
January 2004
Description
MyDoom, the latest worm to infect computers on the Internet, was designed to launch a denial-of-service attack on the web site of the SCO Group Inc., the small software maker suing IBM over the use of software code in the Linux operating system, according to the experts who analysed it.
The worm, also known as Novarg or Shimgapi, is activated when an unsuspecting recipient of an email message opens the file attachment, which runs the worm. It then mails itself to addresses harvested from the infected computer.
Disinfection information is available for users of the campus-licensed Sophos anti-virus software. The Sophos site also provides further information on the worm and its effects.
W32/Bagle-A
March & January 2004
Description
March 2004 update
W32/Bagle-A is a worm that sends itself to addresses harvested from files on the hard disk. The worm spoofs the "From" field in the emails it sends, which means a message may appear to have come from someone you know. The attached file may appear with a calculator icon, and when run the worm deliberately launches the Windows Calculator as a disguise while it installs itself.
Xombe (Dloader-L)
January 2004
Description
A new Trojan has appeared that masquerades as a Microsoft patch. It primarily targets Internet users whose computers lack any security tools and who can be lured into opening an attachment, supposedly for security reasons. Threats like this are likely to become a more common way of breaching systems: why go to the trouble of hacking a machine when you can send the user a nice-looking email and let them install the backdoor for you? View all incoming email with caution and verify its legitimacy before opening an executable attachment. Microsoft does not distribute patches as email attachments.
The Xombe email claims to be a critical update for Windows XP. Xombe is a Trojan horse that downloads an executable file which can launch a denial-of-service attack. The message is also crafted to try to get the malicious code past anti-virus software.
If you are using Sophos with automatic updates, detection for this threat has already been delivered. If you are using another anti-virus product, check for an update.
Sobig.F
August 2003
Description
Sobig.F is a worm that spreads by SMTP and by copying itself to network shares. It arrives as an executable email attachment; when the user opens the attachment, the worm searches the local computer for anything that resembles an email address and then uses its own built-in SMTP engine to mail itself to every address it found, without going through the user's mail program. Sobig.F puts a spoofed address, taken from the harvested list, in the From: field, so it is difficult to locate the original sender.
During the Sobig.F outbreak, most anti-virus gateways were configured to clean the mail and then send a notification of infected mail to both the sender and the receiver. Because Sobig.F forges the sender with a random harvested address, many people received multiple notifications that they had sent virus-infected email when in fact their own computer was not infected. Such notifications should go only to the recipient, never to the From: address.
For further information:
http://vil.nai.com/vil/content/v_100429.htm#Symptoms
http://www.sophos.com/support/disinfection/sobigf.html
Blaster
August 2003
Description
The MSBlaster/Lovsan/Poza worm continues to propagate Internet-wide and is a serious issue at UCLA. It exploits the RPC DCOM vulnerability described in Microsoft bulletin MS03-026 by connecting to TCP port 135 on unpatched Windows systems; no user action is required.
*** It is important that you patch all vulnerable Windows systems and ensure your anti-virus software is up to date. Information can be found in the references below and at many other sites. Windows NT, 2000, XP and Server 2003 systems are vulnerable.
*** You may wish to consider blocking specific ports locally (135, 137, 138, 139, 445 and 593 on tcp and udp, plus 4444/tcp and 69/udp, which the worm uses to fetch its copy), depending on what services are in use within your unit. See the CERT advisory in reference 2 below for network filtering information.
*** Please note that MSBlaster is only one method of exploiting the underlying Microsoft vulnerability. Other exploits can give third parties essentially complete control over vulnerable systems. If those systems hold personal data and that data is compromised, it may be necessary to notify the people whose data was compromised. Please see reference 6 for more information.
To make repairs, or if you have questions, please contact IT Security Architect John DeGolyer at 7-4949 or john@ais.ucla.edu.
REFERENCES
1. General information
http://reviews.cnet.com/4520-6600_7-5062389.html?tag=cnetfd.sd
http://isc.sans.org/images/port135percent.png
2. Information about the underlying vulnerability
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.cert.org/advisories/CA-2003-19.html
3. Anti-virus pages on this exploit
http://www.sophos.com/virusinfo/analyses/w32blastera.html
http://vil.nai.com/vil/content/v_100547.htm
4. Blaster worm analysis
http://www.eeye.com/html/Research/Advisories/AL20030811.html
http://isc.sans.org/diary.html?date=2003-08-11
5. Free scanning tool: Retina RPC DCOM Vulnerability Scanner from eEye Digital Security
6. New legislation requires disclosure of security breaches of personal information contained in computerized data
W32/Palyh@MM
May 2003
Description
On May 18, 2003 the W32/Palyh@MM virus began spreading worldwide. The email is forged as if it came from "support@microsoft.com" and is about 70 KB in its MIME-encoded form; the attachment is about 50 KB after decoding. A quick analysis of the virus indicates that it forges its "From:" field as "support@microsoft.com" and no other address, so any message with an attachment that claims to come from that address should be treated as the worm. The virus currently infects only Windows machines; it will not infect Macintoshes or other operating systems.
NAI has already released the 4265 DAT files to cover W32/Palyh. Please be sure to UPDATE your .DAT file as soon as possible.
To check your current .DAT file, right-click on the VShield icon in the System Tray (by the clock) and choose <About>. If you're current, it will say "VirusScan v.4.5.1 SP1" and then list the definitions version (4.0.4265) and engine (4.2.40). For more information on this virus, see http://vil.nai.com/vil/content/v_100307.htm
If you have any questions or problems, please contact Software Central.
Microsoft SQL Worm (SQL Slammer)
January 2003
Description
An Internet worm (SQL Slammer, also called Sapphire) taking advantage of a remote vulnerability in Microsoft SQL Server is currently wreaking havoc on networks around the nation. It exploits a buffer overflow in the SQL Server 2000 Resolution Service (Microsoft bulletin MS02-039, patched in July 2002) with a single UDP packet and carries nothing beyond the code needed to scan and re-infect; the damage is the scanning traffic itself. Current reports indicate that the denial-of-service conditions caused by the worm began at around 01/25/2003 21:00 PST. As the vulnerability is at the server level, server administrators must take steps to mitigate exposure of their servers.
Microsoft SQL Server 2000 and MSDE 2000 (the desktop engine embedded in many third-party products) are affected.
Packets involved in worm activity can generally be characterized in the following manner:
1) Destination port of involved packets is 1434/udp.
2) Packet length is about 400 bytes on the wire (a 376-byte UDP payload).
3) Source IP addresses appear to be real (unspoofed).
4) Destination IP addresses appear to be random.
5) Attack may be accompanied by ICMP packet storms (port-unreachable replies from the random targets that run no SQL service).
Failure to secure vulnerable servers may result in the compromise of those servers and subsequent problems on local networks.
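As an added example (not part of the original CTS notice), the following Python script applies the five characteristics above to a handful of constructed flow records and names the sources that are scanning. The record layout, timestamp/proto/src/dst/dport/bytes, is an assumption standing in for whatever your router or sensor exports; the size window is the worm's 404-byte packet with a little slack, and the fan-out threshold is what separates a scanning worm from a legitimate client that asks one SQL server which instance to talk to.

```python
"""Flag SQL Slammer-style scanning in flow records.

Added example, not from the original UCLA notice. The flow records below
are constructed for illustration, and the field layout
(timestamp proto src dst dport bytes) is an assumption, not a real
NetFlow export. The signature follows the characteristics listed above:
UDP to port 1434, about 400 bytes on the wire, unspoofed source, random
destinations.
"""
from collections import defaultdict

SLAMMER_PORT = 1434
# 376-byte UDP payload + 8-byte UDP header + 20-byte IP header = 404 bytes
SLAMMER_MIN, SLAMMER_MAX = 380, 420
MIN_DISTINCT_DST = 3  # fan-out at which a source is called "scanning"

# Constructed sample: one infected host (10.1.2.3) spraying 1434/udp,
# plus legitimate SQL traffic and small resolution-service queries.
SAMPLE_FLOWS = """\
1043550000 udp 10.1.2.3 192.0.2.7 1434 404
1043550000 udp 10.1.2.3 198.51.100.9 1434 404
1043550001 udp 10.1.2.3 203.0.113.45 1434 404
1043550001 udp 10.1.2.3 192.0.2.200 1434 404
1043550001 tcp 10.1.5.5 10.1.2.3 1433 1200
1043550002 udp 10.1.9.9 10.1.2.3 1434 60
1043550002 udp 10.1.9.9 10.1.2.3 1434 60
1043550003 udp 10.1.7.7 10.1.2.3 53 90
"""


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport, nbytes = line.split()
        records.append({"ts": int(ts), "proto": proto, "src": src, "dst": dst,
                        "dport": int(dport), "bytes": int(nbytes)})
    return records


def is_slammer_packet(rec):
    """Characteristics 1 and 2: 1434/udp and a Slammer-sized datagram.
    Legitimate resolution-service queries are only a few dozen bytes."""
    return (rec["proto"] == "udp" and rec["dport"] == SLAMMER_PORT
            and SLAMMER_MIN <= rec["bytes"] <= SLAMMER_MAX)


def find_scanners(records, min_dst=MIN_DISTINCT_DST):
    """Characteristics 3 and 4: group matching packets by (real) source and
    keep the sources that hit at least `min_dst` distinct destinations.
    Returns {src: sorted list of destinations}."""
    targets = defaultdict(set)
    for rec in records:
        if is_slammer_packet(rec):
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_dst}


if __name__ == "__main__":
    for src, dsts in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} is probably infected: "
              f"{len(dsts)} distinct 1434/udp targets, block it at the edge")
```

Run against a real export, the size window is what keeps the alert list short: every Slammer packet is the same length, while the legitimate 1434/udp traffic on a campus network is tiny and goes to a handful of known servers.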
Please see the security
advisory from NGSSoftware regarding network
security implications of the vulnerability (including
firewall recommendations).
Communications Technology Services - Systems
Operations
Network Operations Center
Phone: (310) 206-5345
Email: noc@noc.ucla.edu
Refer to http://www.noc.ucla.edu/operations/notices.html
for the latest CTS notices.
KLEZ Virus
June 2002
Description
During the past few months there has been an increase in the proliferation of variants of the Klez computer worm, an Internet worm that spreads by copying itself to other computers. Klez usually arrives as an email attachment and infects PCs running the Windows operating system; computers running non-Windows operating systems are not vulnerable to Klez. Once a computer is infected, Klez automatically sends out copies of itself whenever the machine is connected to the Internet, usually without the user's knowledge.
Klez also spoofs the email "FROM:" field. The sender address it uses is one found on the infected user's system, so it may appear that you received the worm from one person when it was actually sent from a different user's machine. The result is that an infected machine sends out email under other people's addresses, making it look as if those users sent a viral email when in fact they did not. This adds to the confusion in tracing the real infected culprit, and complaints are often generated against the owners of the spoofed "FROM:" addresses. Do not rely on the "FROM:" address when deciding who is infected; the Received: headers added by the mail servers are the only reliable record of where a message entered the network.
To protect your computer from Klez and many other viruses, first make sure that your Windows operating system is up to date with the latest patches and updates. The Microsoft Windows Update site can be found at: http://windowsupdate.microsoft.com/
You should install any critical updates that are available for your computer.
If you are using an anti-virus program, make sure that its virus definitions are up to date and scan your computer for viruses on a regular basis. If you don't have anti-virus software, McAfee VirusScan is available as a free download from the Bruin OnLine website at: http://www.bol.ucla.edu/software/win/
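The spoofed "FROM:" problem described for Klez above, and the misdirected "you sent us a virus" notifications described for Sobig.F earlier on this page, come down to one rule: the From: header is whatever the worm wrote, and only the Received: headers added by relays you control say where a message actually came from. The following script is an added example (not part of the original UCLA notice or of any anti-virus product): it takes a constructed Sobig.F-style message, finds the IP address that handed it to the first campus relay, and decides whether the From: address is a forgery that must not be sent a notification. The domain example.edu, the relay host names and the 192.0.2.0/24 campus address range are assumptions.

```python
"""Attribute a worm message to the host that injected it, not to From:.

Added example, not from the original notice. The message, domain, relay
names and address range below are all constructed/assumed.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.edu"                                 # assumption
OUR_RELAY_HOSTS = {"mx2.example.edu", "mail.example.edu"}  # assumption: relays we run
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]      # assumption: campus space

# Constructed sample: From: claims a campus user, but the bottom Received:
# header (the earliest hop) shows an outside host handing it to our relay.
SAMPLE_MESSAGE = b"""\
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby mx2.example.edu (Postfix) with ESMTP id 4F2A1; Sat, 23 Aug 2003 10:02:11 -0700
Received: from unknown (HELO smtp.bigisp.example) ([203.0.113.77])
\tby mail.example.edu with SMTP; Sat, 23 Aug 2003 10:02:09 -0700
From: "Jane Doe" <jdoe@example.edu>
To: <helpdesk@example.edu>
Subject: Re: Thank you!
Date: Sat, 23 Aug 2003 10:01:55 -0700

Please see the attached file for details.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.\-]+)", re.IGNORECASE)


def parse_received(value):
    """Return (sending_ip, receiving_host) from one Received: header value."""
    ip = IP_RE.search(value)
    by = BY_RE.search(value)
    return (ip.group(1) if ip else None, by.group(1).lower() if by else None)


def injecting_host(raw):
    """IP that handed the message to the earliest relay we control.

    Every hop prepends its own Received: header, so the last header in the
    list is the earliest. Anything below the first header written by one of
    our relays was added by outside systems (or by the worm itself) and is
    not evidence of anything."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for value in reversed(msg.get_all("Received", [])):
        ip, by = parse_received(str(value))
        if by in OUR_RELAY_HOSTS and ip:
            return ip
    return None


def claimed_sender(raw):
    """The address the message claims in From:, lower-cased."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return parseaddr(str(msg.get("From", "")))[1].lower()


def from_is_forged(raw):
    """True when From: claims our domain but the message entered from outside
    our networks: the address is a Klez/Sobig-style forgery, and sending it
    a virus notification only spreads the confusion."""
    sender = claimed_sender(raw)
    origin = injecting_host(raw)
    if not sender.endswith("@" + OUR_DOMAIN) or origin is None:
        return False
    addr = ipaddress.ip_address(origin)
    return not any(addr in net for net in OUR_NETWORKS)


if __name__ == "__main__":
    print("claimed From:", claimed_sender(SAMPLE_MESSAGE))
    print("injected from:", injecting_host(SAMPLE_MESSAGE))
    print("forged:", from_is_forged(SAMPLE_MESSAGE))
```

The same check tells the help desk which machine to chase: the injecting IP (here the outside address 203.0.113.77) is where the infection lives, whatever the From: line says.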
There are a number of free Klez removal utilities available on the Internet; Symantec has one available for download.
A more detailed explanation of the Klez worm family can be found in the Kaspersky Virus Encyclopedia.
Please use the above information to secure
your computer and prevent it from spreading
this worm.
If you have any questions or need assistance
performing any of the above instructions, please
contact the Bruin OnLine Help Desk at (310)
825-7452, option 1.
-Bruin OnLine Help Desk-
PROTOS Remote SNMP Attack Tool
February 2002
Description
A powerful SNMP (Simple Network Management Protocol) attack tool may be circulating in the computer underground. The PROTOS SNMP test suite, originally a stress-testing tool from the Oulu University Secure Programming Group, sends thousands of malformed SNMPv1 messages (request and trap PDUs with deliberately bad BER encoding) to SNMP daemons from a remote system to discover programming flaws or exploitable vulnerabilities. It can immediately crash SNMP daemons and hardware devices running SNMP, and some of the flaws it exposes allow remote code execution (see CERT advisory CA-2002-03). SNMP is a widely used network-management protocol on the Internet: nearly every operating system, router, switch, cable or DSL modem and firewall ships with an SNMP agent, often enabled by default with the well-known community string "public". Disable SNMP on devices that do not need it, filter 161/udp and 162/udp at the network edge, change default community strings, and apply vendor patches.
Myparty Worm
January 2002
Description
W32.Myparty@mm is a mass-mailing email worm. It spreads only between January 25, 2002 and January 29, 2002, but it remains active on infected computers after that period. The worm sends email to all contacts in the Windows Address Book and to email addresses it finds in Outlook Express inboxes and folders. The attachment is named to look like a web address but is actually an executable file with a .COM extension, not a URL; running the attachment infects the local machine. The worm sends an email that looks like this:
Subject: new photos from my party!
Message: Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos.
Thanks!
Goner Virus
December 2001
Description
Goner is a mass-mailing worm, not a server exploit: it arrives as an email attachment (a screensaver file) and affects users running Microsoft Outlook, and it also spreads over ICQ.
**Note: If a user launches the attachment, it attempts to delete the files of several anti-virus and personal firewall products, leaving the computer unprotected.
BadTrans.B Worm
November 2001
Description
The worm spreads by email and affects users running unpatched Microsoft Internet Explorer 5.01 and 5.5 in conjunction with Microsoft Outlook or Outlook Express. It uses the IE MIME-header vulnerability (Microsoft bulletin MS01-020) so that the attachment runs automatically when the message is merely previewed; installing the MS01-020 patch stops this. It also installs a keystroke logger that mails captured passwords to the worm's author.
To read more about this worm, refer to the following:
"Worm hits home for the holidays"
Known as BadTrans.B, the worm installs hacking software on infected computers. It hit home e-mail users hard last weekend, but the damage to corporate consumers was less than previously anticipated.
"New Worm Replaces Sircam as No. 1"
An e-mail worm that appears to be a reworked version of the virulent Nimda infection is on the loose and in the wild.
"BadTrans.B Virus Attacks"
There's a vicious virus circulating through email and you can be infected, just by opening your inbox.
W32.Nimda.A@mm (Nimda) Worm
September 2001
Description
The worm affects Microsoft Internet Information Servers (IIS) 4.0 or 5.0 that run under Windows 2000 or Windows NT 4.0 and have not yet been patched. Nimda also spreads by email attachment, through open Windows network shares and to browsers that visit an infected web site, so workstations need patching as well as servers.
Please refer to the UCLA IT Security and Policy Coordinator's Page for more information and continuous updates on the worm.
Code Red Worm
July 2001
Description
The worm affects Microsoft Internet Information Servers (IIS) 4.0 or 5.0 that run under Windows 2000 or Windows NT 4.0 and have not yet been patched; it exploits the buffer overflow in the IIS Index Server ISAPI extension (.ida) described in Microsoft bulletin MS01-033. If you are a CSC or Network Coordinator, please scan your own networks for vulnerable systems with a vulnerability scanner and have them patched before 5:00 pm Tuesday, July 31.