University Computing Service

Latest Virus Alerts

UPS Mass Mailer Trojan (week of 21-25th July 2008)

This mass mailed attack was widely distributed throughout the University this week and unfortunately a number of people took the bait.

This mass-mailing trojan purports to be from UPS, informing you of a missed delivery (although the From: address does not look like a UPS email address), and carries a rather nasty rootkit which is installed if the infected zip file is opened. In some versions the executable inside is also set to auto-run.

Cleaning instructions can be found here.

Central AV systems are being monitored to keep up with changes to the delivery method and payload, as the trojan has morphed at least 3 times so far this week.

Microsoft word zero day vulnerability (11 Dec 2006)

NAI have released a Threat Notice for Exploit-MSWord.b; detection will be added to the 4915 DAT files (Release Date: 10/12/2006).

From the announcement:

Exploit-MSWord.b is an exploit for a new Microsoft Word zero-day vulnerability that drops a password stealer detected as Generic PWS.j. While this threat has been seen in the wild, reports are minimal, but McAfee Avert Labs is releasing emergency dat files as a precaution.

Further information can be found at the Virus Information Library: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=141056

W32/MyWife.d@MM!M24 aka BlackWorm/BlackMal (25th January 2006)

The MyWife virus (a mass-mailing worm) is currently widespread, but is being filtered out on most Cambridge email systems, including Hermes. However, this virus can also spread via network shares, so it is possible that Cambridge users could be infected by another route, e.g. mail received via external ISPs. The current DAT files, and any previous DAT files above 4677, should detect it.

W32/Brepibot (27th October 2005)

A new variant of W32/Brepibot was noticed in e-mail around the University on the morning of Thursday 27th October 2005. This particular distribution of the virus variant was contained in an attachment called Photo and Article.zip.

VirusScan is capable of detecting and removing the virus when using the 4614 DAT (or later), which is available from the usual Computing Service sources. Running AutoUpdate will install this DAT.

W32/Sober.r@MM (6th October 2005)

W32/Sober.r@MM has been placed on Medium alert by McAfee.

VirusScan is capable of detecting and removing the virus with the latest 4598 DAT available from the usual Computing Service sources. Running AutoUpdate will install this DAT.

W32/IRCbot.worm!MS05-039 (16th August 2005)

This Internet Relay Chat (IRC) bot worm includes the ability to spread by exploiting systems which are not yet patched for the MS05-039 vulnerability. Information on this worm can be found at: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=135491

This worm is designed to contact a remote IRC server and wait for further instructions. The 4560 or later DAT files will protect against it.

W32/Mydoom.bb@MM (17th February 2005)

The W32/Mydoom.bb@MM virus propagates via email, constructing messages using its own SMTP engine. Email addresses are harvested from the victim machine, and the From: address of the outgoing messages is spoofed when the virus sends itself out as an attachment. The virus also downloads the BackDoor-CEB.f trojan.

The Stinger tool has been updated to remove this virus. VirusScan is capable of detecting and removing the virus with the 4429 DAT. Running AutoUpdate will install this DAT.

W32/Bagle.bj@mm (26th January 2005)

Information on this variant of the Bagle mass-mailing virus can be found at: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=131351

An infection is characterised by the existence of files called sysformat.exe, sysformatexeopen and sysformat.exeopenopen in the system32 directory. The 4423 or later DAT files will protect against it.

Newly Discovered World-Wide Threats

Network Associates' webpage of newly discovered threats can be found at http://www.mcafee.com/threat-intelligence/malware/latest.aspx. A more general summary of such threats (which aims to cover the differing names they are known by) can be found at http://cme.mitre.org.

Hoaxes

You may sometimes receive warnings, forwarded to you by someone you know, which describe frightening new e-mail based viruses (e.g. the Jdbgmgr.exe hoax). These are almost always hoaxes. Such hoaxes can generally be identified by a request to forward the information to everyone you know; no genuine anti-virus information will make this suggestion. More information can be found at: http://www.ucs.cam.ac.uk/docs/faq/security/u1.

Unknown Viruses

If you find that no known virus exhibits the symptoms you are seeing, and you have a copy of a file that you believe contains the virus code, information on how to submit a virus sample to NAI can be found here: How To Submit A Virus Sample.