Important:
This Website has been created as a central location where students and faculty/staff
can go to find information as well as patches and fixes for current dangerous viruses that may have infected campus users.
Please run any patches and fixes below that refer to your operating system. If your operating system appears in an entry's "not infected"
list, that particular worm does not affect your machine.
If you have antivirus software on your system, always keep its virus definitions updated
and "real time" scanning turned on. Up-to-date definitions let the scanner detect a worm; only the Microsoft patch named in each entry closes the hole the worm uses to get in.
Antivirus Software:
- If you are a faculty or staff member, ITDS supplies you with Norton Antivirus software for your campus computer.
You can install this from Netsetup. To get to Netsetup, click "Start" then select "Run". Enter q:netsetup in the box and press enter.
Follow the on screen instructions.
- If you are a student, a number of free and trial antivirus products are available on the internet.
The Resnet support web site has some virus utility downloads here.
Virus Info and Fixes
W32.Sasser Worm (Discovered on campus 6/1/2004)
Systems infected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems not infected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011 over TCP port 445.
This worm spreads by scanning randomly selected IP addresses for vulnerable systems; no user action (opening mail or an attachment) is needed for an unpatched machine to be infected.
Patches and fixes:
Symantec Security Response has developed a removal tool to clean the infections
of the following variants of the W32.Sasser worm: W32.Sasser.Worm, W32.Sasser.B.Worm, W32.Sasser.C.Worm, W32.Sasser.D.Worm, W32.Sasser.E.Worm.
This removal tool can be found on Symantec's website or by clicking here.
NOTE: Please click the following link and read the instructions on how to run this removal tool: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html.
If your Norton Antivirus virus definitions are up to date, Norton will detect this worm. Installing the Microsoft patch for MS04-011 closes the vulnerability it exploits, so do both.
You can manually update these definitions by downloading the intelligent updater and running it on your computer.
The following link will allow you to download the updater for May 31, 2004 definitions: 20040531-018-x86.exe
W32.Korgo.D and W32.Korgo.E (Discovered on: May 30, 2004)
Systems infected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems not infected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
These are variants of the W32.Korgo.C worm.
W32.Korgo.C is a worm that propagates by exploiting the LSASS vulnerability on TCP port 445
(as described in Microsoft Security Bulletin MS04-011) and opens a backdoor on TCP ports 113 and 3067.
Patches and fixes:
There is no dedicated removal tool for these worms at this time. The Microsoft patch for MS04-011 closes the LSASS vulnerability they exploit and prevents infection.
If your Norton Antivirus virus definitions are up to date, Norton will detect these worms.
You can manually update these definitions by downloading the intelligent updater and running it on your computer.
The following link will allow you to download the updater for May 31, 2004 definitions: 20040531-018-x86.exe
W32.Novarg.A@mm (Discovered on: January 26, 2004)
Systems infected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems not infected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
W32.Novarg.A@mm is a mass-mailing worm. The worm will arrive as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip.
When the machine gets infected, the worm sets up a backdoor into the system by listening on TCP ports 3127 through 3198.
This potentially allows an attacker to connect to the machine and use it as a proxy to reach its network resources.
In addition, the backdoor has the ability to download and execute arbitrary files.
The worm will launch a denial-of-service (DoS) attack starting on February 1, 2004. It is coded to stop spreading on February 12, 2004.
Patches and fixes:
This worm spreads by tricking the recipient into opening the attachment rather than by exploiting a vulnerability, so there is no Microsoft patch for it, and no removal app is available at this time.
If your Norton Antivirus virus definitions are up to date, Norton will detect and remove this worm.
You can manually update these definitions by downloading the intelligent updater and running it on your computer.
The following link will allow you to download the updater for January 26, 2004 definitions: 20040126-024-x86.exe
Detailed information about this virus and how to remove it can be found at http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
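The Korgo and Novarg entries above each name the TCP ports their backdoor listens on (113 and 3067 for Korgo; 3127 through 3198 for Novarg). The following is an added example, not part of the original notice or of any Symantec tool: a small Python script that reads the output of the Windows "netstat -an" command and flags listening ports that fall in those ranges. The netstat text embedded below is constructed for the example, not captured from a real campus machine; to check your own computer, run "netstat -an" from a command prompt, save the output to a file, and pass that text to flag_backdoors().

```python
"""Flag listening TCP ports that match the backdoors described in the
W32.Korgo and W32.Novarg.A@mm entries above.

Added example, not from the original notice. Parses the Windows
"netstat -an" format (Proto / Local Address / Foreign Address / State).
The sample below is constructed, not taken from a real machine.
"""
import re
from typing import Dict, List, Tuple

# Port ranges exactly as the write-ups above describe them.
BACKDOOR_PORTS: Dict[str, List[Tuple[int, int]]] = {
    "W32.Korgo.C/D/E backdoor": [(113, 113), (3067, 3067)],
    "W32.Novarg.A@mm backdoor": [(3127, 3198)],
}

# Matches a Windows netstat line such as:
#   TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def listening_ports(netstat_text: str) -> List[int]:
    """Return the sorted, de-duplicated set of TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(2)))
    return sorted(ports)


def flag_backdoors(netstat_text: str) -> Dict[int, str]:
    """Map each listening port that falls in a known backdoor range to the worm name."""
    hits: Dict[int, str] = {}
    for port in listening_ports(netstat_text):
        for name, ranges in BACKDOOR_PORTS.items():
            if any(lo <= port <= hi for lo, hi in ranges):
                hits[port] = name
    return hits


# Constructed sample: a machine with the normal Windows listeners (135, 445)
# plus one Novarg-range port and one Korgo port open.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      10.0.0.5:80            ESTABLISHED
"""

if __name__ == "__main__":
    for port, worm in sorted(flag_backdoors(SAMPLE_NETSTAT).items()):
        print(f"port {port} is listening: matches {worm}")
```

A hit here is a reason to run the scanner with current definitions, not proof of infection on its own: port 113 (ident) is also used by legitimate software, and ports 135 and 445 listening are normal on Windows 2000/XP. A clean result does not mean the machine is patched.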
W32.Dumaru.Z@mm (Discovered on: January 25, 2004)
Systems infected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems not infected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
W32.Dumaru.Z@mm is a multi-threaded, mass-mailing worm that downloads and runs a file, runs a keylogger, and attempts to steal personal information.
The email has the following characteristics:
From: "Elene" (censored)
Subject: Important information for you. Read it immediately !
Attachment: Myphoto.zip
The attachment is a zip file that contains the worm executable, named "myphoto.jpg .exe" (there are numerous spaces between ".jpg" and ".exe", which pushes the real .exe extension out of view so the file looks like a picture).
Patches and fixes:
Symantec Security Response has developed a removal tool to clean the infections of W32.Dumaru.Z.
This removal tool can be found on Symantec's website or by clicking here.
NOTE: Please click the following link and read the instructions on how to run this removal tool: http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.removal.tool.html.
Detailed information about this virus and how to remove it can be found at http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.z@mm.html
W32.Sobig.F@mm (Discovered on: August 19, 2003)
Systems infected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems not infected: Linux, Macintosh, OS/2, UNIX, Windows 3.x
Patches and fixes:
To remove this virus download and run the fix.
CAUTION: If you are running Windows Me or XP, it is very important that you disable System Restore before you run the fix.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
The W32.Sobig.F@mm fix: FixSbigF.exe
Instructions on what this fix does and how to use it can be found at: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html
Having antivirus software such as Norton Antivirus or McAfee VirusScan, with current virus definitions, will protect you from this email virus.
You can manually download the newest Norton Antivirus virus definitions from Symantec's download page: http://securityresponse.symantec.com/avcenter/download.html
Download and run the "Intelligent Updater" to manually update your Norton Antivirus definition files.
Information about this virus can be found at: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
W32.Welchia.Worm (Discovered on: August 18, 2003)
Systems infected: Microsoft IIS, Windows 2000, Windows XP.
Systems not infected: Linux, Macintosh, OS/2, UNIX, Windows 3.x, Windows 95, Windows 98, Windows Me.
Patches and fixes:
To protect yourself from this worm, download and install the following two patches for your operating system (one for each vulnerability the worm exploits):
Microsoft patch 815021 (Windows 2000 only)
Microsoft patch 815021 (Windows XP only)
Microsoft patch 823980 (Windows 2000 only)
Microsoft patch 823980 (Windows XP only)
To remove this worm download and run the fix.
The W32.Welchia.Worm fix: FixWelch.exe
Instructions on what this fix does and how to use it can be found at: http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
Information about this virus can be found at: http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:
- The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
- The WebDAV vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. IIS 5.0 will most likely be found on Windows 2000 systems.
W32.Blaster.Worm (Discovered on: August 11, 2003)
Systems infected: Windows 2000, Windows XP.
Systems not infected: Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me, Windows NT.
Patches and fixes:
To protect yourself from this worm, download and install the following patch for your operating system:
Microsoft patch 823980 (Windows 2000 only)
Microsoft patch 823980 (Windows XP only)
To remove this worm download and run the fix.
The W32.Blaster.Worm fix: FixBlast.exe
Instructions on what this fix does and how to use it can be found at: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Information about this virus can be found at: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html.
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The worm targets only Windows 2000 and Windows XP machines. While Windows NT and Windows Server 2003 machines are vulnerable to the aforementioned
exploit (if not properly patched), the worm is not coded to replicate to those systems. This worm attempts to download the msblast.exe file
to the %WinDir%\system32 directory and then execute it. W32.Blaster.Worm does not have a mass-mailing functionality.
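Sasser, Korgo, Welchia and Blaster all spread the same way: an infected machine sweeps other IP addresses on one port (TCP 445 for the LSASS worms, TCP 135 for the DCOM RPC worms), which makes an infected host stand out in firewall or router logs as one source touching many destinations on one port. The following is an added example, not part of the original notice: a Python script that counts distinct destinations per (source, port) over firewall log lines and reports sources that look like scanners. The log format is constructed for the example (date, time, action, protocol, source, destination, source port, destination port, separated by spaces), as are the sample lines; real firewall logs differ, so parse_line() is the part to adapt.

```python
"""Spot worm-style scanning (one source, many destinations, one port)
in firewall log lines, for the worms described on this page.

Added example, not from the original notice. Log format and sample
lines are constructed for the example:
  YYYY-MM-DD HH:MM:SS ACTION PROTO SRC DST SPORT DPORT
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Ports the worms on this page spread over. TCP 80 (Welchia's WebDAV
# vector) is left out: ordinary web browsing also touches many hosts on
# port 80, so it would produce false positives with this heuristic.
WORM_PORTS: Dict[int, str] = {
    135: "DCOM RPC, MS03-026 (W32.Blaster, W32.Welchia)",
    445: "LSASS, MS04-011 (W32.Sasser, W32.Korgo)",
}

# A source reaching at least this many distinct hosts on one worm port
# is reported. Threshold is an assumption for the example; tune to your network.
SCAN_THRESHOLD = 10


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, dport) for a TCP record, or None for anything else."""
    parts = line.split()
    if len(parts) != 8 or parts[3] != "TCP":
        return None
    try:
        return parts[4], parts[5], int(parts[7])
    except ValueError:
        return None


def find_scanners(lines: Iterable[str], threshold: int = SCAN_THRESHOLD) -> Dict[Tuple[str, int], int]:
    """Map (src, dport) to the number of distinct destinations, for pairs over threshold."""
    targets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in WORM_PORTS:
            targets[(src, dport)].add(dst)
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= threshold}


def build_sample_log() -> List[str]:
    """Constructed log: one Sasser-like sweep on 445, one Blaster-like sweep on 135,
    and a workstation making ordinary SMB connections to a single file server."""
    lines: List[str] = []
    for i in range(20):  # 10.1.2.3 probes 20 different hosts on TCP 445
        lines.append(f"2004-06-01 09:00:{i:02d} DROP TCP 10.1.2.3 10.1.5.{i + 1} {1040 + i} 445")
    for i in range(12):  # 10.1.9.9 probes 12 different hosts on TCP 135
        lines.append(f"2004-06-01 09:01:{i:02d} DROP TCP 10.1.9.9 10.1.6.{i + 1} {2000 + i} 135")
    for i in range(3):   # 10.1.4.4 talks to one file server only: not a scan
        lines.append(f"2004-06-01 09:02:{i:02d} ALLOW TCP 10.1.4.4 10.1.0.10 {3000 + i} 445")
    lines.append("this line is not a firewall record")  # ignored by parse_line
    return lines


if __name__ == "__main__":
    for (src, port), count in sorted(find_scanners(build_sample_log()).items()):
        print(f"{src} hit {count} hosts on TCP {port}: {WORM_PORTS[port]}")
```

Distinct destinations, not packet counts, are what separate a worm from a busy legitimate host: a workstation may open many connections to one file server on port 445, but it has no reason to touch dozens of different machines there. Sources this script reports are the machines to pull off the network and clean with the removal tools listed above.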