Office of Information Technology Alerts

Internet Access Slowdown (1/23/2006)
ETSU utilizes 2 redundant sources to connect the university to the Internet. On Monday evening (1/23/2006), one of those providers experienced an outage. The break in the fiber optic line has been identified and service technicians are working on repairing the break. It is expected that service will not be fully restored until Wednesday afternoon (1/25/2006). Our redundant connection to the Internet is still functioning properly but is slower during peak times. We apologize for any inconvenience.
If you have any questions or concerns, please contact the OIT Help Desk at 439-4648 or via email at oithelp@etsu.edu.

Scheduled Outage: WWW (1/15/2006)
ETSUWeb is scheduled to be rebooted on Sunday, 1/15, at 4:00 am. During this reboot, a chkdsk will run, which we estimate will keep web services on this machine down for more than 2 hours. The following web services will be unavailable during this outage:
- Antivirus
- Child
- CPIS
- Faculty
- Heart
- Infosys
- Makeadifference
- Orientation
- Photolab
- Studentorgs
- Students
- Uschool
- WWW
We expect the downtime to be confined to our normal scheduled maintenance window, and web services will be available again later Sunday morning.

Planned server outage (1/7/2006)
Information Technology will be working this weekend to upgrade the Alpha servers on campus. This is a hardware upgrade and will improve the performance of the Alpha servers. The servers will have to be shut down for this upgrade to occur. This means that GoldLink, SIS, FRS, HRS and ADS will be unavailable from 8:00am – 10:30am Saturday, January 7, 2006. The servers will be restarted immediately after the upgrade is completed and all services will be restored.
If you have any questions or concerns, please contact the OIT Help Desk at 9-4648 or via email at oithelp@etsu.edu.

New Windows Vulnerability (1/1/2006)
Information Technology has become aware of a new vulnerability in Microsoft Windows 2000 and XP. This vulnerability is being actively exploited through every common delivery channel: computers can be infected via email, web browsing, instant messaging, etc. No antivirus vendor currently has a solution that works for all variations, and Microsoft has announced that it has no plans to patch this vulnerability until at least January 9th.
In the meantime, OIT has taken the following steps to help protect the integrity of the ETSU network, computers and data:
- The dynamic link library (dll) file with the vulnerability (shimgvw.dll) will be 'unregistered' from your computer. Your computer may or may not reboot when this is done. After unregistering, you may have some trouble opening files with a .WMF extension. These are graphics files that are common in Microsoft Office as clip art. When Microsoft releases a patch to this dll, it will be patched and restored.
- Known sites on the Internet that are communicating with compromised computers will be temporarily blocked (69.50.160.* and 85.255.112.*).
These are not perfect but should help prevent infections. In the meantime, please be very careful in your selection of web sites to visit and in the email messages you choose to open.
For more technical information on this vulnerability, you can read the following article:
http://isc.sans.org/diary.php?storyid=994
If you have any questions or concerns, please contact the OIT Help Desk at 9-4648 or via email at oithelp@etsu.edu.

SPAM/Phishing (12/12/2005)
Information Technology has been working to reduce the amount of SPAM mail deposited in your Inbox. This weekend while upgrading the anti-spam software, a configuration file for the spam filter was overwritten. As a result, you may have received emails detailing spam statistics for your mailbox. Messages from esatagent@etsu.edu are legitimate messages, and should not be cause for concern. The reporting has again been disabled, so you should not continue to receive this clutter.
Another concern is that there have been reports from employees who have received phone calls from non-university individuals asking for detailed information about computers or printers. When pressed, the caller identifies themselves as an employee of a non-existent company or they hang up. If you receive such a call, please do not give out any detailed information. Such information could be used to attempt to compromise your computer or the university network. Please report any such attempts to the OIT Help Desk at 439-4648 or via email at oithelp@etsu.edu.
Also, OIT is working to prevent phishing email. If you receive a suspicious email that you consider a phishing email, please forward it to the OIT Help Desk at oithelp@etsu.edu. They will work to determine the legitimacy of the email. If it is determined to be a phishing email, OIT will block any further emails of that type from coming to campus.
If you have any questions or concerns about any of these topics, please contact the OIT Help Desk at 439-4648 or via email at oithelp@etsu.edu.

Email Delay (11/23/2005)
Due to an abnormally high amount of incoming emails to campus, you may see a delay in email delivery for the next 10-15 hours as the backlog is worked through. Mail is still being delivered and working properly. You just may see a delay between the time when it is sent and the time it arrives in your box.

Student Antivirus (11/18/2005)
Due to some unexpected issues a few students are seeing with installing McAfee from the OIT Antivirus page, we are blocking student access/downloads until we can determine the nature of the problem. We are investigating and will re-enable student downloads as soon as we feel it is safe to do so. Faculty/Staff access is still enabled.

Emergency Phones Problem (11/1/2005)
Emergency phones in the parking lot in front of VA building 178 are going to be out due to some problems in the area.

Virus Warning (6/3/2005)
There is an e-mail worm spreading around the region that mimics messages from the system administrator. These messages contain subject lines such as:
- Email account suspension
- Online user violation
- Your Email Account is Suspended For Security Reasons
The message will appear to come from admin@, webmaster@, or some other authoritative-sounding user at its intended recipient's domain. (example: webmaster@imail.etsu.edu or root@etsu.edu).
We would like to take this opportunity to remind you not to open attachments in unexpected e-mails. Spoofing the From: address in an e-mail is trivial, and is a characteristic of almost all e-mail viruses and scams. The Office of Information Technology is currently working with Network Associates to inoculate our mail system against this new strain. In the meantime, keep your computer safe by ignoring or deleting unexpected attachments without launching them.
If you are uncertain whether an e-mail message is safe to open, feel free to contact the OIT Helpdesk. They will be happy to assist you in determining the danger of a particular message.
PHONE: 439-4648
EMAIL: OITHELP@ETSU.EDU
Thank you for your attention.

ETSU Administrative Servers Unavailable (5/12/2005)
The ETSU administrative servers will be unavailable beginning at 5:00pm on Friday, May 13, 2005. The servers will likely be unavailable until the normal maintenance window is completed at noon on Sunday, May 15, 2005. This means the following applications will not be available:
- GoldLink
- SIS
- FRS
- HRS
- ADS
All other servers and applications should be available as usual.
This unavailability is the result of moving the servers from the Tennessee Eastman hosting facility back to the ETSU server facility.
We apologize for any inconvenience this may cause. If you have any questions, please contact the OIT Help Desk at 9-4648 or via email at oithelp@etsu.edu.

Dorm network maintenance tonight (3/17/2005)
Maintenance will be performed on the dorm network tonight beginning at midnight. The maintenance might affect dorm network stability.

Server outages planned for October 17th. (10/17/2004)
To better serve the university, Information Technology will be installing enhancements to 2 servers during our normal maintenance window (midnight until noon) on Sunday October 17, 2004.
- The university faculty/staff email server will be upgraded to Exchange 2003. This will provide enhanced security and provide additional features. On-campus users of Outlook will not notice any differences. Users of the web-based email will find that it will now look very similar to Outlook 2003 and will provide many new advanced features previously unavailable to web-based users.
- The Blackboard server will be upgraded with additional disk storage. This will help the server accommodate the increased utilization and improve performance.
- The Systems Support group will be applying operating system patches to the Administrative AlphaServer cluster Sunday morning from 7:00 A.M. until 12:00 noon. Expect each system in the cluster to be unavailable at times during this period.
These servers will not be available during these upgrades. We apologize for any inconvenience this outage may cause. If you have any questions or concerns, please contact the OIT Help Desk at 9-4648 or via email at oithelp@etsu.edu.

Email outage (8/2/2004)
A disk drive failed in the Exchange email server at 5:00am on Monday, August 2, 2004. It was replaced with a working one at 7:20am. The server is currently rebuilding all the data on the drive and email will be unavailable until approximately noon.
You can check with the OIT Help Desk for more information at 9-4648 or via email at oithelp@etsu.edu.

New MYDOOM variant (7/26/2004)
There has been a flood of email coming to campus with a new variant of the MYDOOM virus. We have contacted our antivirus vendor and have received a new update. This update is currently being pushed to all computers on campus. Some of the email comes with a signature indicating it is from the 'etsu support team'. This is not true.
In the meantime, be careful with attachments with a .zip, .bat or .scr extension. Example infected filenames include:
- Announcement.zip
- File.scr
- Letter.zip
- Message.zip
- Message.bat
- Text.scr
- Readme.zip
- Instruction.zip
- Document.zip
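The attachment list above is the kind of thing a mail gateway can screen for automatically. The following is an added example, not OIT's filter or the antivirus vendor's update: it parses a message, flags attachments by the extensions and filenames named in this alert, and also looks inside .zip attachments for executables (a generalization beyond the alert; the set of executable extensions is an assumption). The sample message, including the forged 'etsu support team' sender, is constructed inline.

```python
"""Attachment triage for the MyDoom-style mail described above.

Added illustration, not OIT's filter or the antivirus vendor's update.
It flags attachments by the extensions and filenames the alert lists and
looks inside .zip attachments for executables.  The sample message is
constructed here; nothing is read from disk or the network.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# From the alert: extensions and filenames seen in the infected mail.
RISKY_EXTENSIONS = {".zip", ".bat", ".scr"}
KNOWN_WORM_NAMES = {
    "announcement.zip", "file.scr", "letter.zip", "message.zip",
    "message.bat", "text.scr", "readme.zip", "instruction.zip",
    "document.zip",
}
# Assumption (generalization): what counts as an executable inside a zip.
EXECUTABLE_IN_ARCHIVE = {".exe", ".scr", ".bat", ".pif", ".cmd", ".com"}


def _ext(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def triage_attachment(filename, payload):
    """Return the reasons an attachment is suspicious (empty list = clean)."""
    reasons = []
    lname = filename.lower()
    if lname in KNOWN_WORM_NAMES:
        reasons.append(f"filename matches the alert's list: {filename}")
    ext = _ext(lname)
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if _ext(member) in EXECUTABLE_IN_ARCHIVE:
                        reasons.append(f"archive contains executable: {member}")
        except zipfile.BadZipFile:
            reasons.append("zip attachment is not a valid archive")
    return reasons


def triage_message(raw):
    """Parse raw RFC 822 bytes; return {filename: reasons} for flagged parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = triage_attachment(name, payload)
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample():
    """Constructed sample: a forged 'support team' mail carrying Message.zip
    with an executable inside, plus a harmless text attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.exe", b"MZ placeholder, not real code")
    msg = EmailMessage()
    msg["From"] = "etsu support team <support@etsu.edu>"  # forged, per the alert
    msg["To"] = "user@etsu.edu"
    msg["Subject"] = "Important"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Message.zip")
    msg.add_attachment("just notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

Opening the archive matters because a gateway that only looks at the outer extension would also quarantine every legitimate zip; the member check lets a site downgrade plain .zip to a warning while still stopping a zip that carries an executable.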

TNII Maintenance (5/10/2004)
TBR technical staff will be doing preventative maintenance on ETSU's TNII connection to the Internet on Monday, May 10, 2004 beginning at 4:30pm eastern time. This outage should last approximately 1 hour. During this time, ETSU will maintain connectivity to the Internet through the redundant connection via MountaiNet.
If you have any questions, please contact the OIT Help Desk at 9-4648 or via email at: oithelp@etsu.edu.

Network Worm (4/29/2004)
On Tuesday, April 27th the ETSU network was infected with a new, unknown worm. It went undetected until Wednesday morning. At that time, the network quickly became unusable as infected computers tried to infect thousands of other computers. Antivirus updates were not available to prevent or to clean the worm at that time. Information Technology was able to contain the worm by identifying the infected computers and removing them from the network. Our antivirus vendor was contacted and we received an update from them that was designed to clean the worm. At 5:30pm, the network was restored and all known infected computers were then cleaned.
Action has been taken to prevent the worm from propagating across the network; however, it is likely that some computers that were infected were powered down, preventing cleaning. On Thursday morning, Information Technology will be watching network traffic closely and taking immediate action to contain and clean the worm. Please turn on computers normally to allow Information Technology to completely detect and clean the worm.
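The alert does not say how the infected computers were identified. One standard method, shown here as an added example rather than OIT's procedure, is to look for hosts that contact many distinct destinations within a short window, which is what a worm hunting for new victims looks like on the wire. The flow records below are constructed, and the 60-second window and threshold of 20 destinations are assumptions a site would tune to its own traffic.

```python
"""Spotting worm-infected hosts from flow records.

Added illustration: the alert does not say how OIT found the infected
computers, so this is one common approach, not their procedure.  A worm
probing for victims contacts many distinct hosts in a short time; a normal
workstation talks to a handful of servers repeatedly.  The flows, window
and threshold below are constructed/assumed values.
"""
from collections import Counter, defaultdict, deque


def find_scanners(flows, window=60, threshold=20, port=None):
    """Return {src_ip: peak_distinct_destinations} for sources that reached
    at least `threshold` distinct destinations inside any `window`-second
    span.  flows: iterable of (ts_seconds, src_ip, dst_ip, dst_port).
    port=None considers all destination ports; otherwise only that port.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if port is None or dport == port:
            by_src[src].append((ts, dst))

    scanners = {}
    for src, events in by_src.items():
        events.sort()               # sliding window needs time order
        recent = deque()            # (ts, dst) inside the current window
        seen = Counter()            # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            seen[dst] += 1
            while recent and recent[0][0] < ts - window:   # expire old flows
                _, old = recent.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            peak = max(peak, len(seen))
        if peak >= threshold:
            scanners[src] = peak
    return scanners


def build_sample_flows():
    """Constructed flows: one worm host, one ordinary workstation, one
    slow web user who visits many sites but spread over half an hour."""
    flows = []
    for i in range(60):                       # worm: a new target every second
        flows.append((i, "10.1.1.5", f"10.1.2.{i + 1}", 445))
    for i in range(60):                       # workstation: five servers, ten minutes
        flows.append((i * 10, "10.1.1.20", f"10.1.3.{i % 5 + 1}", 80))
    for i in range(30):                       # web user: 30 sites, one per minute
        flows.append((i * 60, "10.1.1.33", f"203.0.113.{i + 1}", 80))
    return flows


if __name__ == "__main__":
    for host, n in find_scanners(build_sample_flows()).items():
        print(f"{host}: {n} distinct destinations in 60s, candidate for removal")
```

Distinct destinations, not packet count, is the right measure: a busy file server moves far more traffic than a worm but to the same few peers, while the infected host touches a new address every second. The slow web user in the sample shows why the window matters; thirty distinct sites over half an hour is normal browsing, not a sweep.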
If you have any concerns, please contact the OIT Help Desk at 9-4648 or via email at oithelp@etsu.edu. Students should contact the Student Help Desk at shdesk@imail.etsu.edu.
Thank you for your patience and cooperation.

Printer Standards (4/1/2004)
On April 1, 2004, ETSU will institute a new printer standard policy which was approved by the Information Technology Governance Committee. This is being done in order to reduce the total cost of ownership for printing and to recognize significant savings on the hardware maintenance contract.
To summarize, after March 31, 2004, the only printers that will be serviced for hardware problems are:
- Laser printers less than six years old on the date of the service call
- Ink jet printers less than four years old on the date of the service call
The OIT Help Desk will be able to help determine if your printer is still covered under the maintenance contract if you aren’t sure.
After this date, if you choose to purchase a printer that is not one of the standards listed on the web site shown below, it will not be tagged with an ETSU inventory number; therefore, no hardware support will be given. We can supply you with a list of local vendors that can evaluate and possibly repair it in the event of problems. OIT will be available for limited software support on the non-standard printers.
We have developed a web page for the new printer standards. Please visit http://www.etsu.edu/oit/standards/PrinterStandards.asp for more information.
As always, if you have any questions, please feel free to contact the OIT Help Desk at x94648 or send email to oithelp@etsu.edu.

Instant Messaging Restrictions (3/19/2004)
The Information Technology Governance Committee has requested that the Office of Information Technology begin restricting Internet chat programs due to excessive bandwidth demands and serious security concerns. Internet chat programs include AOL Instant Messenger, Yahoo Instant Messenger and MSN Messenger. There will be no restrictions on any function of the Blackboard server. These restrictions will become effective on March 19, 2004 at 5:00pm.
If you have an academic, research or service oriented use for one of these programs, please contact the OIT help desk at 9-4648 or via email at oithelp@etsu.edu.

New long distance service implemented (3/1/2004)
Information Technology is pleased to announce that the long distance implementation was successful. All long distance calls are now being processed through Vartec/Resicom. As a reminder, you should dial 8, 1 + area code + number and you will hear a short tone. At that time you will enter your PIN; do not wait until the tone ends, enter your PIN when you first hear the tone. This new plan will reduce the University's cost for long distance and allow you the freedom to call from any phone on campus using your PIN.
We appreciate your patience and help in implementing this new program. We are still experiencing issues with a few fax units across campus due to the wide variety of brands and types of machines. These units will have to be resolved on an individual basis. Should you have problems with your fax unit please contact the OIT Helpdesk at 9-4648 or via email at oithelp@etsu.edu.

VMS AlphaServer Maintenance (2/29/2004)
On Sunday, February 29, 2004, our VMS AlphaServers will be down from 7:00am until noon for routine disk maintenance.
During this time, the administrative systems (SIS, GoldLink, FRS, HRS, TRS and ADS) will be unavailable.
If you have any questions or concerns, please contact the OIT Help Desk at 9-4648 or via email at oithelp@etsu.edu.
Also, please visit the Information Technology homepage for more information at: http://www.etsu.edu/oit.

MyDoom.F virus (2/23/2004)
On the evening of February 23, 2004, we had a minor outbreak of the new MyDoom.F virus on campus. The antivirus server was patched later that evening when the update was released. Messages containing the virus are now being cleaned as they are received. Desktop and laptop computers on the ETSU network have been updated with this antivirus patch as well. We are currently unaware of any computer now infected with this virus but we continue to monitor the situation.
The virus forges the sender address, so the name shown in the From: line is not the true origin. You may receive email from off-campus telling you that you have sent a virus. This DOES NOT mean you are infected and you can ignore these messages. More information on the virus can be found at: http://vil.nai.com/vil/content/v_101038.htm
Thanks to everyone who saw a suspicious attachment and deleted it or informed Information Technology before opening it.
If you have any questions or concerns, please contact the OIT Help Desk at 9-4648 or via email at: oithelp@etsu.edu. Also, visit the OIT homepage for more information at www.etsu.edu/oit.

ETSU Opening 2 hours late (2/16/2004)
ETSU classes will begin at 10 a.m. and employees should report at that time. University School will also open at 10 a.m. All clinics operated by the ETSU College of Medicine will be on a regular schedule.

Changes to email server (2/16/2004)
On February 16, 2004, Information Technology plans to implement 2 initiatives approved by the Information Technology Governance Committee.
1. Spam. Information Technology will configure the university's email server to categorize a large percentage of the spam mail sent to campus. This is done WITHOUT examining the content of the message. Instead, the originating server of the email is checked against a database that is updated to reflect all currently known servers used exclusively for the distribution of spam. The messages WILL NOT be deleted. They will be placed in your Outlook Junk E-mail folder. You will have the option of reviewing the messages if you would like, or you can delete them without ever looking at them. If they are not deleted, they will be automatically deleted after two weeks (see item 2 below).
2. Deleted Items and Junk E-mail folder. Many university employees run into difficulty when their Deleted Items folder becomes so full they can no longer receive new email messages. Emptying the Deleted Items folder currently requires you to click on the Tools drop down menu and select the Empty Deleted Items Folder entry in Outlook. This will no longer be required, since messages in the Deleted Items and the new Junk E-mail folder will automatically be removed when they are 2 weeks old. If you use the Deleted Items folder to store messages, they will be permanently deleted from the server during this process. No email messages that you wish to retain should ever be stored in the Deleted Items folder.
If you have any questions or comments, please contact the OIT Help Desk at 9-4648 or via email at oithelp@etsu.edu.
Also, please visit the OIT homepage at www.etsu.edu/oit for other updates.
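The originating-server check described under item 1 is a DNS blocklist (DNSBL) lookup: the connecting server's IP address is written with its octets reversed, the blocklist's zone name is appended, and the result is resolved; an answer in 127.0.0.0/8 means the address is listed, and NXDOMAIN means it is not. As an added example (not the university's configuration), the Python below implements that classification with the resolver injected and a constructed listing in place of live DNS, so it runs offline. The zone name dnsbl.example and the addresses in the fake listing are assumptions.

```python
"""Originating-server (DNSBL) spam classification, as the 2/16/2004 alert
describes: decide on the connecting mail server's IP, never on content.

Added illustration, not the university's filter.  The blocklist zone name
is a placeholder and the resolver is injected, so the logic can be run
offline against a constructed listing.
"""
import ipaddress

# Placeholder zone; a real deployment would name the DNSBL it subscribes to.
DNSBL_ZONE = "dnsbl.example"


class NotListed(Exception):
    """Raised by a resolver when the query name does not exist (NXDOMAIN)."""


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the IPv4 octets and append the zone: 192.0.2.7 -> 7.2.0.192.zone"""
    addr = ipaddress.IPv4Address(ip)          # raises on garbage or IPv6
    rev = ".".join(reversed(addr.exploded.split(".")))
    return f"{rev}.{zone}"


def classify_sender(ip, resolve, zone=DNSBL_ZONE):
    """Return 'junk' if ip is listed, 'ok' if not, 'unknown' otherwise.

    resolve(name) -> list of A-record strings, or raises NotListed.
    DNSBLs answer with 127.0.0.x codes; any other answer is treated as an
    error rather than a listing, so a misconfigured zone (or a wildcard
    DNS response) cannot junk all incoming mail.
    """
    try:
        name = dnsbl_query_name(ip, zone)
    except ipaddress.AddressValueError:
        return "unknown"
    try:
        answers = resolve(name)
    except NotListed:
        return "ok"
    for a in answers:
        try:
            code = ipaddress.IPv4Address(a)
        except ipaddress.AddressValueError:
            continue
        if code in ipaddress.IPv4Network("127.0.0.0/8"):
            return "junk"
    return "unknown"


# Constructed listing standing in for live DNS.  Keys are query names.
_FAKE_LISTING = {
    dnsbl_query_name("192.0.2.7"): ["127.0.0.2"],      # listed: known spam source
    dnsbl_query_name("198.51.100.9"): ["10.0.0.1"],    # bogus answer, not a listing
}


def fake_resolve(name):
    """Offline stand-in for a DNS resolver."""
    try:
        return _FAKE_LISTING[name]
    except KeyError:
        raise NotListed(name)


def route_message(sender_ip, resolve=fake_resolve):
    """Map the verdict to the folder the alert describes; nothing is deleted."""
    verdict = classify_sender(sender_ip, resolve)
    return "Junk E-mail" if verdict == "junk" else "Inbox"


if __name__ == "__main__":
    for ip in ("192.0.2.7", "203.0.113.5", "198.51.100.9"):
        print(ip, "->", route_message(ip))
```

The 'unknown' path is the practitioner's safeguard: a blocklist that goes dark often starts answering every query with a non-127 address, and a filter that treated any answer as a listing would move the whole campus's mail to Junk.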

Patch to Windows being delivered to campus computers (2/11/2004)
The Office of Information Technology has been made aware of a vulnerability in Microsoft Windows NT, Windows 2000 and Windows XP that could allow an attacker to execute code on exploited systems. This could include code with system privileges that would allow the attacker to take any action on the system including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges.
The severity rating for this vulnerability is considered to be critical.
A patch has been provided by Microsoft and is available through the Windows Update option in the Internet Explorer 'Tools' menu.
To better protect your data and the university’s technology, Information Technology will be automating the installation of this patch utilizing campus network resources. It is imperative that you leave your computer turned on between the hours of 8:00am and 4:30pm Thursday and Friday (February 12th and 13th) for this to be accomplished. After your computer is patched, you will be asked to re-boot your computer. The installation of the patch will not be complete until you re-boot your computer. When you see the message on your screen, please save any unsaved work you may have open, and follow the directions to allow a re-boot. Information Technology has tested the patch and does not expect any compatibility problems.
If you wish to read more about the vulnerability, please see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-007.asp
Should you incur any problems after installation of the patch, please call the OIT Help Desk at x94648 or send email to oithelp@etsu.edu. Also, check the Information Technology web page for further updates at http://www.etsu.edu/oit.

Electrical work in Dossett Hall (2/8/2004)
On Sunday, February 8, 2004 from 12:00 midnight to 8:00am, Physical Plant will be conducting electrical work in Dossett Hall. The area they will be working in contains telephone and networking equipment that serves the entire university. Every effort is being made to make sure there are no interruptions in telephone and networking service but as a precaution, Information Technology will have people on site to resolve any issues as quickly as possible.
If you have any questions or concerns please contact the Information Technology Help Desk at 9-4648 or via email at oithelp@etsu.edu. Also, please visit the Information Technology web site at www.etsu.edu/oit for updates.

Voice mail system maintenance 2/2/04 (2/2/2004)
Last week’s preventative maintenance on the voice mail system was cancelled due to unavailability of parts.
It has been rescheduled for today, Monday, February 2, 2004 from 8:00pm – 9:00pm.
During this time, the voice mail system will be unavailable and new messages will not be accepted.
This will not affect saved messages, outgoing greetings or passwords.
If you have any questions or concerns, please contact the OIT Help Desk at 9-4648 or via email at oithelp@etsu.edu.

New MyDoom virus- high risk (1/26/2004)
A new virus has just been detected by the McAfee organization called W32/MyDoom@MM and is labeled HIGH RISK. This virus is also known as NoVarg. It is using the common method of spreading via infected emails with an attachment that tries to appear as a text document. Unfortunately the virus falsifies the sender and the subject, and even the body of the message varies, to make it difficult to identify. All users are encouraged to update their virus scanner; if you need help, please call the OIT Help Desk at 439-4648. Because the sender information is falsified by the virus, receiving an infected message does not mean that the apparent sender's machine is infected. Please do not call the Help Desk to alert us to a particular person's infection; the mail will have been sent by someone other than the listed sender. Merely delete the email before viewing the attachment.
Do not open any attachment whose contents you are unsure of, and delete any message whose body contains one of the following misleading texts:
1) The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
2) The message contains Unicode characters and has been sent as a binary attachment.
3) Mail transaction failed. Partial message is available.
If you see an email with any of these three options, please delete the mail immediately.
Please contact OIT if you believe your machine has been infected.

Voicemail Maintenance (1/23/2004)
On Monday, 1/26, between the hours of 8:00pm and 9:00pm the campus voicemail system will be inactive for maintenance purposes. No existing voicemail will be lost during this time, but users will not be able to access their voicemail box and new voicemail will not be created. If you have questions or concerns, please call the OIT Help Desk at 439-4648.

New Computer Virus (8/12/2003)
A new virus has been recently discovered on campus under the name W32/Lovsan.worm. It has spread rather quickly throughout campus and has been determined to be a "Medium Risk" to an infected computer. ETSU has provided the patches below for Windows 2000/XP.
A patch for Windows 9x users is still in the works. An alert will be given when a patch for Windows 9x is available.
It is highly recommended that all personnel download and install the patch on their computer to stop/prevent the virus from spreading to other computers on the ETSU network.
For Windows 2000 users: ftp://ftp.etsu.edu/pub/SecurityUpdates/MS03-026/2000/
For Windows XP users: ftp://ftp.etsu.edu/pub/SecurityUpdates/MS03-026/XP/
More information about the virus can be found at:
http://vil.nai.com/vil/content/v_100547.htm

Service Interruption (8/4/2003)
As part of an on-going effort to improve the campus network, connectivity to the Internet will be interrupted for a few moments on Tuesday, August 5, 2003 at approximately 5:00pm. This time will be used to help make our Internet connection more fault-tolerant. We apologize for any inconvenience this may cause. If you have any questions or concerns, please notify the OIT Help Desk by phone (9-4648) or by email (oithelp@etsu.edu).

Important Computer Virus Announcement (8/4/2003)
There have been several people who have received emails indicating their email account was about to expire. The message indicates the user should open the attachment to see the details. The attachment contains a virus (W32/Mimail@MM). VirusScan should detect and destroy this virus, but please do not attempt to open the attachment. OIT does not expire email accounts in this manner.
If you'd like more information on this virus, visit the following link:
http://vil.nai.com/vil/content/v_100523.htm
If you have any questions, please contact the OIT Help Desk by phone (9-4648) or by email (oithelp@etsu.edu).

B Variant of Bugbear (6/5/2003)
Bugbear was one of the most virulent viruses of 2002 and has now returned in a new guise.
The variant is packed with a variety of malicious programs that help the virus spread, steal confidential information, hide its origins and disable security software. PC owners are being advised to update their anti-virus software and be suspicious of e-mail messages they were not expecting.
Lethal package
The new B variant of Bugbear shares characteristics with its ancestor: it is designed to exploit vulnerabilities in Windows PCs.
Like many other viruses, it exploits a known vulnerability in the way Internet Explorer (and therefore Outlook) handles MIME attachments, so that on an unpatched machine the attachment can run when the message is merely previewed.
In an attempt to stop itself being found and deleted, Bugbear.B looks for copies of well-known anti-virus packages and tries to turn them off.
Bugbear.B also tries to install a key logging program that records which keys a person presses.
Finally, the virus opens up a backdoor to the net that could let its creator take control of any infected machine.
In an attempt to avoid being spotted by anti-virus programs that look for particular signatures, Bugbear.B is polymorphic: it changes its own code as it travels to new hosts.
Get more information about ETSU's antivirus tools from the OIT Antivirus Software Download site

Email changes, domain logins and Netscape Calendar (3/19/2003)
It has come to my attention that many people did not receive the original email sent out 2/28/03. I apologize if there have been any problems created since we have already updated the Internet email records to direct all @etsu.edu email to the Exchange Server. Any email sent to @access.etsu.edu will still be delivered to the access email server until the end of the current semester at which time the access email server will be deactivated.
Please use the @etsu.edu when ordering new business cards or stationery and on your email signature. If you have existing business cards, simply strike through the @access.etsu.edu.
If you are still not converted to Exchange or are having any problems with your email, please report the problem to the OIT Help Desk at x94648.
The following is the original email:
We would like to remind everyone that every computer on the ETSU network should now be logging into the ETSU domain and no longer using pwrk12. It is very important that you use the ETSU domain consistently especially if you are using Windows 2000 or XP as your operating system. If you login to the old pwrk12 domain, any new documents that you create will be stored in a different profile on your machine, making them hard to find. Additionally if you login to pwrk12, you will be unable to send emails through the Exchange server.
A possible problem area involves classroom and non-OIT labs that are not logging into the ETSU domain. OIT must convert any Windows 2000 or XP machines, but Windows 95/98 machines can simply change the login domain. If you are unsure about the procedure or the details please contact the OIT help desk.
During spring break, March 17 - 21, we are planning on updating the Internet email reference servers to make @etsu.edu emails go to the Exchange server instead of Access. Anyone who is still using the Access server for their primary email needs to contact the OIT Help desk (x94648 or oithelp@mail.etsu.edu) to let us know so that we can move your email to the Exchange system. Additionally any department servers or systems that use Access as a mail relay or SMTP gateway need to contact OIT Technical Services. For the time being Access will stay active and @access.etsu.edu will still go to the Access server, but we do plan to deactivate the Access email server. The exact timetable on the server deactivation will be discussed at the next ITGC meeting on March 11.
Also those still using the Netscape calendar system must be off the old system and converted to the Exchange calendar by March 19. We will be deactivating the old CALServ which runs the Netscape calendar on that day. Again, if you are not converted to Exchange or need help in migrating your Netscape calendar appointments to an Exchange calendar, please contact the OIT Help Desk.
You can find a schedule for Exchange/Outlook training posted at http://ats.etsu.edu/registration.htm
As always, if you have any questions or concerns, please feel free to contact me.
Alan Baldwin
ETSU OIT Technical Director
423.439.8636

Virus alert - W32/Lovgate@M (2/26/2003)
This is a mailing worm that also spreads via network shares and drops a remote-access trojan. The worm has similarities to W32/Plage.worm <http://vil.nai.com/vil/content/v_10541.htm> in that it drops the same files on the victim's machine and sends the same message. The major difference is that the W32/Lovgate family is compiled with MSVC while W32/Plage was created with Borland C.
Mailing Component
The worm is capable of sending a reply to all new messages found in the user's inbox (Outlook and Outlook Express) by using its own SMTP engine and the server smtp.163.com.
The worm is also capable of propagating through network shares. It enumerates network shares and copies itself recursively to folders/subfolders. The worm drops a trojan component (77,824 bytes) with the following filenames: ILY.DLL, 1.DLL, REG.DLL and TASK.DLL. The backdoor opens port 10168 on the computer and will send an email notification to the hacker that the computer has been compromised. The following addresses are intended as the notification recipients: hacker117@163.com and hello_dll@163.com. Information about the infected machine is also sent to the hacker. This information may include the system password. Detection for the backdoor is included in the 4249 DATs as BackDoor-AQJ.
W32/Lovgate@M is a MEDIUM-ON-WATCH mass-mailing worm that spreads via network shares and drops a remote-access trojan. The worm is also capable of sending a reply to all new messages found in the user's inbox (Outlook and Outlook Express). The infected email can come from addresses that you recognize and may contain the following information:
Subject: [content varies]
Body: [content varies]
Attachment: [It will attach itself to the message using one of the following names:] fun.exe, images.exe, news_doc.exe, s3msong.exe, pics.exe, billgt.exe, midsong.exe, PsPGame.exe, hamster.exe, setup.exe, tamagotxi.exe, joke.exe, docs.exe, searchurl.exe or card.exe
Current and up-to-date VirusScan users are protected from this threat.
Learn More about W32/Lovgate@M:
==> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=4977
Scan for W32/Lovgate@M:
==> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=4978 | | Virus Threat Alert! | 2/4/2003 | Please carefully read the Virus
warning below that has been
forwarded to us from TNII.
Much of the text is technical
in nature and included only
as information. The main point
is if you receive any email
with the subject line "War
with Iraq" or some variation,
do not open the email.
Thank you for your attention.
Alan Baldwin
ETSU OIT Technical Director
423.439.8636
abaldwin@mail.etsu.edu
TNII Security Advisory
Date: 02-04-2003/18:09:00 EST
Subject: Virus Advisory
Audience: TNII Operations Group (OIR, TBR, LLG and UT), TNII Partners (EDS PMO Personnel and BellSouth)
Severity: Major
EDS SPPS Global Information Assurance Services has received information that the US Department of Defense is warning employees to be on the lookout for a new email chain letter with a malicious payload. The email contains the subject line "War with Iraq" or some variation thereof. While GIAS engineers have not seen a public release today in our search, it still may bear watching. Even if you recognize the sender, it should not be opened and should be deleted, unless you have specific business requirements for receiving email on the impending conflict with Iraq. Please ensure that all virus software contains the latest Virus Definitions published by the Virus software vendor.
Description:
No new Virus or Worm has been specifically identified. However, several Viruses/Worms were released in 2002 related to the possible US action in Iraq; VBS.Melhack@mm is a Visual Basic script worm that spreads by emailing itself to all the contacts in the Windows Address Book.
Also Known As: I-Worm.Melhack [AVP], VBS/VBSWG.at [McAfee], VBS/Kamil.B.Worm [CA]
Type: Worm
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, UNIX, Linux
EDS TNII Security Response:
EDS SPPS Global Information Assurance Services engineers are passing this information on to the EDS Malicious Code Team; GSOC Enterprise Services for further research.
Additional Technical Information: A Malaysian virus writer who is sympathetic to the cause of the al-Qaeda terrorist group and Iraq and who has been connected to at least five other malicious code outbreaks is threatening to release a mega-virus if the U.S. launches a military attack against Iraq. The virus writer is thought to have written or been involved in the development of VBS.OsamaLaden@mm, Melhack, Kamil, BleBla.J, Nedal, Tanatos and W32/Bugbear. It has been widely reported that he has developed and tested a "three-in-one" megaworm code-named Scezda that combines features from the well-known SirCam, Klez and Nimda worms.
Solomon Masembwa
EDS U.S. Government Solutions
GIAS SPPS "An ISO 9001:2000 Organization"
TNII Project
| | Worm Alert | 1/27/2003 | You may be aware of the newest virus/worm threat that surfaced this past weekend affecting Microsoft's SQL 2000 servers and caused Internet performance problems.
Due to recent security upgrades, ETSU's network was not affected, but we are urging any faculty or staff member that may be using SQL server to ensure that adequate patches and updates are in place.
There are a few SQL servers set up to allow access from the Internet that OIT does not administer, and if these became compromised, other non-OIT SQL servers could be quickly infected.
Information on the proper patches and advisory information are contained in the following links:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
CA-2002-22 - http://www.cert.org/advisories/CA-2002-22.html
VU#370308 - http://www.kb.cert.org/vuls/id/370308
Please let us know if we can provide any assistance.
Alan Baldwin
ETSU OIT Technical Director
423.439.8636
abaldwin@mail.etsu.edu
| | Alpha Server Upgrade | 1/16/2003 | Beginning at approximately 2pm on Saturday, January 18, 2003 through Sunday the 19th, OIT will be performing another major step in the Alpha server clustering project. During this time, all the major business applications (SIS, FRS, HRS, ADS, Access email, Goldlink, Focus, etc) will be moved on to newer, faster, and redundant disk drives. This major step will maximize the already improved performance that we hope you have noticed during the last few months.
The systems will be unavailable until Monday morning, the 20th, at 8am except for the Access email system which will be available Sunday night. The Exchange email system, IMail, Internet and other campus servers will not be affected.
We apologize for any inconvenience, but this is a necessary procedure required to implement the most efficient system possible. As always if you have any questions or comments please feel free to contact me.
Alan Baldwin
ETSU OIT Technical Director
423.439.8636
abaldwin@mail.etsu.edu
| | W32/Sobig Virus | 1/14/2003 | Dubbed W32/Sobig, the mass-mailing worm has claimed the No. 2 slot on MessageLabs' list of most-active malicious attachments, with the company capturing almost 10,000 copies of the virus from e-mails in the past 24 hours. However, those numbers fall short of those tallied by major computer-virus threats such as Klez, which retains the No. 1 slot on the e-mail service provider's list after nine months in circulation.
Like other Internet computer worms in the past year, Sobig has spread less among corporate users and more among home users — many of whom are uneducated about computer security. Network Associates ranked the Sobig virus as a medium threat to both corporate and home users.
The virus can infect all versions of Microsoft's Windows operating system. PC users will likely encounter the Sobig virus first as a PIF (process interchange format) e-mail attachment from big@boss.com. The subject will typically be Re:
| | New Virus: Lioten | 12/18/2002 | NAME: Lioten
ALIAS: Iraq_oil, Datrix, W32.Lioten, W32/Lioten, I-Worm.Lioten
Lioten, also known as Iraq_Oil, is a Windows network worm spreading through shared folders. It was found on December 16th, 2002 in the wild. Lioten does not spread through e-mail at all. Instead, it scans the internet for Windows 2000 and Windows XP machines which have shared folders with other users and are not protected by a firewall. Once a suitable machine is found, the worm guesses a password, logs in to the machine, copies itself over as an EXE file (usually named iraq_oil.exe) and executes it. After this the worm restarts spreading.
There is no further information on what the worm does in addition to spreading. Also the reason for the reference to Iraq is unclear. The worm exploits the Windows Server Message Block (SMB) service at port 445. Basic firewall techniques prevent access to this port. The worm launches 100 threads, each of which starts generating random IP numbers using the system clock to generate a seed value. For every generated IP a connection is made to port 445.
If the connection is successful, it tries to list the users on the machine and tries to guess their passwords, using passwords from a hardcoded internal list which contains a blank password and the following words:
admin
root
111
123
1234
123456
654321
1
!@#$
asdf
asdfgh
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
server
These passwords are tried both in plain text and in Unicode. If the file is copied successfully, a remote task is scheduled so that the process will be run on the remote machine. The executable is packed with UPX.
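Two defender-side checks derived from the Lioten description above, written as an added example (not code from the advisory or any vendor): a password check against the worm's hardcoded list, and a detector that flags a source fanning out to TCP/445 across many hosts in a perimeter firewall log. The log line format, IP addresses and threshold are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# The password list the Lioten description gives, plus the blank password it also tries.
LIOTEN_PASSWORDS = {
    "", "admin", "root", "111", "123", "1234", "123456", "654321", "1",
    "!@#$", "asdf", "asdfgh", "!@#$%", "!@#$%^", "!@#$%^&", "!@#$%^&*", "server",
}

def is_lioten_guessable(password: str) -> bool:
    """True if a password is one the worm's hardcoded list would guess on the
    first try. Compared exactly: the worm sends these strings as-is (plain/Unicode)."""
    return password in LIOTEN_PASSWORDS

# Constructed (hypothetical) firewall log format, not any real product's:
# "<date> <time> <ALLOW|DENY> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(
    r"^\S+ \S+ (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

def find_smb_scanners(log_lines, min_targets=5):
    """Return {source_ip: distinct_445_targets} for sources that connected to TCP/445
    on at least min_targets distinct hosts. Lioten sprays random IPs on one port, so
    the fan-out is the signal; a real client talks to a handful of file servers."""
    targets = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("dport") != "445":
            continue  # other ports and unparsable lines are ignored
        targets[m.group("src")].add(m.group("dst"))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

# Constructed sample: 203.0.113.7 sweeps six hosts on 445; 10.0.0.5 uses one file server.
SAMPLE_LOG = [
    "2002-12-17 03:12:45 DENY TCP 203.0.113.7:1033 -> 192.168.4.17:445",
    "2002-12-17 03:12:45 DENY TCP 203.0.113.7:1034 -> 192.168.4.18:445",
    "2002-12-17 03:12:46 DENY TCP 203.0.113.7:1035 -> 192.168.4.19:445",
    "2002-12-17 03:12:46 DENY TCP 203.0.113.7:1036 -> 192.168.4.20:445",
    "2002-12-17 03:12:47 DENY TCP 203.0.113.7:1037 -> 192.168.4.21:445",
    "2002-12-17 03:12:47 DENY TCP 203.0.113.7:1038 -> 192.168.4.22:445",
    "2002-12-17 03:12:48 DENY TCP 203.0.113.7:1039 -> 192.168.4.17:445",
    "2002-12-17 03:13:02 ALLOW TCP 10.0.0.5:2041 -> 10.0.0.20:445",
    "2002-12-17 03:13:03 ALLOW TCP 10.0.0.5:2042 -> 10.0.0.20:139",
]

if __name__ == "__main__":
    print(find_smb_scanners(SAMPLE_LOG))
    print(is_lioten_guessable("!@#$%^"))
```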
| | Alpha Server Maintenance | 12/13/2002 | Starting Saturday afternoon December 14th through noon Sunday, December 15 OIT will be performing the next phase in our efforts to improve the performance and reliability of the Alpha servers which host the core business applications such as SIS, FRS and HRS. As a result, the Access email system will be unavailable during portions of this time. This work will not affect the Exchange e-mail system and no emails will be lost. Goldlink will also be unavailable during this period.
As always if you have any questions or comments please feel free to contact me.
Alan Baldwin
ETSU OIT Technical Director
423.439.8636
abaldwin@mail.etsu.edu
Office of Information Technology
Campus Box 70558
Room 308, Burgin Dossett Hall
East Tennessee State University
Johnson City, TN 37614
Help desk: 423-439-4648
fax: 423-439-5770